Date: Sat, 31 Dec 2016 13:16:30 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 43):
	SoftMaker's Office service pack installers allow escalation
	of privilege

Hi @ll,

the service pack installers for SoftMaker Office 201x, available
from <>,
are (surprise.-) vulnerable.

The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH),
creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract
its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".

"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent
"%TEMP%\", i.e. allows full access for the UNPRIVILEGED user.

For this well-known vulnerability see
<> and

Due to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run
with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory
      "%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user as well as any program running with the
user's credentials can modify the extracted files, for example
"%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with
administrative rights, resulting in arbitrary code execution
with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking,
another well-known vulnerability.
See <>,
<> and
<> plus

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the
unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which
are loaded by "spsetup.exe", again resulting in arbitrary code
execution with elevation of privilege!
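Both the JFTR above (a properly written installer creates a PROTECTED extraction directory) and the DLL-hijacking paragraph turn on the same thing: the DACL of the directory the payload is extracted to. As an added illustration, not code from the advisory, from SoftMaker or from 7-Zip, the following Windows PowerShell 5.1 functions show what that looks like. New-ProtectedStagingDirectory creates a staging directory under %TEMP% whose DACL is cut off from the parent's inheritance and grants access only to SYSTEM and BUILTIN\Administrators, so neither spsetup.exe nor any DLL beside it could be written by an unprivileged user; Test-WritableByCurrentUser reads a directory's DACL back and reports whether the identity running the script holds write rights on it. The function names and the "stage_" name pattern are this example's own.

```powershell
# Added example, not code from SoftMaker, 7-Zip or the advisory. Targets
# Windows PowerShell 5.1 (.NET Framework), where Directory.CreateDirectory
# accepts a DirectorySecurity. Function names are this example's own.

function New-ProtectedStagingDirectory {
    param([string]$Parent = $env:TEMP)

    # Random name, as the 7z SFX does with "7zS<hex>"; the ACL is what matters.
    $path = Join-Path $Parent ('stage_' + [guid]::NewGuid().ToString('N').Substring(0, 8))

    # Build the DACL before the directory exists, so there is never a window
    # in which it carries the inherited, unprivileged-writable ACEs of %TEMP%.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # (isProtected = $true, preserveInheritance = $false): cut inheritance from
    # the parent and do NOT copy the parent's inherited ACEs into the new DACL.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544) get in.
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    # Owner = Administrators, so no unprivileged principal can rewrite the DACL later.
    $acl.SetOwner((New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'))

    # A pre-existing directory of that name could have been planted with a weak
    # ACL; refuse it instead of reusing it (CreateDirectory would silently reuse it).
    if (Test-Path -LiteralPath $path) { throw "staging directory already exists: $path" }
    [System.IO.Directory]::CreateDirectory($path, $acl) | Out-Null
    return $path
}

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)

    # SIDs the calling identity holds: its own SID plus its enabled group SIDs.
    # Run this UNELEVATED to answer "can the unprivileged user tamper with $Path?".
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    # Rights that let a principal add, replace or remove entries in a directory,
    # or change the DACL itself.
    $write = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Simplification: only Allow ACEs are considered; Deny ACEs and generic-rights
    # bits are not evaluated here (a full effective-access check needs AuthzAccessCheck).
    $hit = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $sids -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$write) -ne 0
    }
    # The owner can always rewrite the DACL, whatever the ACEs say.
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    return [bool]($hit -or ($sids -contains $owner))
}

# Usage (elevated shell):   $dir = New-ProtectedStagingDirectory
# Usage (unprivileged shell): Test-WritableByCurrentUser -Path $env:TEMP   -> $true
#                             Test-WritableByCurrentUser -Path $dir        -> $false
```

Run Test-WritableByCurrentUser from an unelevated shell against the "%TEMP%\7zSxxxxxxxx\" directory while the installer's message box is still open: for the 7z SFX directory described above it reports $true, because the directory inherited the user's full-control ACE from "%TEMP%"; for a directory created by New-ProtectedStagingDirectory it reports $false. In a real installer the same DACL would be passed to CreateDirectoryW through SECURITY_ATTRIBUTES, and ERROR_ALREADY_EXISTS would be treated as fatal for the same reason the Test-Path check above throws.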


0. download <> and
   save it in an arbitrary directory;

1. download <>
   (see <> alias
   <>) and
   save it in an(other) arbitrary directory;

2. save the following batch script in the same directory as

--- OFW16_873.CMD ---
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
--- EOF ---

3. start the batch script;

4. execute ofw16_873.exe and notice the message boxes displayed


5. download <>
   to the same directory as the batch script;

6. in the batch script replace the 3 lines Copy ... with
   Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_873.exe and notice the message box displayed



* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <> and
  <> plus
  <!execute.html> alias
  <!execute.html> for more

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows
  setup which use the same "%TEMP%" for unprivileged and privileged

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".
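As an added example that is not part of the advisory, the following Windows PowerShell functions apply exactly the ACE "(D;OIIO;WP;;;WD)" to a profile directory through the .NET access-control classes, with each SDDL field mapped to the corresponding FileSystemAccessRule argument, and read it back. The function names are this example's own; it assumes the caller may change the ACL of the directory in question.

```powershell
# Added example, not from the advisory. Adds the ACE "(D;OIIO;WP;;;WD)" to a
# profile directory with the .NET access-control classes and reads it back.
# Assumes Windows PowerShell and rights to change the ACL of $Path.
# Function names are this example's own.

# (D;OIIO;WP;;;WD) decoded:
#   D   -> ACE type: access denied
#   OI  -> ObjectInherit: files below $Path inherit the ACE
#   IO  -> InheritOnly: the ACE does not apply to $Path itself
#   WP  -> access mask 0x20, which for files is FILE_EXECUTE (ExecuteFile)
#   WD  -> trustee: Everyone (S-1-1-0)
# No CI flag: a subdirectory receives the ACE as inherit-only, so traversing
# into it still works while the ACE keeps propagating to the files inside it.

function Add-DenyExecuteAce {
    param([string]$Path = $env:USERPROFILE)

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)        # .NET keeps the DACL canonical: Deny before Allow
    Set-Acl -LiteralPath $Path -AclObject $acl

    # The SDDL of the directory now contains the ACE in the advisory's notation.
    return (Get-Acl -LiteralPath $Path).Sddl
}

function Test-DenyExecuteAce {
    # $true when $Path carries the deny-execute ACE for Everyone, either
    # explicitly (the profile root) or inherited (a file or subdirectory below it).
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hit = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        ([int]$_.FileSystemRights -band 0x20) -ne 0      # 0x20 = FILE_EXECUTE
    }
    return [bool]$hit
}

function Remove-DenyExecuteAce {
    # Undo: remove the same rule again (matches on identity, rights, flags and type).
    param([string]$Path = $env:USERPROFILE)

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Path
    $acl.RemoveAccessRule($rule) | Out-Null
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: Add-DenyExecuteAce -Path "$env:TEMP\aceprobe"     (a scratch directory)
#        Test-DenyExecuteAce -Path "$env:TEMP\aceprobe\some.exe"   -> $true
```

Two caveats before applying this to a real "%USERPROFILE%": Everyone includes SYSTEM and Administrators, so the deny ACE blocks execution of files under the profile for every account, not only the unprivileged user; and programs that install themselves per-user below the profile (typically under "%LOCALAPPDATA%") will no longer start. Try it on a scratch directory first, and keep Remove-DenyExecuteAce at hand.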

stay tuned
Stefan Kanthak


2016-12-15    sent vulnerability report to vendor

              no reply, not even an acknowledgement of receipt

2016-12-23    resent vulnerability report to vendor, cc CERT at
              German BSI

              no reply, not even an acknowledgement of receipt

2016-12-27    CERT at German BSI contacts vendor offering help

              no reply, not even an acknowledgement of receipt

2016-12-31    report published

Sent through the Full Disclosure mailing list