Nmap Development mailing list archives
Re: NMAP 7.12- DLL Hijacking Privilege Escalation.
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 18 Jul 2016 09:37:27 -0500
Nitesh,

Thanks for reporting this. The only executable that we offer for download is the Nmap executable installer, which is built using NSIS. Back in December 2015, NSIS fixed this problem with their installer builder so that installers built with it would not be vulnerable to this type of attack. They further refined the fix in NSIS 2.51, released in April 2016. Nmap 7.12 was released on March 29, so we got the primary fix, but there may be some secondary fixes in the April NSIS release that we didn't have. The next release will be built with NSIS 2.51, and should be completely secure in this regard.

We would appreciate any direct feedback on how we can improve the security of our installers.

Dan

On Sat, Jul 16, 2016 at 5:03 AM, Nitesh Shilpkar <shilpkar.nitesh () gmail com> wrote:
NMAP setup for Windows suffers from a DLL hijacking privilege escalation vulnerability. "NMAP" loads and executes DLLs from its "application directory". For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability.

If an attacker places a malicious DLL in the user's "Downloads" directory (for example via "drive-by download" or "social engineering") this vulnerability becomes a remote code execution.

Proof of concept/demonstration:

1. Create a malicious DLL file and save it to your "Downloads" directory in a GUEST account.
2. Download the latest NMAP version, 7.12.
3. Click on the NMAP setup for Windows.
4. UAC settings would ask for a password, and the victim supplies the password to run the setup.
5. A remote shell with Administrative privileges is opened.

Thanks and Regards,

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
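The precondition for the attack discussed in this thread is a DLL sitting in the same directory as the installer, since an installer that loads a library by bare name resolves it from its application directory first. The script below is an added example, not code from the Nmap project or from either poster: it lists every DLL co-located with a downloaded installer together with its Authenticode status (an unsigned or tampered DLL next to an installer is the red flag), and it shows the simplest user-side mitigation, copying the installer into a freshly created empty directory before running it, so that no planted DLL can be found regardless of how the installer itself was built. The installer filename and the Downloads path are assumptions for illustration.

```powershell
# Added example (not from the Nmap project or the thread's authors).
# 1. Enumerate DLLs in the installer's directory, its "application directory".
# 2. Run the installer from a new, empty directory under %TEMP%.
# The default installer path below is an assumption for illustration.

param(
    [string]$Installer = (Join-Path $env:USERPROFILE 'Downloads\nmap-7.12-setup.exe')
)

function Get-CoLocatedDlls {
    param([Parameter(Mandatory)][string]$InstallerPath)
    $dir = Split-Path -Parent $InstallerPath
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                # 'NotSigned' or 'HashMismatch' on a DLL you did not put here is suspicious.
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Invoke-InstallerFromCleanDir {
    param([Parameter(Mandatory)][string]$InstallerPath)
    # A directory that did not exist a moment ago cannot hold a pre-planted DLL.
    $clean = Join-Path $env:TEMP ('install-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $clean | Out-Null
    $copy = Join-Path $clean (Split-Path -Leaf $InstallerPath)
    Copy-Item -LiteralPath $InstallerPath -Destination $copy
    # Sanity check: the installer must be the only file present before it is elevated.
    $others = Get-ChildItem -LiteralPath $clean -File | Where-Object { $_.FullName -ne $copy }
    if ($others) { throw "Unexpected files in $clean; refusing to run the installer" }
    Start-Process -FilePath $copy -Verb RunAs -Wait
    return $clean
}

$dlls = Get-CoLocatedDlls -InstallerPath $Installer
if ($dlls) {
    Write-Warning "DLLs found next to the installer; a loader that resolves by bare name would pick these up:"
    $dlls | Format-Table -AutoSize
} else {
    Write-Host "No DLLs co-located with $Installer"
}

# Uncomment to launch the installer from an empty directory with UAC elevation:
# Invoke-InstallerFromCleanDir -InstallerPath $Installer
```

Running the enumeration from a non-elevated account is the useful part: it tells you what an elevated installer would have had within reach before you grant it the UAC prompt. The clean-directory step protects the user even when the installer's build tooling has not adopted the safe-loading fixes the reply above refers to.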
Current thread:
- NMAP 7.12- DLL Hijacking Privilege Escalation. Nitesh Shilpkar (Jul 17)
- Re: NMAP 7.12- DLL Hijacking Privilege Escalation. Daniel Miller (Jul 18)