lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1FACC2E11E14BBBBB0518B5796C08BC@W340>
Date: Thu, 17 Nov 2016 17:46:31 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody

Hi @ll,

in response to <http://seclists.org/fulldisclosure/2016/Jan/24>
EmsiSoft fixed some of the DLL hijacking vulnerabilities in some
of their executable installers and unpackers.

EmsisoftEmergencyKit.exe still has beginner's errors which allow
escalation of privilege for EVERY local user:

0. while the self-extracting WinRAR archive EmsisoftEmergencyKit.exe
   doesn't load DLLs from its "application directory" any more, its
   payload but shows this vulnerability!

1. due to "requireAdministrator" in its application manifest the
   self-extractor runs with administrative rights, although it
   neither needs them nor uses them.

2. it creates the directory "%SystemDrive%\EEK" and unpacks its
   payload into it.

   JFTR: since it runs with administrative rights the self-
         extractor could create "%SystemDrive%\EEK" with an ACL
         that only allows write-access for administrators, or
         use "%ProgramFiles%\EmsiSoft\Emergency Kit" instead.

   This directory inherits the ACL of its parent, %SystemDrive%,
   which allows write access for unprivileged users; they can thus
   modify all files extracted there or add files, for example a
   "%SystemDrive%\EEK\Version.dll".

   Also give NetAPI32.dll, NetUtils.dll, SrvCli.dll, WksCli.dll,
   PropSys.dll, AppHelp.dll, NTMarta.dll, Secur32.dll, MPR.dll and
   CSCAPI.dll a try.

3. the programs "%SystemDrive%\EEK\Start Commandline Scanner.exe"
   and "%SystemDrive%\EEK\Start Emergency Kit Scanner.exe" have
   "requireAdministrator" in their application manifests too: they
   load and execute the DLLs named above from "%SystemDrive%\EEK"
   with administrative rights.

4. the other programs extracted to "%SystemDrive%\EEK\bin32" and
   "%SystemDrive%\EEK\bin64" and are also run with administrative
   rights.

5. of course the programs in "%SystemDrive%\EEK\bin32" and
   "%SystemDrive%\EEK\bin64" load and execute DLLs from their
   "application directory" (which is writable for everyone) too.

And one more:

6. the OpenSSL libraries shipped are from version 1.0.2d and have
   multiple vulnerabilities which have beed fixed in version 1.0.2j.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-29    vulnerability report sent to vendor

2016-08-29    vendor acknowledges vulnerability, promises to update
              at least the OpenSSL libraries, and ask the author of
              WinRAR to add a directive to protect the created EEK
              directory

2016-11-17    vendor fixed NOTHING in the past ELEVEN weeks, and
              does not react any more -> report published

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ