Message-ID: <DC17803E8D554F2B81F430BB0CC1A3EC@W340>
Date: Wed, 24 Feb 2016 08:59:11 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: Jernej Simončič <jernej|s-os@...rnallybored.org>,
 <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: [FD] Executable installers are vulnerable^WEVIL (case 26): the
	installer of GIMP for Windows allows arbitrary (remote) and
	escalation of privilege

"Jernej Simončič" <jernej|s-os@...rnallybored.org> wrote:

> On 23. februar 2016, 17:37:54, Stefan Kanthak wrote:
>
>> Proof of concept/demonstration:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>[snip]
>> PWNED!
>
> Can't reproduce - tested on Windows XP SP3, Windows 7 x64 SP1 and
> Windows 10 x64 (10586.104), and I tested not only with
> gimp-2.8.16-setup-1.exe, but also with gimp-2.8.14-setup-1.exe and
> gimp-2.8.10-setup.exe - none of them triggered anything from
> sentinel.dll/uxtheme.dll.

UXTheme.dll is loaded when "visual styles" and/or "themes" are
DISABLED (which is the case in my test systems), either via GUI, via

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="0"

or via stopping/disabling the "themes" service:

NET.EXE Stop Themes
SC.EXE Config Themes Start= Disabled

With "visual styles" and/or "themes" ENABLED DWMAPI.dll is loaded
instead of UXTheme.dll.

Additionally WindowsCodecs.dll is loaded if the caller is a
protected administrator, independent of the "visual styles" or
"themes" settings.

So "step 1" of the PoC needs to be modified as follows (the addition
is underlined) to cover these situations/preconditions:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as UXTheme.dll in your "Downloads" directory, then copy it
                                                    ~~~~~~~~~~~~
   as DWMAPI.dll and WindowsCodecs.dll there;
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> This is what I expected - the way Inno Setup works, the downloaded
> executable installer has a stub which extracts the real installer to a
> subdirectory of %TEMP%, and runs it from there; the stub's UI is
> limited to a simple MessageBox call in case the extraction fails - it
> does not link to uxtheme.dll at all.

This is plain wrong: InnoSetup extracts a stub (with the filename of
the executable, but the extension changed to .tmp) to an UNSAFE
subdirectory of %TEMP% and executes it from there.
gimp-2.8.16-setup-1.tmp is just 1.189.488 bytes small.

After the successful start of the extracted stub the downloaded .EXE
displays a dialog asking for the UI language.
DWMAPI.dll or UXTheme.dll is loaded by the downloaded .EXE before
this dialog is displayed.

Only if the extraction of this stub or its start fails, none of
these DLLs is loaded.


stay tuned
Stefan Kanthak


PS: you can blame InnoSetup (or Windows) for this behavior of your
    executable installer. But this doesn't fix this vulnerability,
    and it keeps all your users at risk.

    You need to have both the DLL hijacking AND the unsafe temporary
    subdirectory fixed.
    Your best way for this is: dump InnoSetup, create a .MSI instead!


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
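The mail above describes which DLL names an Inno Setup installer run from the "Downloads" directory will try to load (UXTheme.dll when themes are disabled, DWMAPI.dll when they are enabled, WindowsCodecs.dll for a protected administrator) and why a same-named DLL sitting beside the installer gets loaded first. The following PowerShell audit script is an added example, not part of this thread and not code from GIMP or Inno Setup. It reports which of those DLLs the current session's theme settings would cause an installer to look for, and lists DLLs in "Downloads" and %TEMP% whose file names collide with DLLs present in System32, so a user or helpdesk can remove such files before starting an installer from those directories. The function names, the choice of directories and the assumption that "Downloads" lives under %USERPROFILE% are this example's own.

```powershell
# Added example (not from the mailing-list thread): audit the preconditions
# described in the mail and look for candidate planted DLLs.

function Get-ThemeLoadProfile {
    # Registry value and service state named in the mail.
    $themeKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ThemeManager'
    $active = (Get-ItemProperty -Path $themeKey -Name ThemeActive -ErrorAction SilentlyContinue).ThemeActive
    $svc = Get-Service -Name Themes -ErrorAction SilentlyContinue
    $themesRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $enabled = ($active -eq '1') -and $themesRunning

    # Per the mail: themes enabled -> DWMAPI.dll is loaded, disabled -> UXTheme.dll.
    $expected = if ($enabled) { 'DWMAPI.dll' } else { 'UXTheme.dll' }
    $svcState = if ($svc) { [string]$svc.Status } else { 'missing' }

    [PSCustomObject]@{
        ThemeActive   = $active
        ThemesService = $svcState
        ExpectedDll   = $expected
        # Loaded for a protected administrator regardless of theme settings.
        AlsoIfAdmin   = 'WindowsCodecs.dll'
    }
}

function Find-PlantedDllCandidates {
    param(
        # Assumption: "Downloads" is directly under the user profile.
        [string[]]$Directories = @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP)
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($dir in $Directories) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { Test-Path -Path (Join-Path $system32 $_.Name) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path   = $_.FullName
                    Bytes  = $_.Length
                    Reason = "name collides with $system32\$($_.Name); an installer started from $dir would load this copy first"
                }
            }
    }
}

Get-ThemeLoadProfile | Format-List
Find-PlantedDllCandidates | Format-Table -AutoSize
```

Run it in the user session that would launch the installer, since both the ThemeActive value (HKCU) and the "Downloads" path are per-user. Any file the second function lists is not necessarily malicious, but a DLL with a System32 name inside a download or temp directory has no legitimate reason to be there and should be removed before executable installers are run from that location.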
