Message-ID: <AE1E632C8BAF49B4ACA5B07585A28C6D@W340>
Date: Fri, 7 Apr 2017 19:29:58 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution
Hi @ll,
1Password-4.6.1.619.exe, available from
<https://d13itkw33a7sus.cloudfront.net/dist/1P/win4/1Password-4.6.1.619.exe>
is vulnerable to DLL hijacking: it loads UXTheme.dll or DWMAPI.dll
from its "application directory" instead of Windows'
"system directory".
For downloaded applications like 1Password-4.6.1.619.exe the
"application directory" is Windows' "Downloads" folder.
See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.
See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
well-known beginner's error.
If one of the DLLs named above is placed in the user's "Downloads"
directory (for example via "drive-by download") this vulnerability
becomes a remote code execution.
JFTR: there is ABSOLUTELY no need for executable installers on
Windows! DUMP THIS CRAP!
Additionally, the installer creates an unsafe temporary directory
"%TEMP%\is-*.tmp\" where it extracts some parts of itself and
executes them.
See <https://cwe.mitre.org/data/definitions/377.html>
and <https://cwe.mitre.org/data/definitions/379.html> for this
well-known beginner's error.
Mitigations:
~~~~~~~~~~~~
* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!
  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".
* Use SAFER alias Software Restriction Policies or AppLocker to
  enforce W^X alias "write Xor execute" in the NTFS file system:
  allow execution only below %SystemRoot% and %ProgramFiles% and
  deny it everywhere else.
  See <http://mechbgon.com/srp/index.html> or
  <http://home.arcor.de/skanthak/SAFER.html> alias
  <https://skanthak.homepage.t-online.de/SAFER.html> for more
  information.
stay tuned (and far away from such crap)
Stefan Kanthak
Timeline:
~~~~~~~~~
2017-03-21 vulnerability report sent to vendor
2017-03-23 reply from vendor
           "WON'T FIX: this does not attack 1Password data but
           the target system itself, and is an issue with low
           risk, an issue that has existing mitigations in place,
           or is an accepted business risk for the customer."
2017-04-07 report published
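The second mitigation above, applying the deny-execute ACE "(D;OIIO;WP;;;WD)" to the user profile, as an added PowerShell example that is not part of Stefan Kanthak's post. It assumes an elevated prompt and uses $env:USERPROFILE as the target directory; the decode step shows what the SDDL string means before the rule is added.

```powershell
# Added example (not from the original post): decode the ACE from the
# mitigation, add it to %USERPROFILE% and verify it is present afterwards.
# Assumption: run in an elevated PowerShell prompt on the machine to harden.
$target = $env:USERPROFILE

# 1. Decode the SDDL so the intent is visible before touching anything.
#    WD = Everyone, WP = FILE_EXECUTE, OI = object (file) inherit,
#    IO = inherit-only (the directory itself stays traversable).
$decoded = New-Object System.Security.AccessControl.DirectorySecurity
$decoded.SetSecurityDescriptorSddlForm("D:(D;OIIO;WP;;;WD)")
$decoded.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags -AutoSize

# 2. Build the identical rule with the .NET API. Without CI, subdirectories
#    still receive the ACE as inherit-only, so it reaches files at every depth.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',        # Everyone (WD)
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,   # WP
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit, # OI
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,   # IO
    [System.Security.AccessControl.AccessControlType]::Deny)

# 3. Read the existing ACL, add the deny ACE, write it back.
#    (Modify the ACL read from disk; do not build a fresh one, or the
#    existing allow entries are lost.)
$acl = Get-Acl -Path $target
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# 4. Verify: the ACE must now appear in the directory's SDDL.
$present = (Get-Acl -Path $target).Sddl -match '\(D;OIIO;WP;;;WD\)'
if (-not $present) { throw "deny-execute ACE was not applied to $target" }
"deny-execute ACE applied to $target"
```

Afterwards, an EXE or DLL dropped into "Downloads" (or anywhere else below the profile) can no longer be executed or loaded from there, which is exactly what the DLL-hijacking case above relies on.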