| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jan 2016 11:06:43 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 18):
EMSISoft's installers allow arbitrary (remote) code execution
and escalation of privilege
Hi @ll,
EmsisoftAntiMalwareSetup.exe as well as
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe load and execute UXTheme.dll (plus
other DLLs like RichEd20.dll and RichEd32.dll) eventually found
in the directory they are started from (the "application directory").
For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"
about this well-known and well-documented vulnerability.
If one of the DLLs named above gets planted in the user's "Downloads"
directory per "drive-by download" or "social engineering" this
vulnerability becomes a remote code execution.
Due to the application manifest embedded in the executables which
specifies "requireAdministrator" or the installer detection of
Windows' user account control (under Windows XP the installers
request to be started with administrative privileges by themselves)
the installers are run with administrative privileges ("protected"
administrators are prompted for consent, unprivileged standard users
are prompted for an administrator password); execution of any
hijacked DLL results in an escalation of privilege!
See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be
dumped.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
as UXTheme.dll in your "Downloads" directory, then copy it as
RichEd20.dll and RichEd32.dll;
2. download EmsisoftAntiMalwareSetup.exe respectively
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe and save them in your "Downloads"
directory;
3. execute EmsisoftAntiMalwareSetup.exe respectively
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe from your "Downloads" directory;
4. notice the message boxes displayed from the DLLs placed in
step 1.
PWNED!
Additionally the installers create unsafe temporary directories
%TEMP%\is-*.tmp to unpack their payload and execute it from there.
An unprivileged user can overwrite/modify these files between their
extraction and execution, or copy UXTheme.dll plus MSImg32.dll, on
Windows Vista and newer versions of Windows additionally Version.dll
into %TEMP%\is-*.tmp. These DLLs are loaded from the unpacked
%TEMP%\is-*.tmp\Emsisoft*.tmp too.
PWNED again.
stay tuned
Stefan Kanthak
PS: I really LOVE (security) software with such trivial beginner's
errors. It's a tell-tale sign to stay away from such crapware!
Timeline:
~~~~~~~~~
2015-12-19 three reports sent to vendor
2015-12-21 vendor replies to one report:
"we ignore your report since we don't offer
EmsisoftHiJackFreeSetup.exe any more."
2015-12-21 OUCH!
<http://download2.emsisoft.com/EmsisoftHiJackFreeSetup.exe>
NO ANSWER, not even an acknowledgement of receipt
for the other two reports
2015-12-29 reports resent to vendor
NO ANSWER, not even an acknowledgement of receipt
2016-01-07 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists