lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <CAJbwDgfafvB3QcEYHiqNCdM6pLo_D=EK=EeAiizk+pmjat-2=Q@mail.gmail.com>
Date: Mon, 23 Jan 2017 08:53:55 +0100
From: Ding Dong <dingdongloop@...il.com>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

Can you elaborate a bit on what special treatment Windows gives installers named setup.exe?

On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak@...go.de> wrote:
> Hi @ll,
>
> the executable installers of "Pelle's C",
> <http://smorgasbordet.com/pellesc/800/setup64.exe> and
> <http://smorgasbordet.com/pellesc/800/setup.exe>, available
> from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable
> to DLL hijacking: they load (tested on Windows 7) at least the
> following DLLs from their "application directory" instead of Windows'
> "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
> RichEd20.dll and CryptBase.dll
>
> See <https://cwe.mitre.org/data/definitions/426.html>,
> <https://cwe.mitre.org/data/definitions/427.html>,
> <https://capec.mitre.org/data/definitions/471.html>,
> <https://technet.microsoft.com/en-us/library/2269637.aspx>,
> <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
> <https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
> well-known and well-documented vulnerability^WBEGINNER'S ERROR!
>
> For programs downloaded from the internet the "application
> directory" is typically the user's "Downloads" directory; see
> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
> and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
>
> If one of the DLLs named above is placed in the user's "Downloads"
> directory (for example per "drive-by download") this vulnerability
> becomes a remote code execution.
>
> JFTR: there is ABSOLUTELY no need for executable installers on
> Windows! DUMP THIS CRAP!
>
> JFTR: naming a program "Setup.exe" is another beginner's error:
> Windows does some VERY special things when it encounters
> this filename!
>
> Mitigations:
> ~~~~~~~~~~~~
>
> * Don't use executable installers! NEVER!
>   Don't use self-extractors! NEVER!
>
>   See <http://seclists.org/fulldisclosure/2015/Nov/101> and
>   <http://seclists.org/fulldisclosure/2015/Dec/86> plus
>   <http://home.arcor.de/skanthak/!execute.html> alias
>   <https://skanthak.homepage.t-online.de/!execute.html> for more
>   information.
>
> * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
>   use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
>   decode it to "deny execution of files in this directory for
>   everyone, inheritable to all files in all subdirectories".
>
> stay tuned
> Stefan Kanthak
>
> Timeline:
> ~~~~~~~~~
>
> 2017-01-05    sent vulnerability report to author
>               no reply, not even an acknowledgement of receipt
>
> 2017-01-13    resent vulnerability report to author
>               no reply, not even an acknowledgement of receipt
>
> 2017-01-21    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
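The second mitigation in the quoted advisory, the ACE "(D;OIIO;WP;;;WD)" on "%USERPROFILE%", as an added PowerShell example that is not part of the original thread. It checks whether a directory already carries an equivalent deny-execute ACE for Everyone and, with -Apply, adds one built from the same flags (Deny, ObjectInherit, InheritOnly, ExecuteFile, SID S-1-1-0); the -Path parameter default and the -Apply switch are this example's own choices.

```powershell
# Added example (not from the advisory): audit or apply the deny-execute ACE
# "(D;OIIO;WP;;;WD)" on a directory. Defaults to the current user's profile.
param(
    [string]$Path = $env:USERPROFILE,
    [switch]$Apply
)

$acl = Get-Acl -Path $Path

# Everyone (SDDL "WD") is the well-known SID S-1-1-0; SDDL "WP" on a file
# object is FILE_EXECUTE, i.e. FileSystemRights.ExecuteFile.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,   # OI
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,     # IO
    [System.Security.AccessControl.AccessControlType]::Deny)           # D

# Look for an existing deny ACE for Everyone that covers ExecuteFile.
$present = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    (($_.FileSystemRights -band
      [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
}

if ($present) {
    Write-Host "Deny-execute ACE for Everyone already present on $Path"
} elseif ($Apply) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Applied (D;OIIO;WP;;;WD) to $Path"
} else {
    Write-Host "No deny-execute ACE for Everyone on $Path (re-run with -Apply to add one)"
}

# Print the SDDL so the ACE can be compared with the string in the advisory.
(Get-Acl -Path $Path).Sddl
```

Because the ACE is inherited by every file under the directory, try it on a scratch folder first: anything a user legitimately runs from inside the profile (portable tools, per-user installs) will also be blocked.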