Full Disclosure mailing list archives
Re: Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 23 Jan 2017 23:28:35 +0100
"Ding Dong" <dingdongloop () gmail com> wrote:

Please stop top posting and full quotes!

> Can you elaborate a bit on what special treatment Windows gives installers named setup.exe?

Run "NTSD.exe setup.exe" and see which DLLs Windows loads, and how they are loaded. Rename setup.exe to something.exe, run "NTSD.exe something.exe" and compare the results.

JFTR: NTSD.exe was shipped with Windows NT5.x; in newer versions you have to install the debugging tools.

If you want to run without debugger: take a look at <http://home.arcor.de/skanthak/verifier.html> alias <https://skanthak.homepage.t-online.de/verifier.html>

JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> was referred to in <http://seclists.org/bugtraq/2016/Jan/105>

In short: setup.exe lets Windows load some app-compat shims.

stay tuned
Stefan
On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak () nexgo de> wrote:

> Hi @ll,
>
> the executable installers of "Pelle's C", <http://smorgasbordet.com/pellesc/800/setup64.exe> and <http://smorgasbordet.com/pellesc/800/setup.exe>, available from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable to DLL hijacking: they load (tested on Windows 7) at least the following DLLs from their "application directory" instead of Windows' "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll, RichEd20.dll and CryptBase.dll
>
> [snip]
>
> JFTR: there is ABSOLUTELY no need for executable installers on Windows! DUMP THIS CRAP!
>
> JFTR: naming a program "Setup.exe" is another beginner's error: Windows does some VERY special things when it encounters this filename!
>
> [snip]
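Added example, not part of the thread above: a defender-side check a user or admin can run before launching a downloaded installer. It looks in the installer's "application directory" for planted copies of the DLLs named in the original post and reports which of those names Windows protects through the KnownDLLs list (KnownDLLs are always mapped from the system directory, so a copy beside the installer is not picked up). The DLL names come from the post; the KnownDLLs registry path is the standard one; the installer path is supplied by the caller.

```powershell
# Added example (not from the thread). Checks the directory of a downloaded installer
# for DLLs that would shadow system DLLs under the default DLL search order.
function Test-InstallerDirectory {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        # Names taken from the original post (loaded from the application directory on Windows 7)
        [string[]] $DllNames = @('Version.dll', 'MSI.dll', 'UXTheme.dll',
                                 'DWMAPI.dll', 'RichEd20.dll', 'CryptBase.dll')
    )
    $dir = Split-Path -Parent (Resolve-Path -LiteralPath $InstallerPath)

    # KnownDLLs: the values under this key are DLL file names that the loader
    # always resolves from the system directory, regardless of the search path.
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $known = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
        ForEach-Object { $_.Value.ToLower() }

    foreach ($name in $DllNames) {
        [pscustomobject]@{
            Dll         = $name
            KnownDll    = ($known -contains $name.ToLower())       # protected by KnownDLLs?
            PlantedCopy = (Test-Path -LiteralPath (Join-Path $dir $name))  # copy beside the installer?
        }
    }

    # For a freshly downloaded installer, any DLL in its directory is unexpected:
    # move the installer into an empty directory before running it.
    Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object {
        Write-Warning "Unexpected DLL beside installer: $($_.FullName)"
    }
}

# Usage: Test-InstallerDirectory -InstallerPath "$env:USERPROFILE\Downloads\setup.exe" | Format-Table
```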