| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Jul 2016 15:32:34 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Executable installers are vulnerable^WEVIL (case 34):
Microsoft's vs-community-*.exe susceptible to DLL hijacking
Hi @ll,
the executable installer for Microsoft's Visual Studio 2015
Community Edition, available from <https://www.visualstudio.com/>,
is vulnerable to DLL hijacking: on a fully patched Windows 7 SP1
it loads the following DLLs from its "application directory"
instead of Windows' "system directory":
Version.dll, AppHelp.dll, NTMARTA.dll, CryptSP.dll, RPCRTRemote.dll
Additionally it loads API-MS-Win-Downlevel-ShlWAPI-L2-1-0.dll from
the PATH.
See <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0148>
or <https://technet.microsoft.com/library/security/MS16-041> and
<https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html>
for a similar vulnerability.
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-06-01 sent vulnerability report to vendor plus US-CERT
NO RESPONSE from vendor, not even an acknowledgement
of receipt
2016-06-07 US-CERT tells me that Microsoft informed them that
they won't act on this report
still no response from vendor
2016-07-01 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists