Date: Mon, 9 Oct 2017 13:32:48 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 54):
	escalation of privilege with PostgreSQL installers for Windows

Hi  @ll,

the executable installers of PostgreSQL 10 for Windows,
1. PostgreSQL-10.0-1-win64-bigsql.exe, available from
   <https://www.openscg.com/bigsql/postgresql/installers.jsp/>
   via <https://www.postgresql.org/download/windows/>,
2. postgresql-10.0-1-windows.exe and
   postgresql-10.0-1-windows-x64.exe, available from
   <https://www.enterprisedb.com/downloads/postgres-postgresql-downloads#windows>
   via <https://www.postgresql.org/download/windows/>,
are vulnerable and defective:

Vulnerabilities
~~~~~~~~~~~~~~~

1.a) They load (on a fully patched Windows 7) the system DLLs
     UXTheme.dll, SAMCli.dll, SchedCli.dll, LogonCli.dll and
     CryptSP.dll from their "application directory" instead of Windows'
     "system directory" %SystemRoot%\System32\, resulting in arbitrary
     code execution.

     For software downloaded with a web browser the "application directory"
     is typically the user's "Downloads" directory: see
     <http://seclists.org/fulldisclosure/2015/Nov/101> and
     <http://seclists.org/fulldisclosure/2015/Dec/86> plus
     <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
     <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
     <http://seclists.org/fulldisclosure/2012/Aug/134> and
     <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

     Also see <https://cwe.mitre.org/data/definitions/426.html>,
     <https://cwe.mitre.org/data/definitions/427.html>,
     <https://capec.mitre.org/data/definitions/471.html> and
     <https://skanthak.homepage.t-online.de/!execute.html>


     Thanks to the embedded application manifest, which specifies
     "requireAdministrator", the installers are started with
     administrative privileges ("protected" administrators are prompted
     for consent, unprivileged standard users are prompted for an
     administrator password), resulting in an escalation of privilege!

     If (one of) the DLLs named above get(s) planted in the user's
     "Downloads" directory, for example via "drive-by download", this
     vulnerability becomes a remote code execution WITH escalation of
     privilege.

     Proof of concept:
     ~~~~~~~~~~~~~~~~~

     1. Visit <https://skanthak.homepage.t-online.de/sentinel.html>,
        download
        <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
        and save it as UXTheme.dll in your "Downloads" directory, then
        copy it as SAMCli.dll, SchedCli.dll, LogonCli.dll and CryptSP.dll;

     2. Download the executable installers
        <https://oscg-downloads.s3.amazonaws.com/packages/PostgreSQL-10.0-1-win64-bigsql.exe>
        <https://get.enterprisedb.com/postgresql/postgresql-10.0-1-windows-x64.exe>
        <https://get.enterprisedb.com/postgresql/postgresql-10.0-1-windows.exe>
        and save them in your "Downloads" directory;

     3. Start the downloaded installers; notice the message boxes
        displayed from the "sentinels": PWNED!


1.b) They create about a dozen DLLs with names BR*.TMP
     (as generated by Windows' GetTempFileName() API, see
     <https://msdn.microsoft.com/en-us/library/aa364991.aspx>)
     in the user's (unprotected) %TEMP% directory and load them
     during execution.

     See <https://cwe.mitre.org/data/definitions/377.html> and
     <https://cwe.mitre.org/data/definitions/379.html> for this
     well-known and well-documented weakness.

     An unprivileged attacker can modify these DLLs between their
     creation and loading, for example using the following (trivial)
     batch script, again resulting in arbitrary code execution with
     escalation of privilege!

     --- BITROCK.CMD ---
     :WAIT
     If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
     For %%! In ("%TEMP%\BR????.DLL") Do Copy "%USERPROFILE%\Downloads\UXTheme.dll" "%%!"
     --- EOF ---


Defects
~~~~~~~

2.a) they have INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
     aborts with "access violation" (see below) due to the INVALID
     section name "/4"!

     From the PE/COFF specification, available via
     <https://www.microsoft.com/en-us/download/details.aspx?id=19509>

| Offset  Size  Field  Description
|      0     8  Name   An 8-byte, null-padded UTF-8 encoded string.
|                      If the string is exactly 8 characters long,
|                      there is no terminating null. For longer names,
|                      this field contains a slash (/) that is followed
|                      by an ASCII representation of a decimal number
|                      that is an offset into the string table.
|                      Executable images do not use a string table and do
|                      not support section names longer than 8 characters.
|                      Long names in object files are truncated if they
|                      are emitted to an executable file.
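     As an added illustration of the section-name rule quoted above (example
     code written for this archive, not code from the advisory, PostgreSQL or
     BitRock), the following Python parser reads the COFF file header and the
     section table of a PE image and flags "/N" names in executable images;
     the sample image is constructed inline and assumes a zeroed 224-byte
     PE32 optional header.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # IMAGE_FILE_HEADER.Characteristics flag
IMAGE_SIZEOF_FILE_HEADER = 20
IMAGE_SIZEOF_SECTION_HEADER = 40

def parse_section_headers(image: bytes):
    """Return (is_executable_image, [section names]) for a PE file held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + IMAGE_SIZEOF_FILE_HEADER + opt_size
    if table + nsec * IMAGE_SIZEOF_SECTION_HEADER > len(image):
        raise ValueError("section table runs past end of file")
    names = []
    for i in range(nsec):
        off = table + i * IMAGE_SIZEOF_SECTION_HEADER
        # Name: 8 bytes, null-padded, no terminator when exactly 8 chars long
        names.append(image[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE), names

def find_invalid_section_names(image: bytes):
    """'/N' names point into the COFF string table, which executable images do not have."""
    is_exe, names = parse_section_headers(image)
    if not is_exe:
        return []          # object files may legitimately carry long names
    return [n for n in names if n.startswith("/") and n[1:].isdigit()]

def build_sample_pe(section_names):
    """Constructed minimal PE32 image (headers only, zeroed optional header) for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytes(224)                                       # IMAGE_OPTIONAL_HEADER32 placeholder
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       len(opt), IMAGE_FILE_EXECUTABLE_IMAGE)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32)
                        for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections

if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe([".text", "/4", ".rsrc"]))
    print("invalid section names:", find_invalid_section_names(data))
```

     Run it against a downloaded installer to reproduce the "/4" finding without a dumper that crashes on the malformed header.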


2.b) their IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
     for msvcrt.dll.

     There should be only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
     See the PE/COFF specification:

| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.


Mitigations:
~~~~~~~~~~~~

* Don't build executable installers, they are almost always vulnerable!

  Create native installation packages for the respective OS instead.
  For Windows these are .MSI or .INF with .CAB.

* Don't use executable installers!

* stay FAR away from PostgreSQL for Windows!


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-02-17    vulnerability report sent to security@...tgresql.org

2017-02-18    reply from vendor:
              "the installers are built using Bitrock InstallBuilder
               which generates the final executable that the user
               downloads. I have therefore escalated this report to
               Bitrock's support team, and as soon as they have a
               solution will initiate a set of update releases for
               affected packages."

2017-10-05    PostgreSQL releases version 10, again sporting this
              vulnerability.

              Obviously both PostgreSQL and BitRock are unwilling,
              unable or just too incompetent to provide installers
              without well-known, trivial to detect and trivial to
              exploit vulnerabilities.

2017-10-09    report published


Evidence
~~~~~~~~

C:\Users\Stefan\Downloads>link.exe /dump PostgreSQL-10.0-1-win64-bigsql.exe

Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file PostgreSQL-10.0-1-win64-bigsql.exe

File Type: EXECUTABLE IMAGE

LINK : fatal error LNK1000: Internal error during DumpSections

  Version 8.00.50727.762

  ExceptionCode            = C0000005
  ExceptionFlags           = 00000000
  ExceptionAddress         = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
  NumberParameters         = 00000002
  ExceptionInformation[ 0] = 00000000
  ExceptionInformation[ 1] = 00000004
