Date: Thu, 31 Dec 2015 07:37:20 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 16): Trend Micro's installers allow arbitrary (remote) code execution

Hi @ll,

TrendMicro_MAX_10.0_US-en_Downloader.exe (available from
loads and executes ProfAPI.dll and UXTheme.dll (and other DLLs
too) eventually found in the directory it is started from
(the "application directory").

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
and <>

If one of the DLLs named above gets planted in the user's
"Downloads" directory per "drive-by download" or "social
engineering" this vulnerability becomes a remote code execution.

Proof of concept/demonstration:

1. visit <>, download
   <>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as

2. download TrendMicro_MAX_10.0_US-en_Downloader.exe and save it
   in your "Downloads" directory;

3. execute TrendMicro_MAX_10.0_US-en_Downloader.exe from your
   "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.


For a denial of service instead of arbitrary (remote) code execution
copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv.
This is easily turned into arbitrary (remote) code execution too:
just add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW
respectively LresultFromObject and CreateStdAccessibleObject to the DLL.

See <> and
<> as well as
<> and the still unfinished
<!execute.html> for more details about
this well-known and well-documented BEGINNER'S error and why
executable installers (and self-extractors too) are bad.

Additionally, TrendMicro_MAX_10.0_US-en_Downloader.exe creates an
unsafe temporary directory where it unpacks its payload to and 
executes it from.

...\TrendMicro_MAX_10.0_US-en_Downloader\Agent\TisEzIns.exe loads
and executes multiple DLLs too from its unsafe application directory:
ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
and OLEAcc.dll
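As an added example (not part of the advisory), a PowerShell check a defender can run against the directory an installer is launched from: it reports every file named like one of the system DLLs listed above and shows whether it carries a valid Authenticode signature and is identical to the copy in System32. The Downloads default and the System32 comparison are assumptions of this example.

```powershell
# Added example, not from the advisory: report DLLs lying in the directory an
# installer is run from whose names match the system DLLs the advisory says
# TrendMicro_MAX_10.0_US-en_Downloader.exe and TisEzIns.exe load from there.
# Assumptions: the directory defaults to the user's Downloads folder, and a
# genuine copy of each DLL lives in %SystemRoot%\System32 for comparison.
param(
    [string]$Dir = (Join-Path $env:USERPROFILE 'Downloads')
)

# Names taken from the advisory; -contains matches case-insensitively.
$Targets = @(
    'ProfAPI.dll', 'UXTheme.dll', 'OLEAcc.dll', 'WinSpool.drv', 'NTMarta.dll',
    'RASAdHlp.dll', 'NTShrUI.dll', 'Secur32.dll', 'WinMM.dll', 'Version.dll',
    'WinHttp.dll'
)
$System32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -LiteralPath $Dir -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Targets -contains $_.Name } |
    ForEach-Object {
        $planted = $_

        # DLLs shipped with Windows are Authenticode-signed; a planted one usually is not.
        $sig = Get-AuthenticodeSignature -FilePath $planted.FullName
        $signer = '(unsigned)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # Compare against the System32 copy, which is where the loader should find it.
        $genuine = Join-Path $System32 $planted.Name
        $sameAsSystem32 = $false
        if (Test-Path -LiteralPath $genuine) {
            $h1 = (Get-FileHash -LiteralPath $planted.FullName -Algorithm SHA256).Hash
            $h2 = (Get-FileHash -LiteralPath $genuine -Algorithm SHA256).Hash
            $sameAsSystem32 = ($h1 -eq $h2)
        }

        # Any such file next to a downloaded installer deserves a look; flag the
        # ones that are unsigned, badly signed, or differ from the system copy.
        [pscustomobject]@{
            Path            = $planted.FullName
            SignatureStatus = $sig.Status
            Signer          = $signer
            MatchesSystem32 = $sameAsSystem32
            Suspicious      = ($sig.Status -ne 'Valid') -or (-not $sameAsSystem32)
        }
    } | Format-Table -AutoSize
```

Run it before executing anything from the Downloads folder; an empty table means none of the listed names is present there.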

Proof of concept/demonstration:

5. unpack TrendMicro_MAX_10.0_US-en_Downloader.exe (basically a
   7-Zip self-extractor) into an arbitrary directory, say "%TEMP%"
   (this creates a subdirectory "%TEMP%\Agent" with the payload);

6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent",
   then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,
   Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
   and OLEAcc.dll there;

7. execute "%TEMP%\Agent\TisEZIns.exe";

8. notice the message boxes displayed from the DLLs placed in steps 5
   and 6.


stay tuned
Stefan Kanthak


2015-12-20    multiple reports sent to vendor

2015-12-20    one report bounced due to braindead mail setup by vendor

2015-12-20    resent bounced report via alternative provider

2015-12-21    vendor acknowledges receipt and names further contact

2015-12-28    vendor verifies reports, can reproduce it on Windows 7

2015-12-30    vendor asks for verification:
              "We did not reproduce the vulnerability relating to
               ProfAPI.dll and UXTheme.dll on Windows 7."

2015-12-31    sent verification to vendor

2015-12-31    bounced due to braindead mail setup by vendor

<>: host[]
    said: 554 5.7.1 <>: Recipient address
    rejected: ERS-RBL. (in reply to RCPT TO command)

<>: host[]
    said: 550 5.7.1 Service unavailable; Client host [] blocked
    using Trend Micro RBL+. Please see; Mail
    from blocked using Trend Micro Email Reputation database.
    Please see <>;
    from=<<> ; SIZE=8184> to=<<>
    ; ORCPT=rfc822;> proto=ESMTP
    helo=<> (in reply to end of DATA command)

2015-12-31    report published: vendor is obviously not interested in

Sent through the Full Disclosure mailing list