Date: Tue, 31 Jan 2017 08:14:59 +0100
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 47): Heimdal Security's SetupLauncher vulnerable to DLL hijacking

Hi @ll,

Heimdal.SetupLauncher.exe, available from
is (surprise.-) vulnerable to DLL hijacking: it loads (at least)
WINSPOOL.DRV from its "application directory" instead of Windows'
"system directory".

For downloaded applications like Heimdal.SetupLauncher.exe the
"application directory" is Windows' "Downloads" folder.

See <> and
<> plus
<> and
for more information.
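To check the search-order point above for any downloaded executable, here is an added PowerShell example (it is not the advisory's or the vendor's code): for a DLL requested by bare name, it reports whether a copy planted in the application directory would be resolved before the one in %SystemRoot%\System32. The function name Test-DllPlantExposure is this example's own.

```powershell
# Added example (not part of the advisory): does a DLL planted in an
# application's directory win over the copy in %SystemRoot%\System32?
#
# Facts the check relies on: for a DLL requested by bare name, the loader
# searches the application directory before the system directory whatever
# SafeDllSearchMode says; only names on the KnownDLLs list are always taken
# from the system copy. WINSPOOL.DRV is an ordinary DLL despite its extension.
function Test-DllPlantExposure {
    param(
        [Parameter(Mandatory)] [string]   $ApplicationDirectory,
        [Parameter(Mandatory)] [string[]] $DllName
    )
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # KnownDLLs: one REG_SZ value per protected DLL, plus DllDirectory/DllDirectory32
    # and the PS* provider properties, which are not DLL names.
    $knownDlls = (Get-ItemProperty -Path "$smKey\KnownDLLs").PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value.ToString().ToLowerInvariant() }

    # SafeDllSearchMode counts as enabled when the value is absent; it moves the
    # current directory down the search order but never the application directory.
    $safeMode = (Get-ItemProperty -Path $smKey -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safeSearch = ($null -eq $safeMode) -or ($safeMode -ne 0)

    foreach ($name in $DllName) {
        $known = $knownDlls -contains $name.ToLowerInvariant()
        [pscustomobject]@{
            DllName              = $name
            KnownDll             = $known
            SafeDllSearchMode    = $safeSearch
            SystemCopyPresent    = Test-Path -LiteralPath "$env:SystemRoot\System32\$name"
            PlantedCopyPresent   = Test-Path -LiteralPath (Join-Path $ApplicationDirectory $name)
            # A copy next to the executable is loaded instead of the system one
            # unless the name is a KnownDLL (or the DLL is already in the process).
            HijackableFromAppDir = -not $known
        }
    }
}

# "Downloads" is the application directory of every downloaded installer.
Test-DllPlantExposure -ApplicationDirectory "$env:USERPROFILE\Downloads" -DllName winspool.drv, kernel32.dll |
    Format-Table -AutoSize
```

The check only says whether a planted DLL would be resolved from the application directory; that the program actually loads the name has to be confirmed separately, for example with Process Monitor filtered on the Downloads folder, or by listing the imports with dumpbin /imports. On the developer side, loading system DLLs by full path, or calling SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) early in the process, removes the application directory from the search for exactly these loads.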

On their web site <> Heimdal Security advertises:

| Online criminals hate us. We protect you from attacks that antivirus
| can't block.

The opposite is true, though: every online criminal loves "security"
products because of such trivial-to-exploit vulnerabilities!

DLL hijacking is a 20-year-old, well-known and well-documented
vulnerability, and a typical beginner's error: see
<> and
for more information.


* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <> and
  <> plus
  <!execute.html> alias
  <!execute.html> for more information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".

* Use SAFER alias Software Restriction Policies or AppLocker to
  enforce W^X alias "write Xor execute" in the NTFS file system:
  allow execution only below %SystemRoot% and %ProgramFiles% and
  deny it everywhere else.

  See <> or
  <> alias
  <> for more information.

* Stay FAR away from so-called "security" products!

  See (for example)
  for more information.
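The ACE and the SAFER/AppLocker bullets above, worked through in PowerShell as an added example (this is not the advisory's own code): the ACE is decoded with .NET's RawSecurityDescriptor and applied with icacls, and the "write Xor execute" policy is written as an AppLocker path policy and dry-run with Test-AppLockerPolicy. The rule names, the $mode variable and the probe file name are arbitrary choices of this example.

```powershell
# Added example, not the advisory's own code. Run from an elevated PowerShell
# on Windows. The AppLocker part needs an edition that enforces AppLocker and
# the Application Identity service (AppIDSvc) running.

# --- 1. Decode the ACE "(D;OIIO;WP;;;WD)" with the .NET ACL classes. --------
# RawSecurityDescriptor expects a whole descriptor, so the ACE is wrapped in "D:".
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor 'D:(D;OIIO;WP;;;WD)'
foreach ($ace in $sd.DiscretionaryAcl) {
    [pscustomobject]@{
        AceType = $ace.AceType    # AccessDenied
        Flags   = $ace.AceFlags   # ObjectInherit, InheritOnly: files only, in all subdirectories
        Mask    = '0x{0:X}' -f $ace.AccessMask   # 0x20: FILE_EXECUTE on a file ("WP" is the DS name of that bit)
        Trustee = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value   # Everyone
    }
}

# --- 2. Apply it to %USERPROFILE% with icacls: (OI)(IO) = object-inherit,
#        inherit-only; X = execute; *S-1-1-0 = Everyone, independent of locale.
icacls.exe "$env:USERPROFILE" /deny '*S-1-1-0:(OI)(IO)(X)'

# Read the DACL back and make sure exactly this ACE is present.
$denyExec = (Get-Acl -LiteralPath $env:USERPROFILE).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
    ([int]$_.FileSystemRights -band 0x20) -ne 0 -and
    $_.InheritanceFlags -eq 'ObjectInherit' -and
    $_.PropagationFlags -eq 'InheritOnly'
}
if (-not $denyExec) { throw 'deny-execute ACE not found on the profile directory' }

# --- 3. The same W^X rule as an AppLocker policy: executables and DLLs are
#        allowed only below %WINDIR% and %PROGRAMFILES% (AppLocker's variable
#        covers both "Program Files" directories). Once a collection holds any
#        rule, everything it does not allow is denied, so no deny rule for the
#        rest of the disk is needed. The Dll collection is what stops a planted
#        DLL from loading; Microsoft warns that DLL rules cost performance.
$mode = 'AuditOnly'   # log to Microsoft-Windows-AppLocker first; switch to 'Enabled' to enforce
function New-AllowPathRules {
    foreach ($p in '%WINDIR%\*', '%PROGRAMFILES%\*') {
        '<FilePathRule Id="{0}" Name="Allow {1}" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">' -f [guid]::NewGuid(), $p
        '  <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $p
        '</FilePathRule>'
    }
}
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$((New-AllowPathRules) -join "`n")
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="$mode">
$((New-AllowPathRules) -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'wx-applocker.xml'
Set-Content -LiteralPath $xmlPath -Value $policyXml -Encoding UTF8

# Dry run: a system binary must be allowed; the same binary copied into
# Downloads (standing in for a downloaded installer) must be denied.
$probe = Join-Path $env:USERPROFILE 'Downloads\probe-installer.exe'
Copy-Item -LiteralPath "$env:WINDIR\System32\notepad.exe" -Destination $probe
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:WINDIR\System32\notepad.exe", $probe -User 'S-1-1-0' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -LiteralPath $probe

# Once the audit log is clean, set $mode = 'Enabled', regenerate, and merge:
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Two caveats before rolling either out. The deny ACE and the AppLocker policy both stop programs that install per user below %LOCALAPPDATA%, which is the intended effect but needs those programs reinstalled machine-wide below %ProgramFiles%; the ACE is undone with `icacls.exe "$env:USERPROFILE" /remove:d *S-1-1-0`. And "allow everything below %WINDIR%" is only W^X if users cannot write there: add exceptions for the user-writable subdirectories (for example %WINDIR%\Temp and %WINDIR%\Tasks), since they are well-known places to park an executable that such a path rule would allow.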

stay tuned
Stefan Kanthak


2017-01-13    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-21    vulnerability report resent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-31    report published

Sent through the Full Disclosure mailing list