[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Executable installers are vulnerable^WEVIL (case 44): SoftMaker's FlexiPDF installers allow escalation of privilege



Hi @ll,

the executable installers of SoftMaker's FlexiPDF,
<http://www.softmaker.net/down/flexipdf2017.exe> and
<http://www.softmaker.net/down/flexipdfbasic2017.exe>, built
with the crapware known as "InnoSetup", are vulnerable to DLL
hijacking: they load Windows DLLs from their "application
directory" instead Windows' "system directory": on Windows 7
at least UXTheme.dll and DWMAPI.dll.

This well-known and well-documented vulnerability allows
arbitrary code execution with the credentials of the current user.

Additionally the executable installers create an unsafe directory
"%TEMP%\is-*.tmp\" to extract an executable file "flexipdf2017.tmp"
or "flexipdfbasic2017.tmp" which they execute with administrative
privileges.

Both "flexipdf2017.tmp" and "flexipdfbasic2017.tmp" load multiple
Windows DLLs from their "application directory" "%TEMP%\is-*.tmp\":
on Windows 7 at least MSImg32.dll, Version.dll, MPR.dll, UXTheme.dll,
DWMAPI.dll

"Thanks" to the unsafe and unprotected directory "%TEMP%\is-*.tmp\"
an unprivileged attacker can place these DLLs there, resulting in
arbitrary code execution WITH elevation of privilege.

See <http://seclists.org/fulldisclosure/2015/Dec/33>,
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
for more details.

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html> and
<https://capec.mitre.org/data/definitions/471.html> plus
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> for these
well-known and well-documented vulnerabilities.


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows
  setup which use the same "%TEMP%" for unprivileged and privileged
  processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-12-29    sent vulnerability report to vendor and german CERT
              at the BSI

              No reply, not even an acknowledgement of receipt

2017-01-03    german CERT contacts vendor, offering support and
              asking for vendors security officer

              No reply from vendor

2017-01-05    resent vulnerability report to vendor

              No reply, not even an acknowledgement of receipt

2017-01-13    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/