Open Source and information security mailing list archives
 
Date: Tue, 23 Feb 2016 18:44:32 +0100
From: Jernej Simončič <jernej|s-os@...rnallybored.org>
To: "Stefan Kanthak" <stefan.kanthak@...go.de>, fulldisclosure@...lists.org
Cc: bugtraq@...urityfocus.com
Subject: Re: [FD] Executable installers are vulnerable^WEVIL (case 26): the
 installer of GIMP for Windows allows arbitrary (remote) and escalation of
 privilege

On 23 February 2016, 17:37:54, Stefan Kanthak wrote:

> Proof of concept/demonstration:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[snip]
> PWNED!

Can't reproduce - tested on Windows XP SP3, Windows 7 x64 SP1 and
Windows 10 x64 (10586.104), and I tested not only with
gimp-2.8.16-setup-1.exe, but also with gimp-2.8.14-setup-1.exe and
gimp-2.8.10-setup.exe - none of them triggered anything from
sentinel.dll/uxtheme.dll.

This is what I expected - the way Inno Setup works, the downloaded
executable installer has a stub which extracts the real installer to a
subdirectory of %TEMP%, and runs it from there; the stub's UI is
limited to a simple MessageBox call in case the extraction fails - it
does not link to uxtheme.dll at all.

-- 
< Jernej Simončič ><><><><><><><><><><><>< http://eternallybored.org/ >

           Because 10 billion years' time is so fragile, so ephemeral...
it arouses such a bittersweet, almost heartbreaking fondness.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
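
An added example, not part of the original message and not Inno Setup's or GIMP's code: one way to check whether an executable statically links to a DLL such as uxtheme.dll is to read its PE import table. The `sample_image` helper and its DLL lists are constructed for illustration; a DLL loaded at run time through LoadLibrary, delay-loaded, or pulled in by another DLL does not appear in this table.

```python
import struct

def imported_dlls(pe: bytes) -> list:
    """Return lower-cased DLL names from the static import table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]  # SizeOfOptionalHeader
    opt = nt + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # Data directory entry 1 (import table) follows the 96- or 112-byte fixed part.
    imp_rva = struct.unpack_from("<I", pe, opt + (120 if pe32plus else 104))[0]
    sects = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
             for i in range(nsect)]                      # (vsize, va, rawsize, rawptr)
    def offset(rva):
        for vsize, va, rawsize, rawptr in sects:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA 0x%x is outside every section" % rva)
    if not imp_rva:
        return []
    dlls, desc = [], offset(imp_rva)
    # Walk IMAGE_IMPORT_DESCRIPTOR entries until the all-zero terminator.
    while any(fields := struct.unpack_from("<5I", pe, desc)):
        start = offset(fields[3])                        # Name RVA
        dlls.append(pe[start:pe.index(b"\0", start)].decode("ascii").lower())
        desc += 20
    return dlls

def sample_image(dlls):
    """Constructed sample input: minimal PE32 image holding only an import table."""
    names_rva, table, names = 0x1000 + 20 * (len(dlls) + 1), b"", b""
    for dll in dlls:
        table += struct.pack("<5I", 0, 0, 0, names_rva + len(names), 0)
        names += dll.encode() + b"\0"
    body = table + bytes(20) + names
    head = (b"MZ" + bytes(58) + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
            + struct.pack("<H", 0x10B) + bytes(102)
            + struct.pack("<II", 0x1000, len(body)) + bytes(112)
            + b".idata\0\0" + struct.pack("<8I", len(body), 0x1000, len(body), 0x200, 0, 0, 0, 0))
    return head + bytes(0x200 - len(head)) + body

# Constructed DLL lists, not taken from any real installer.
STUB = sample_image(["KERNEL32.dll", "USER32.dll"])
THEMED = sample_image(["KERNEL32.dll", "UxTheme.dll"])
print("uxtheme.dll" in imported_dlls(STUB), "uxtheme.dll" in imported_dlls(THEMED))
```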
