[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution



Can you elaborate a bit on what special treatment windows gives installeres
named setup.exe?

On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak AT nexgo.de> wrote:

> Hi @ll,
>
> the executable installers of "Pelle's C",
> <http://smorgasbordet.com/pellesc/800/setup64.exe> and,
> <http://smorgasbordet.com/pellesc/800/setup.exe>, available
> from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable
> to DLL hijacking: they load (tested on Windows 7) at least the
> following DLLs from their "application directory" instead Windows'
> "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
> RichEd20.dll and CryptBase.dll
>
> See <https://cwe.mitre.org/data/definitions/426.html>,
> <https://cwe.mitre.org/data/definitions/427.html>
> <https://capec.mitre.org/data/definitions/471.html>,
> <https://technet.microsoft.com/en-us/library/2269637.aspx>,
> <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
> <https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
> well-known and well-documented vulnerability^WBEGINNER'S ERROR!
>
>
> For programs downloaded from the internet the "application
> directory" is typically the user's "Downloads" directory; see
> <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-
> and-directory-poisoning.html>
> and <http://blog.acrossecurity.com/2012/02/downloads-folder-
> binary-planting.html>
>
>
> If one of the DLLs named above is placed in the users "Downloads"
> directory (for example per "drive-by download") this vulnerability
> becomes a remote code execution.
>
> JFTR: there is ABSOLUTELY no need for executable installers on
>       Windows! DUMP THIS CRAP!
>
> JFTR: naming a program "Setup.exe" is another beginner's error:
>       Windows' does some VERY special things when it encounters
>       this filename!
>
>
> Mitigations:
> ~~~~~~~~~~~~
>
> * Don't use executable installers! NEVER!
>   Don't use self-extractors! NEVER!
>
>   See <http://seclists.org/fulldisclosure/2015/Nov/101> and
>   <http://seclists.org/fulldisclosure/2015/Dec/86> plus
>   <http://home.arcor.de/skanthak/!execute.html> alias
>   <https://skanthak.homepage.t-online.de/!execute.html> for more
>   information.
>
> * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
>   use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
>   decode it to "deny execution of files in this directory for
>   everyone, inheritable to all files in all subdirectories".
>
>
> stay tuned
> Stefan Kanthak
>
>
> Timeline:
> ~~~~~~~~~
>
> 2017-01-05    sent vulnerability report to author
>
>               no reply, not even an acknowledgement of receipt
>
> 2017-01-13    resent vulnerability report to author
>
>               no reply, not even an acknowledgement of receipt
>
> 2017-01-21    report published
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/