lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <B33199EE31784324B74F84968FF8AFF4@W340> Date: Tue, 22 Dec 2015 00:52:16 +0100 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <fulldisclosure@...lists.org> Cc: <bugtraq@...urityfocus.com> Subject: Executable installers are vulnerable^WEVIL (case 14): Rapid7's ScanNowUPnP.exe allows arbitrary (remote) code execution Hi @ll, the executable installer [°]['] (rather: the 7-Zip based executable self-extractor [²]) of Rapid7's (better known for their flagship Metasploit) ScanNowUPnP.exe loads and executes several rogue/bogus DLLs eventually found in the directory it is started from (the "application directory"), commonly known as "DLL hijacking". For software downloaded with a web browser the application directory is typically the "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> See the comprehensive write-up on Rapid7's community blog: <https://community.rapid7.com/community/infosec/blog/2015/12/21/scannow-dll-search-order-hijacking-vulnerability-and-deprecation> Especially note that Rapid7 removed the now deprecated ScanNowUPnP.exe and advises all users to remove it from any system that still has it. stay tuned Stefan Kanthak [°] <http://seclists.org/fulldisclosure/2015/Nov/101> ['] <http://seclists.org/bugtraq/2015/Dec/112> [²] <http://seclists.org/bugtraq/2015/Dec/61>
Powered by blists - more mailing lists