[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution
"Ding Dong" <dingdongloop AT gmail.com> wrote:
Please stop top posting and full quotes!
> Can you elaborate a bit on what special treatment windows gives installeres
> named setup.exe?
Run "NTSD.exe setup.exe" and see which DLLs Windows loads, and how
they are loaded.
Rename setup.exe to something.exe, run "NTSD.exe something.exe" and
compare the results.
JFTR: NTSD.exe was shipped with Windows NT5.x; in newer versions you
have to install the debugging tools.
If you want to run without debugger: take a look at
was referred in <http://seclists.org/bugtraq/2016/Jan/105>
In short: setup.exe lets Windows load some app-compat shims.
> On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak AT nexgo.de> wrote:
>> Hi @ll,
>> the executable installers of "Pelle's C",
>> <http://smorgasbordet.com/pellesc/800/setup64.exe> and,
>> <http://smorgasbordet.com/pellesc/800/setup.exe>, available
>> from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable
>> to DLL hijacking: they load (tested on Windows 7) at least the
>> following DLLs from their "application directory" instead Windows'
>> "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
>> RichEd20.dll and CryptBase.dll
>> JFTR: there is ABSOLUTELY no need for executable installers on
>> Windows! DUMP THIS CRAP!
>> JFTR: naming a program "Setup.exe" is another beginner's error:
>> Windows' does some VERY special things when it encounters
>> this filename!
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/