lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <6304726694FF404D8BA16439CE13F185@W340>
Date: Sun, 6 Mar 2016 20:06:20 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: <bugtraq@...urityfocus.com>
Subject: Executable installers are vulnerable^WEVIL (case 30): clamwin-0.99-setup.exe allows arbitrary (remote) code execution WITH escalation of privilege

Hi @ll,

the executable installer clamwin-0.99-setup.exe (available from
<http://www.clamwin.com/download>) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places one of the above named DLL in the user's
"Downloads" directory (for example per "drive-by download"
or "social engineering") this vulnerability becomes a remote
code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   DWMAPI.dll;

2. download clamwin-0.99-setup.exe and save it in your "Downloads"
   directory;

3. execute clamwin-0.99-setup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!  


stay tuned
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
    errors. It's a tell-tale sign to stay away from this snakeoil!


Timeline:
~~~~~~~~~

2016-03-06    sent vulnerability report to authors

<security@...mwin.com>: host aspmx.l.google.com[64.233.184.26] said: 550-5.1.1
    The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
    https://support.google.com/mail/answer/6596 y186si9894139wmy.43 - gsmtp (in
    reply to RCPT TO command)

<clamwin@...net>: host mx.sourceforge.net[216.34.181.68] said: 550 unknown user
    (in reply to RCPT TO command)

2016-03-06    report published

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ