| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3BDBAF04307843C1AF503A177FD2625B@W340>
Date: Fri, 13 Jan 2017 22:48:59 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Executable installers are vulnerable^WEVIL (case 44):
SoftMaker's FlexiPDF installers allow escalation of privilege
Hi @ll,
the executable installers of SoftMaker's FlexiPDF,
<http://www.softmaker.net/down/flexipdf2017.exe> and
<http://www.softmaker.net/down/flexipdfbasic2017.exe>, built
with the crapware known as "InnoSetup", are vulnerable to DLL
hijacking: they load Windows DLLs from their "application
directory" instead Windows' "system directory": on Windows 7
at least UXTheme.dll and DWMAPI.dll.
This well-known and well-documented vulnerability allows
arbitrary code execution with the credentials of the current user.
Additionally the executable installers create an unsafe directory
"%TEMP%\is-*.tmp\" to extract an executable file "flexipdf2017.tmp"
or "flexipdfbasic2017.tmp" which they execute with administrative
privileges.
Both "flexipdf2017.tmp" and "flexipdfbasic2017.tmp" load multiple
Windows DLLs from their "application directory" "%TEMP%\is-*.tmp\":
on Windows 7 at least MSImg32.dll, Version.dll, MPR.dll, UXTheme.dll,
DWMAPI.dll
"Thanks" to the unsafe and unprotected directory "%TEMP%\is-*.tmp\"
an unprivileged attacker can place these DLLs there, resulting in
arbitrary code execution WITH elevation of privilege.
See <http://seclists.org/fulldisclosure/2015/Dec/33>,
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
for more details.
See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html> and
<https://capec.mitre.org/data/definitions/471.html> plus
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> for these
well-known and well-documented vulnerabilities.
Mitigations:
~~~~~~~~~~~~
* Don't use executable installers! NEVER!
Don't use self-extractors! NEVER!
See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.
* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup which use the same "%TEMP%" for unprivileged and privileged
processes!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-12-29 sent vulnerability report to vendor and german CERT
at the BSI
No reply, not even an acknowledgement of receipt
2017-01-03 german CERT contacts vendor, offering support and
asking for vendors security officer
No reply from vendor
2017-01-05 resent vulnerability report to vendor
No reply, not even an acknowledgement of receipt
2017-01-13 report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists