Date: Fri, 26 May 2017 17:51:23 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 51): escalation of privilege with Microsoft's Azure Recovery Services Agent

Hi @ll,

MARSAgentInstaller.exe, the Microsoft Azure Recovery Services Agent,
available via
is vulnerable: it allows arbitrary code execution via DLL hijacking,
resulting in escalation of privilege on standard installations of
Windows.

MARSAgentInstaller.exe version 2.0.9072.0, digitally signed 2017-04-05,
loads and executes (tested on a fully patched Windows 7 SP1) at least
the following DLLs from its application directory (typically
"%USERPROFILE%\Downloads\") instead of from Windows' system directory
"%SystemRoot%\System32\": Version.dll, CryptDll.dll, CryptSP.dll,
UXTheme.dll or DWMAPI.dll, Cabinet.dll.

Thanks to the embedded application manifest, which specifies the
requestedExecutionLevel "requireAdministrator", the installer runs with
administrative rights, so this results in escalation of privilege on
standard installations of Windows!

See <>,
<> and
<> for this
well-known beginner's error.

See <>,
<> and
for more information.

Proof of concept/demonstration:

1. visit <>,
   and save it as Cabinet.dll in your "Downloads" directory, then
   copy it as Version.dll, CryptDLL.dll, CryptSP.dll, UXTheme.dll
   and DWMAPI.dll;

2. visit
   and save it in your "Downloads" directory;

3. execute MARSAgentInstaller.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

Mitigation & detection:

* NEVER run executable installers from your "Downloads" directory;

* dump/avoid executable installers, use *.MSI instead!

* see <>,
  <> and

* also see <>
  and <!execute.html>
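A detection script for the first mitigation bullet, added here as an example and not part of the original advisory: it lists DLLs in the download directory that shadow a DLL of the same name in "%SystemRoot%\System32\" (the hijack candidates named above, since the application directory precedes System32 in the default search order) and reports which executables in that directory embed a manifest requesting elevation, i.e. the combination that turns a DLL hijack into an escalation of privilege. The -Path parameter, the output field names and the byte-level manifest search are assumptions of this example; the manifest check is a heuristic text search, not a PE resource parser.

```powershell
# Added example (not from the original advisory): find DLLs planted next to
# executable installers in a download directory and flag installers whose
# embedded manifest requests elevation.
# Assumptions: -Path defaults to the user's Downloads folder; the manifest
# check is a heuristic byte search for requestedExecutionLevel and is not a
# PE resource parser. Requires PowerShell 3.0 or later (-File switch).
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Names of DLLs that legitimately live in System32. A same-named DLL in the
# download directory is a hijack candidate: an installer started from there
# loads it instead of the real one.
$systemDlls = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File | ForEach-Object {
    $systemDlls[$_.Name.ToLowerInvariant()] = $true
}

$planted = Get-ChildItem -Path $Path -Filter '*.dll' -File |
    Where-Object { $systemDlls.ContainsKey($_.Name.ToLowerInvariant()) }

foreach ($dll in $planted) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    [pscustomobject]@{
        Finding   = 'DLL shadowing a System32 DLL'
        File      = $dll.FullName
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

# Executables whose embedded manifest requests elevation. Together with a
# planted DLL, running one of these elevates the planted code as well.
# The manifest is stored as plain text in the resource section, so a text
# search over the file bytes is a good-enough heuristic here.
Get-ChildItem -Path $Path -Filter '*.exe' -File | ForEach-Object {
    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $m = [regex]::Match($text, 'requestedExecutionLevel[^>]*level\s*=\s*["'']([^"'']+)["'']')
    if ($m.Success) {
        [pscustomobject]@{
            Finding   = 'Manifest requestedExecutionLevel'
            File      = $_.FullName
            Level     = $m.Groups[1].Value
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
}
```

Run it as `.\Check-Downloads.ps1` (or with `-Path` pointing at another directory users save installers to). Any row reporting a planted DLL next to an executable with Level "requireAdministrator" is the exact setup of the proof of concept above; the Signature column of the DLL rows separates copies of legitimately signed Microsoft DLLs from unsigned look-alikes.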

stay tuned
Stefan Kanthak


2017-05-18    vulnerability report sent to vendor

2017-05-18    reply from vendor:
              "As described in the Windows library search order process,
               loading binaries from the application directory is by design."

2017-05-18    OUCH!
              The "application directory" can be removed from the library
              search path since Windows Vista and KB2533623!
              See <>

2017-05-26    no reply from vendor for 7 days, report published

Sent through the Full Disclosure mailing list