Message-ID: <E9D849F611E7460DA283BC6CC280DE8B@W340>
Date: Tue, 31 Jan 2017 08:14:59 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Executable installers are vulnerable^WEVIL (case 47): Heimdal Security's SetupLauncher vulnerable to DLL hijacking

Hi @ll,

Heimdal.SetupLauncher.exe, available from
<https://heimdalprodstorage.blob.core.windows.net/setup/Heimdal.SetupLauncher.exe>
is (surprise.-) vulnerable to DLL hijacking: it loads (at least)
WINSPOOL.DRV from its "application directory" instead of Windows'
"system directory".

For downloaded applications like Heimdal.SetupLauncher.exe the
"application directory" is Windows' "Downloads" folder.

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.

On their web site <https://heimdalsecurity.com/en/> Heimdal Security
brags^Wlies:

| Online criminals hate us. We protect you from attacks that antivirus
| can't block.

The opposite is but true: every online criminal loves "security" products
because of such trivial-to-exploit vulnerabilities!

DLL hijacking is a 20 year old, well-known and well-documented
vulnerability, and a typical beginner's error: see
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx>
for more information.

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!
  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html>
  for more information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode
  it to "deny execution of files in this directory for everyone,
  inheritable to all files in all subdirectories".

* Use SAFER alias Software Restriction Policies or AppLocker to enforce
  W^X alias "write Xor execute" in the NTFS file system: allow execution
  only below %SystemRoot% and %ProgramFiles% and deny it everywhere else.
  See <http://mechbgon.com/srp/index.html> or
  <http://home.arcor.de/skanthak/SAFER.html> alias
  <https://skanthak.homepage.t-online.de/SAFER.html>
  for more information.

* Stay FAR away from so-called "security" products!
  See (for example)
  <http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html>
  and
  <https://medium.com/@justin.schuh/stop-buying-bad-security-prescriptions-f18e4f61ba9e#.f07b2xdow>
  for more information.

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-01-13    vulnerability report sent to vendor
              no reply, not even an acknowledgement of receipt
2017-01-21    vulnerability report resent to vendor
              no reply, not even an acknowledgement of receipt
2017-01-31    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
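The second mitigation in the post, the ACE "(D;OIIO;WP;;;WD)" on "%USERPROFILE%", can be applied and verified from PowerShell. The following is an added example and not part of Stefan Kanthak's post: it builds the same ACE as a .NET FileSystemAccessRule (Deny, Everyone = SID S-1-1-0, FILE_EXECUTE, object-inherit + inherit-only) and then checks the resulting ACL by SID rather than by the localized "Everyone" name. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function names Add-DenyExecuteAce and Test-DenyExecuteAce are this example's own.

```powershell
# Added example (not from the advisory): apply the advisory's ACE
# "(D;OIIO;WP;;;WD)" to a directory and verify it is present.
# Assumes Windows PowerShell 5.1+ on Windows; function names are hypothetical.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Add-DenyExecuteAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $env:USERPROFILE)

    # "WD" in SDDL is Everyone, SID S-1-1-0; using the SID avoids localized names.
    $everyone = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)

    # D    = deny
    # OIIO = object-inherit + inherit-only: applies to files created below
    #        this directory, not to the directory object itself
    # WP   = access mask 0x20, which is FILE_EXECUTE for file objects
    $rule = [FileSystemAccessRule]::new(
        $everyone,
        [FileSystemRights]::ExecuteFile,
        [InheritanceFlags]::ObjectInherit,
        [PropagationFlags]::InheritOnly,
        [AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, 'add deny-execute ACE for Everyone')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Test-DenyExecuteAce {
    param([string]$Path = $env:USERPROFILE)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit rules only, identities resolved to SIDs (locale-independent).
    $rules = $acl.GetAccessRules($true, $false, [SecurityIdentifier])
    foreach ($r in $rules) {
        $hasExecute = ([int]($r.FileSystemRights -band [FileSystemRights]::ExecuteFile)) -ne 0
        $objInherit = ([int]($r.InheritanceFlags -band [InheritanceFlags]::ObjectInherit)) -ne 0
        $inheritOnly = ([int]($r.PropagationFlags -band [PropagationFlags]::InheritOnly)) -ne 0
        if ($r.AccessControlType -eq [AccessControlType]::Deny -and
            $r.IdentityReference.Value -eq 'S-1-1-0' -and
            $hasExecute -and $objInherit -and $inheritOnly) {
            return $true
        }
    }
    return $false
}

# Usage: dry run first; remove the comment on the second line to apply.
Add-DenyExecuteAce -WhatIf
# Add-DenyExecuteAce
Test-DenyExecuteAce               # $true once the ACE is present
(Get-Acl -LiteralPath $env:USERPROFILE).Sddl   # shows the ACL in SDDL form
```

After applying, the SDDL string printed by the last line should contain the ACE exactly as the post writes it, "(D;OIIO;WP;;;WD)", and Test-DenyExecuteAce returns $true. Because the ACE is inherit-only, it changes nothing for the profile directory itself; it is inherited by files created afterwards, so run it before downloading rather than expecting it to retroactively cover existing files whose ACLs were already set (Set-Acl does propagate inheritable ACEs to existing children, but any child with inheritance disabled keeps its own ACL).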