[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1FACC2E11E14BBBBB0518B5796C08BC@W340>
Date: Thu, 17 Nov 2016 17:46:31 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody
Hi @ll,
in response to <http://seclists.org/fulldisclosure/2016/Jan/24>
EmsiSoft fixed some of the DLL hijacking vulnerabilities in some
of their executable installers and unpackers.
EmsisoftEmergencyKit.exe still has beginner's errors which allow
escalation of privilege for EVERY local user:
0. while the self-extracting WinRAR archive EmsisoftEmergencyKit.exe
doesn't load DLLs from its "application directory" any more, its
payload but shows this vulnerability!
1. due to "requireAdministrator" in its application manifest the
self-extractor runs with administrative rights, although it
neither needs them nor uses them.
2. it creates the directory "%SystemDrive%\EEK" and unpacks its
payload into it.
JFTR: since it runs with administrative rights the self-
extractor could create "%SystemDrive%\EEK" with an ACL
that only allows write-access for administrators, or
use "%ProgramFiles%\EmsiSoft\Emergency Kit" instead.
This directory inherits the ACL of its parent, %SystemDrive%,
which allows write access for unprivileged users; they can thus
modify all files extracted there or add files, for example a
"%SystemDrive%\EEK\Version.dll".
Also give NetAPI32.dll, NetUtils.dll, SrvCli.dll, WksCli.dll,
PropSys.dll, AppHelp.dll, NTMarta.dll, Secur32.dll, MPR.dll and
CSCAPI.dll a try.
3. the programs "%SystemDrive%\EEK\Start Commandline Scanner.exe"
and "%SystemDrive%\EEK\Start Emergency Kit Scanner.exe" have
"requireAdministrator" in their application manifests too: they
load and execute the DLLs named above from "%SystemDrive%\EEK"
with administrative rights.
4. the other programs extracted to "%SystemDrive%\EEK\bin32" and
"%SystemDrive%\EEK\bin64" and are also run with administrative
rights.
5. of course the programs in "%SystemDrive%\EEK\bin32" and
"%SystemDrive%\EEK\bin64" load and execute DLLs from their
"application directory" (which is writable for everyone) too.
And one more:
6. the OpenSSL libraries shipped are from version 1.0.2d and have
multiple vulnerabilities which have beed fixed in version 1.0.2j.
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-08-29 vulnerability report sent to vendor
2016-08-29 vendor acknowledges vulnerability, promises to update
at least the OpenSSL libraries, and ask the author of
WinRAR to add a directive to protect the created EEK
directory
2016-11-17 vendor fixed NOTHING in the past ELEVEN weeks, and
does not react any more -> report published
Powered by blists - more mailing lists