Nmap Development mailing list archives

Re: NMAP 7.12- DLL Hijacking Privilege Escalation.


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 18 Jul 2016 09:37:27 -0500

Nitesh,

Thanks for reporting this. The only executable that we offer for download
is the Nmap executable installer, which is built using NSIS. Back in
December 2015, NSIS fixed this problem with their installer builder so that
installers built with it would not be vulnerable to this type of attack.
They further refined the fix in NSIS 2.51, released in April 2016. Nmap
7.12 was released on March 29, so we got the primary fix, but there may be
some secondary fixes in the April NSIS release that we didn't have. The
next release will be built with NSIS 2.51, and should be completely secure
in this regard.

We would appreciate any direct feedback on how we can improve the security
of our installers.

Dan

On Sat, Jul 16, 2016 at 5:03 AM, Nitesh Shilpkar <shilpkar.nitesh () gmail com> wrote:

NMAP setup for windows suffers from a DLL hijacking privilege escalation
vulnerability.

"NMAP" loads and executes DLLs from its "application directory".

For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about
this well-known and well-documented vulnerability.


If an attacker places a malicious DLL in the user's "Downloads" directory
(for example via "drive-by download" or "social engineering") this
vulnerability becomes a remote code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Create a malicious DLL file and save it to your "Downloads" directory
in a GUEST account.
2. Download the latest NMAP version 7.1.2.
3. Click on the Windows NMAP setup for Windows.
4. UAC settings would ask for a password, and the victim supplies the
password to run the setup.
5. A remote shell with Administrative privileges is opened.

Thanks and Regards,
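The thread's core point is that an installer run from "Downloads" has every DLL in that folder on its application-directory search path. The fix on the vendor side is the NSIS 2.51 builder change Dan mentions; on the user side the control is to run installers from an empty directory. The PowerShell below is an added example written for this page, not code from the Nmap project or either poster: it lists DLLs sitting beside an installer with their Authenticode status, flags the Downloads location, and copies the installer alone into a fresh temporary directory. The Downloads path (`$env:USERPROFILE\Downloads`) and the installer filename in the usage lines are assumptions.

```powershell
# Added example (not Nmap project code): user-side check for the
# "Downloads directory poisoning" condition discussed in the thread.
# Assumption: the Downloads folder is %USERPROFILE%\Downloads (not redirected).

function Test-InstallerDirectory {
    param(
        [Parameter(Mandatory = $true)]
        [string]$InstallerPath
    )

    $installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    $dir       = $installer.DirectoryName
    $downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumed location

    $findings = @()

    if ($dir -ieq $downloads) {
        $findings += [pscustomobject]@{
            Kind   = 'Location'
            Path   = $dir
            Detail = 'Installer is in the Downloads folder; any DLL dropped here is on its load path.'
        }
    }

    # Every DLL next to the installer is a candidate for the application-directory
    # search order, whatever its name. Unsigned or invalidly signed files are the
    # most suspicious, but a valid signature alone does not make a DLL expected here.
    foreach ($dll in Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $findings += [pscustomobject]@{
            Kind   = 'AdjacentDll'
            Path   = $dll.FullName
            Detail = "Signature status: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
        }
    }

    return $findings
}

function Copy-InstallerToCleanDirectory {
    param(
        [Parameter(Mandatory = $true)]
        [string]$InstallerPath
    )

    # A new, empty directory under %TEMP% means the installer's application
    # directory contains nothing but the installer itself when it is launched.
    $clean = Join-Path ([System.IO.Path]::GetTempPath()) ('install-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $clean | Out-Null
    $dest = Join-Path $clean (Split-Path -Leaf $InstallerPath)
    Copy-Item -LiteralPath $InstallerPath -Destination $dest
    return $dest
}

# Usage (installer filename is a placeholder):
# $setup  = Join-Path $env:USERPROFILE 'Downloads\nmap-setup.exe'
# $report = Test-InstallerDirectory -InstallerPath $setup
# $report | Format-Table -AutoSize
# if ($report.Count -gt 0) {
#     $safe = Copy-InstallerToCleanDirectory -InstallerPath $setup
#     Start-Process -FilePath $safe -Verb RunAs   # elevation prompt, now from an empty directory
# }
```

The report only shows DLLs already present at the moment of the check, and it says nothing about DLLs an installer might resolve from other search-path locations; it is a hygiene step that complements, rather than replaces, the builder-side fix in NSIS 2.51 that Dan refers to.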

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
