T 3.112 Unauthorised or incorrect use of images when using Windows DISM
DISM (Deployment Image Servicing and Management) is a command line tool available in Windows Vista Service Pack 2 and later. It can be used to make wide-ranging configuration changes to Windows installations held in hard disk image files. DISM can be applied to Windows Imaging Format files (WIM) as well as to virtual hard disks (VHD); both are used for the customised provisioning of Windows systems. In some cases, DISM can also be applied to running systems.
Unauthorised changes could be made to installation sources or IT systems without being noticed, either accidentally or by an attacker. Both cases can result in disruptions to the provisioning process, damage to the security configuration of the installation, and the circulation of malicious code.
The Windows image format is a file-based image format (WIM) which may contain installation sources for Windows Vista or Server 2008 and higher versions. A WIM file can contain more than one Windows edition.
The most important functions of DISM are:
- Windows Edition Servicing Commands for changing the Windows image
- Unattended Servicing Commands for implementing changes without user interaction
- Driver Servicing Commands for integration of device drivers in an image
- International Servicing Commands for configuration of language packs
- Application Servicing Commands for integration of applications in images
- Package Servicing Commands for integration of packages in images or running systems
In particular, the command /Apply-Unattended in the Unattended Servicing Commands can be used to import individual files containing malicious code into an existing image without the responsible administrator noticing. This feature is particularly critical in connection with the optional specification of a control file in XML format, since it allows several files to be installed automatically.
The Application Servicing Commands can be used to determine whether a specific application is contained in an image, for example by means of the command /Get-AppInfo. Alternatively, all applications contained in an image can be listed by means of the command /Get-Apps. The list of files contained in the image makes it possible to attempt attacks against specific software versions.
The commands /Add-Package and /Remove-Package in the Package Servicing Commands make it possible to replace entire packages under Windows 7 by means of DISM. This makes it easier for a potential attacker to replace files, since several files can be replaced at a time using only one command.
Large collective images allow too much room for uncontrolled changes with potentially adverse impacts on the later installation. Individual software components in a collective image can be enabled or disabled by means of /Enable-Feature and /Disable-Feature. There is no declaration or clear definition of what such an image is meant to contain. As a result, there is a risk that unauthorised changes are introduced into the provisioning process, whether malevolently or negligently, with the consequence that the number of possible points of attack increases unnecessarily and the systems fail to meet the expected conformity.
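The changes described above (packages, drivers or features added or removed from a WIM with /Add-Package, /Remove-Package, /Enable-Feature and the like) leave traces in the image inventory. The following PowerShell script is an added example, not part of the catalogue text: it records a baseline (file hash plus package, driver and feature lists) for an image and reports deviations on later runs. It assumes Windows 8 / Server 2012 or later with the Dism PowerShell module, an elevated session, and a writable temporary directory; the baseline path and mount directory are assumed names.

```powershell
# Added example: baseline and verify a WIM image before it is used for provisioning.
# Assumes the Dism PowerShell module (Windows 8 / Server 2012 and later) and an elevated session.
param(
    [Parameter(Mandatory)] [string] $ImagePath,           # e.g. D:\images\install.wim (assumed path)
    [int]    $Index    = 1,                                # image index inside the WIM
    [string] $Baseline = "$ImagePath.baseline.json",       # assumed baseline file name
    [string] $MountDir = "$env:TEMP\wim-audit"             # assumed mount directory
)
Import-Module Dism -ErrorAction Stop
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

function Get-ImageInventory {
    # Hash the WIM file itself, then mount read-only so the audit cannot alter the image.
    $hash = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ReadOnly | Out-Null
    try {
        [pscustomobject]@{
            Sha256   = $hash
            Packages = @(Get-WindowsPackage -Path $MountDir |
                         ForEach-Object { "$($_.PackageName):$($_.PackageState)" })
            Drivers  = @(Get-WindowsDriver -Path $MountDir |
                         ForEach-Object { "$($_.ProviderName) $($_.OriginalFileName) $($_.Version)" })
            Features = @(Get-WindowsOptionalFeature -Path $MountDir |
                         ForEach-Object { "$($_.FeatureName):$($_.State)" })
        }
    } finally {
        # Always unmount without committing, even if enumeration fails.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

$current = Get-ImageInventory
if (-not (Test-Path $Baseline)) {
    # First run: store the inventory as the approved state of this image.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline
    Write-Output "Baseline written to $Baseline"
    return
}
$known = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
if ($known.Sha256 -eq $current.Sha256) { Write-Output "Image unchanged since baseline"; return }

# The file changed: show which packages, drivers or features differ from the approved state.
Write-Warning "WIM hash differs from baseline ($($known.Sha256) -> $($current.Sha256))"
foreach ($set in 'Packages', 'Drivers', 'Features') {
    Compare-Object -ReferenceObject @($known.$set) -DifferenceObject @($current.$set) |
        ForEach-Object { "{0,-8} {1} {2}" -f $set, $_.SideIndicator, $_.InputObject }
}
```

A `=>` marker in the output denotes an item present only in the current image, `<=` one present only in the baseline; a hash change with no inventory difference points at file-level modifications (such as those applied with /Apply-Unattended) that the package view does not capture and that need a file comparison of the mounted image.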