| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Feb 2016 17:37:54 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 26): the
installer of GIMP for Windows allows arbitrary (remote) and
escalation of privilege
Hi @ll,
the executable installer gimp-2.8.16-setup-1.exe (and of course
older versions too) available from <http://www.gimp.org/downloads/>
loads and executes UXTheme.dll from its "application directory".
For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
about this well-known and well-documented vulnerability.
If an attacker places UXtheme.dll in the users "Downloads"
directory (for example per drive-by download or social engineering)
this vulnerability becomes a remote code execution.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
it as UXTheme.dll in your "Downloads" directory;
2. download gimp-2.8.16-setup-1.exe from <http://www.gimp.org/downloads/>
and save it in your "Downloads" directory;
3. run gimp-2.8.16-setup-1.exe from the "Downloads" directory;
4. notice the message boxes displayed from UXTheme.dll placed in
step 1.
PWNED!
See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/33> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
Additionally the installer creates and uses an UNSAFE temporary
directory %TEMP%\is-<random>.temp\.
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-01-29 sent vulnerability report
NO REPLY, not even an acknowledgement of receipt
2016-02-11 resent vulnerability report
NO REPLY, not even an acknowledgement of receipt
2016-02-23 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists