Date: Tue, 22 Dec 2015 00:52:16 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 14): Rapid7's
	ScanNowUPnP.exe allows arbitrary (remote) code execution

Hi @ll,

the executable installer [°]['] (rather: the 7-Zip based executable
self-extractor [²]) of Rapid7's (better known for their flagship
Metasploit) ScanNowUPnP.exe loads and executes several rogue/bogus
DLLs eventually found in the directory it is started from (the
"application directory"), commonly known as "DLL hijacking".

For software downloaded with a web browser the application directory
is typically the "Downloads" directory: see
and <>

See the comprehensive write-up on Rapid7's community blog:

Especially note that Rapid7 removed the now deprecated ScanNowUPnP.exe
and advises all users to remove it from any system that still has it.

stay tuned
Stefan Kanthak

[°] <>

['] <>

[²] <>
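
A defender-side check for the condition described in the message, as an added example that is not part of the original post or Rapid7's code: it lists DLLs sitting in a download directory beside executables, with their Authenticode status, and flags leftover copies of ScanNowUPnP.exe. The function name `Get-DownloadDirDllRisk` and the default `%USERPROFILE%\Downloads` path are assumptions.

```powershell
# Added example (not from the advisory). Function name and default path are assumptions.
function Get-DownloadDirDllRisk {
    [CmdletBinding()]
    param(
        # Assumption: the browser saves to the default per-user Downloads folder.
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    # Executables started from here treat $Path as their application directory.
    $exes = @(Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File -ErrorAction SilentlyContinue)

    # Any DLL in the same directory is a candidate for being loaded by them.
    $dlls = @(Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue)

    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
        [pscustomobject]@{
            Finding   = 'DLL in download directory'
            File      = $dll.FullName
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Modified  = $dll.LastWriteTime
            ExeCount  = $exes.Count
        }
    }

    # The advisory notes the deprecated tool should be removed wherever it remains.
    # The wildcard also matches browser-renamed copies such as "ScanNowUPnP (1).exe".
    foreach ($exe in $exes | Where-Object { $_.Name -like 'ScanNowUPnP*.exe' }) {
        [pscustomobject]@{
            Finding   = 'Deprecated ScanNowUPnP.exe present'
            File      = $exe.FullName
            Signature = (Get-AuthenticodeSignature -LiteralPath $exe.FullName).Status
            Signer    = $null
            Modified  = $exe.LastWriteTime
            ExeCount  = $exes.Count
        }
    }
}

Get-DownloadDirDllRisk | Sort-Object Finding, File | Format-Table -AutoSize -Wrap
```

A valid signature on a DLL in this directory does not make its location expected; treat every row as something to review.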
