lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 2 Jan 2017 12:53:28 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 45):
	ReadPDF's installers allow escalation of privilege

Hi @ll,

the executable installer "InstallTinyPDF.exe", available from
<>, is (surprise.-) vulnerable:

1. DLL hijacking (this is well-known and well-documented; see
   <> and

   "InstallTinyPDF.exe" loads and executes UXTheme.dll and/or
   DWMAPI.dll from its "application directory" instead Windows'
   "system directory", resulting in arbitrary code execution".

   The "application directory" is typically the user's "Downloads"
   directory; see
   and <>

   If UXTheme.dll or DWMAPI.dll get planted for example per
   "drive-by download" in the users "Downloads" directory this
   vulnerability becomes a remote code execution.

2. Unsafe TEMP directory (this is well-known and well-documented;
   see <>
   and <>)

   "InstallTinyPDF.exe" creates a temporary (sub)directory
   "%TEMP%\is-<random>.tmp\" into which it extracts embedded DLLs
   (_ShFolder.dll [*], ...) and an embedded subinstaller (is-*.tmp)
   which it executes then ELEVATED, i.e. with administrative

   Since the temporary (sub)directory is unprotected (it inherits
   the NTFS ACL from its parent "%TEMP%\") the extracted executables
   can be overwritten the between their creation and execution by
   the unprivileged user, resulting in arbitryry code execution with
   escalation of privilege.

   Additionally (really: of course) "%TEMP%\is-<random>.tmp\is*-tmp"
   is vulnerable to DLL hijacking too: it loads UXTheme.dll and/or
   DWMAPI.dll and some more DLLs from its "application directory"
   "%TEMP%\is-<random>.tmp\", which can be placed there by the
   unprivileged user, again resulting in arbitrary code execution
   with elevation of privilege.

JFTR: InstallTinyPDF.exe is built using the crapware InnoSetup!


* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <> and
  <> plus
  <!execute.html> alias
  <!execute.html> for more

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows
  setup which use the same "%TEMP%" for unprivileged and privileged

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


Write a windows-conformant .INF to install the printer driver
(see <>), then
use MakeCAT.exe to create a .CAT and SignTool.exe to sign it.

See <>
and <>
plus <>
for the description of these development tools.

With this TINYPDF.INF the printer driver can be installed via
"Add Printer" as well as the following command lines:

* "%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\PrintUI.dll",PrintUIEntry /if /f "<path>\TINYPDF.INF" /m TinyPDF /r
  (see <>)

* DISM.exe /Image:<path> /Add-Driver /Driver:"<path>\TINYPDF.INF" ...
  (see <>)

* DPInst.exe ... which I but DON'T recommend!
  (see <>)

Even Windows' setup can import it automatically from \$WinPEDriver$\
into the driver store (see

JFTR: there is ABSOLUTELY no need for executable installers on
      Windows! DUMP THIS CRAP!

stay tuned
Stefan Kanthak

[*] ShFolder.dll is cruft from the last millennium, it was used
    on Windows 9x without Internet Explorer 4; see
    Since Windows 2000 there is ABSOLUTELY no need to use this


2012-05-24    vulnerability report sent to vendor (yes, 2012-05-24!)

              no reply, not even an acknowledgement of receipt

2016-06-06    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-02    report published

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists