lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <F52768EBF8764975B8C1990145EC02C7@W340>
Date: Mon, 23 Jan 2017 23:28:35 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Ding Dong" <dingdongloop@...il.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] Executable installers are vulnerable^WEVIL (case 46):
	Pelles C allows arbitrary code execution

"Ding Dong" <dingdongloop@...il.com> wrote:

Please stop top posting and full quotes!

> Can you elaborate a bit on what special treatment windows gives installeres
> named setup.exe?

Run "NTSD.exe setup.exe" and see which DLLs Windows loads, and how
they are loaded.
Rename setup.exe to something.exe, run "NTSD.exe something.exe" and
compare the results.

JFTR: NTSD.exe was shipped with Windows NT5.x; in newer versions you
      have to install the debugging tools.

If you want to run without debugger: take a look at
<http://home.arcor.de/skanthak/verifier.html> alias
<https://skanthak.homepage.t-online.de/verifier.html>

JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
      was referred in <http://seclists.org/bugtraq/2016/Jan/105>

In short: setup.exe lets Windows load some app-compat shims.

stay tuned
Stefan

> On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak@...go.de> wrote:
> 
>> Hi @ll,
>>
>> the executable installers of "Pelle's C",
>> <http://smorgasbordet.com/pellesc/800/setup64.exe> and,
>> <http://smorgasbordet.com/pellesc/800/setup.exe>, available
>> from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable
>> to DLL hijacking: they load (tested on Windows 7) at least the
>> following DLLs from their "application directory" instead Windows'
>> "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
>> RichEd20.dll and CryptBase.dll

[snip]

>> JFTR: there is ABSOLUTELY no need for executable installers on
>>       Windows! DUMP THIS CRAP!
>>
>> JFTR: naming a program "Setup.exe" is another beginner's error:
>>       Windows' does some VERY special things when it encounters
>>       this filename!

[snip]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists