Full Disclosure mailing list archives
Re: Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution
From: Ding Dong <dingdongloop () gmail com>
Date: Mon, 23 Jan 2017 08:53:55 +0100
Can you elaborate a bit on what special treatment Windows gives installers named setup.exe?

On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak () nexgo de> wrote:
> Hi @ll,
>
> the executable installers of "Pelle's C",
> <http://smorgasbordet.com/pellesc/800/setup64.exe> and
> <http://smorgasbordet.com/pellesc/800/setup.exe>, available from
> <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable to DLL
> hijacking: they load (tested on Windows 7) at least the following DLLs
> from their "application directory" instead of Windows' "system directory":
> Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll, RichEd20.dll and CryptBase.dll
>
> See <https://cwe.mitre.org/data/definitions/426.html>,
> <https://cwe.mitre.org/data/definitions/427.html>,
> <https://capec.mitre.org/data/definitions/471.html>,
> <https://technet.microsoft.com/en-us/library/2269637.aspx>,
> <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
> <https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
> well-known and well-documented vulnerability^WBEGINNER'S ERROR!
>
> For programs downloaded from the internet the "application directory" is
> typically the user's "Downloads" directory; see
> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
> and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
>
> If one of the DLLs named above is placed in the user's "Downloads"
> directory (for example per "drive-by download") this vulnerability
> becomes a remote code execution.
>
> JFTR: there is ABSOLUTELY no need for executable installers on Windows!
>       DUMP THIS CRAP!
>
> JFTR: naming a program "Setup.exe" is another beginner's error: Windows
>       does some VERY special things when it encounters this filename!
>
> Mitigations:
> ~~~~~~~~~~~~
>
> * Don't use executable installers! NEVER!
>   Don't use self-extractors! NEVER!
>   See <http://seclists.org/fulldisclosure/2015/Nov/101> and
>   <http://seclists.org/fulldisclosure/2015/Dec/86> plus
>   <http://home.arcor.de/skanthak/!execute.html> alias
>   <https://skanthak.homepage.t-online.de/!execute.html> for more information.
>
> * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
>   use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode
>   it to "deny execution of files in this directory for everyone,
>   inheritable to all files in all subdirectories".
>
> stay tuned
> Stefan Kanthak
>
> Timeline:
> ~~~~~~~~~
>
> 2017-01-05    sent vulnerability report to author
>               no reply, not even an acknowledgement of receipt
> 2017-01-13    resent vulnerability report to author
>               no reply, not even an acknowledgement of receipt
> 2017-01-21    report published
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
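As an added example (not code from the original post, from Stefan Kanthak, or from the Pelles C project), the following PowerShell script does two things a defender would want from the thread above: it audits a "Downloads" directory for planted copies of the six DLL names the report lists, and it applies and verifies the deny-execute ACE "(D;OIIO;WP;;;WD)" on a profile directory using the .NET access-control classes instead of a raw SDDL string. It assumes PowerShell 5.1 or later on Windows, a default Downloads path under %USERPROFILE%, and elevation when touching another user's profile; the function names are the example's own.

```powershell
# Added example (not from the original report or the Pelles C project).
# Assumes PowerShell 5.1+ on Windows; paths and function names are this
# example's own choices.

using namespace System.Security.AccessControl
using namespace System.Security.Principal

# DLL names the report says the installer resolves from its own directory
# rather than from %SystemRoot%\System32.
$HijackableDlls = @('Version.dll', 'MSI.dll', 'UXTheme.dll',
                    'DWMAPI.dll', 'RichEd20.dll', 'CryptBase.dll')

function Find-PlantedDll {
    [CmdletBinding()]
    param([string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'))

    # These DLLs legitimately live only in the system directory; a copy
    # sitting next to downloaded installers is the planting condition the
    # report describes, so every hit is worth a look.
    Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction Stop |
        Where-Object { $HijackableDlls -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Written   = $_.LastWriteTime
                Signature = $sig.Status   # NotSigned/HashMismatch: strong indicator
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Set-DenyExecuteAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Directory)

    # Object-model equivalent of the SDDL ACE "(D;OIIO;WP;;;WD)":
    #   D   -> AccessControlType.Deny
    #   OI  -> InheritanceFlags.ObjectInherit (inherited by files)
    #   IO  -> PropagationFlags.InheritOnly   (not applied to the directory itself)
    #   WP  -> FileSystemRights.ExecuteFile   (FILE_EXECUTE, 0x20)
    #   WD  -> Everyone (S-1-1-0), built from the well-known SID so it is
    #          independent of the display language
    $everyone = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)
    $rule = [FileSystemAccessRule]::new(
        $everyone,
        [FileSystemRights]::ExecuteFile,
        [InheritanceFlags]::ObjectInherit,
        [PropagationFlags]::InheritOnly,
        [AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Directory
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Directory, 'Add deny-execute ACE for Everyone')) {
        Set-Acl -LiteralPath $Directory -AclObject $acl
    }
}

function Test-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)

    # Match the rule by its properties rather than by SDDL text, so the check
    # does not depend on how the system chooses to render the string.
    $acl = Get-Acl -LiteralPath $Directory
    $hit = $acl.GetAccessRules($true, $true, [SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            (([int]$_.FileSystemRights -band 0x20) -ne 0) -and
            $_.InheritanceFlags -eq 'ObjectInherit' -and
            $_.PropagationFlags -eq 'InheritOnly'
        }
    [bool]$hit
}

# Usage:
#   Find-PlantedDll                                          # audit Downloads
#   Set-DenyExecuteAce -Directory $env:USERPROFILE -WhatIf   # preview the change
#   Set-DenyExecuteAce -Directory $env:USERPROFILE
#   Test-DenyExecuteAce -Directory $env:USERPROFILE
#   (Get-Acl -LiteralPath $env:USERPROFILE).Sddl             # view the ACL as SDDL
```

Two practical notes. The deny ACE is coarse: it stops every principal from executing any file that inherits it, which also blocks per-user software installed under the profile (anything living in %LOCALAPPDATA%, for instance), so try it on a test profile before rolling it out. The audit function reports only the six names from this report; the same planting works for any DLL an installer resolves from its own directory, so the list is a starting point rather than a complete signature.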
Current thread:
- Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution Stefan Kanthak (Jan 22)
- Re: Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution Ding Dong (Jan 23)