Date: Sat, 21 Jan 2017 20:37:19 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C
	allows arbitrary code execution

Hi @ll,

the executable installers of "Pelles C",
<> and,
<>, available
from <>, are vulnerable
to DLL hijacking: they load (tested on Windows 7) at least the
following DLLs from their "application directory" instead of Windows'
"system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
RichEd20.dll and CryptBase.dll.

See <>,
<> and
<> for this
well-known and well-documented vulnerability^WBEGINNER'S ERROR!

For programs downloaded from the internet the "application
directory" is typically the user's "Downloads" directory; see
and <>

If one of the DLLs named above is placed in the user's "Downloads"
directory (for example per "drive-by download") this vulnerability
becomes a remote code execution.

JFTR: there is ABSOLUTELY no need for executable installers on
      Windows! DUMP THIS CRAP!

JFTR: naming a program "Setup.exe" is another beginner's error:
      Windows does some VERY special things when it encounters
      this filename!


* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <> and
  <> plus
  <!execute.html> alias
  <!execute.html> for more

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".

stay tuned
Stefan Kanthak


2017-01-05    sent vulnerability report to author

              no reply, not even an acknowledgement of receipt

2017-01-13    resent vulnerability report to author

              no reply, not even an acknowledgement of receipt

2017-01-21    report published

Sent through the Full Disclosure mailing list
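
The ACE string "(D;OIIO;WP;;;WD)" from the mitigation above, decoded field by field. This is an added example, not part of the original post or of any tool it links to; the function names are made up for illustration and the token tables are a small, deliberately incomplete subset of SDDL.

```python
# Added example: decode one SDDL ACE string of the form
# (type;flags;rights;object_guid;inherit_object_guid;trustee).
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {  # two-letter tokens, concatenated without separators
    "OI": "object inherit: inherited by files",
    "CI": "container inherit: inherited by subdirectories",
    "IO": "inherit only: not applied to the object carrying the ACE",
    "NP": "no propagate: inherited one level only",
}
# SDDL names these bits after directory-service rights; on files and
# directories the same bit values carry the file meanings listed here.
FILE_RIGHTS = {
    "CC": (0x01, "read data / list directory"),
    "DC": (0x02, "write data / add file"),
    "LC": (0x04, "append data / add subdirectory"),
    "SW": (0x08, "read extended attributes"),
    "RP": (0x10, "write extended attributes"),
    "WP": (0x20, "execute file / traverse directory"),
}
TRUSTEES = {"WD": "Everyone", "BA": "Builtin Administrators", "SY": "Local System"}

def split_pairs(field, table, what):
    """Split a run of two-letter tokens; reject anything not in the table."""
    tokens = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [t for t in tokens if t not in table]
    if unknown:
        raise ValueError(f"unsupported {what} token(s): {unknown}")
    return tokens

def decode_ace(ace):
    """Return a dict describing the ACE, or raise ValueError if malformed."""
    fields = ace.strip().strip("()").split(";")
    if len(fields) != 6:
        raise ValueError("an ACE string has exactly six ';'-separated fields")
    ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type: {ace_type!r}")
    flag_tokens = split_pairs(flags, ACE_FLAGS, "flag")
    right_tokens = split_pairs(rights, FILE_RIGHTS, "rights")
    mask = 0
    for token in right_tokens:
        mask |= FILE_RIGHTS[token][0]
    return {
        "type": ACE_TYPES[ace_type],
        "flags": [ACE_FLAGS[t] for t in flag_tokens],
        "mask": mask,
        "rights": [FILE_RIGHTS[t][1] for t in right_tokens],
        "trustee": TRUSTEES.get(trustee, trustee),  # unknown alias or SID kept as-is
        "applies_to_directory_itself": "IO" not in flag_tokens,
    }
```

`decode_ace("(D;OIIO;WP;;;WD)")` shows why "WP" denies execution: its bit value 0x20 is the execute right when the ACE sits on a file.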