Message-ID: <CAB8+WF3XeX2Dm78V7itb-VK5xL1S1hvWYp3OoXbynib=OGNSVA@mail.gmail.com>
Date: Tue, 27 Jun 2017 23:30:39 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [FD] Microsoft Office Patch Installer Executables - Insecure
 Library Loading Allows Code Execution

Microsoft Office Patch Installer Executables - Insecure Library Loading
Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading

Advisory URL:
https://ipositivesecurity.com/2017/06/15/microsoft-office-patch-installers-insecure-library-loading-allow-code-execution/

------------------------
ABOUT
------------------------

Microsoft Office patch installer executables are vulnerable to a DLL
side-loading / hijacking issue.

This issue was observed when installing a patch for Microsoft Excel 2013
SP1. The patch installer for Microsoft Word was also tested and confirmed
to exhibit the same behavior. Other patch installers may also be vulnerable.

When the patch installer is run, it searches for specific DLL file(s) in
the current directory, that is, the directory from which the patch
installer is run. If an attacker and / or a malicious user can place
crafted DLL file(s) in that directory, then it is possible to execute
arbitrary code with the privileges of the user running the installer (an
administrator installing Microsoft Excel / Word / other Office
applications).

This also applies when the installer is run from a shared folder on
another system
(\\server\shared_folder\mso2013-kb3127968-fullfile-x86-glb.exe).

Note 1: These DLLs are loaded by mso2013-kb3127968-fullfile-x86-glb.exe
before the Microsoft Executable Installer (msiexec.exe) starts.

Note 2: In the case of the Microsoft Word patch installation, in addition
to the installer exe (word2013-kb3128004-fullfile-x86-glb.exe) looking for
DLLs in the current directory, once msiexec.exe runs as part of the
installation process, it looks for and loads several DLLs (for example,
netmsg.dll) from directories in the PATH environment variable, leading to
code execution if a malicious DLL has been placed in one of them.

------------------------
Tested versions
------------------------
Verified on Windows 7 32-bit SP1 + MS Office 2013 SP1

+++++

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
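
A defender-side pre-flight check for the two conditions the advisory
describes (DLLs sitting beside the installer, and PATH directories that
ordinary users can write to), as an added example that is not part of the
original advisory. The directory C:\Patches is a constructed placeholder
and the function names are hypothetical.

```powershell
# Added example (not from the advisory). The installer directory is a placeholder.
param(
    [string]$Installer = 'C:\Patches\mso2013-kb3127968-fullfile-x86-glb.exe'
)

# Well-known SIDs of broad, non-administrative groups (locale independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# CreateFiles (same bit as WriteData) is the right needed to drop a file in a folder.
$CreateFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AdjacentDll {
    param([string]$Path)
    # DLLs next to the installer are what a current-directory search finds first.
    $dir = Split-Path -Parent $Path
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.FullName
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        }
}

function Get-WritablePathDirectory {
    # PATH directories in which a broad group is allowed to create files.
    $env:Path -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique | ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # unreadable ACL: skip this directory
            $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $BroadSids.ContainsKey($_.IdentityReference.Value) -and
                    (([int]$_.PropagationFlags -band $InheritOnly) -eq 0) -and
                    (([int]$_.FileSystemRights -band $CreateFiles) -ne 0)
                } | ForEach-Object {
                    [pscustomobject]@{ Directory = $dir; Group = $BroadSids[$_.IdentityReference.Value] }
                }
        }
}

Get-AdjacentDll -Path $Installer | Format-Table -AutoSize
Get-WritablePathDirectory | Sort-Object Directory, Group -Unique | Format-Table -AutoSize
```

Any DLL listed by the first function, or any directory listed by the
second, is worth resolving before the installer is run from that location;
copying the installer into a fresh, empty, admin-only directory avoids the
first condition entirely.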
