[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution



"Ding Dong" <dingdongloop AT gmail.com> wrote:

Please stop top posting and full quotes!

> Can you elaborate a bit on what special treatment windows gives installeres
> named setup.exe?

Run "NTSD.exe setup.exe" and see which DLLs Windows loads, and how
they are loaded.
Rename setup.exe to something.exe, run "NTSD.exe something.exe" and
compare the results.

JFTR: NTSD.exe was shipped with Windows NT5.x; in newer versions you
      have to install the debugging tools.

If you want to run without debugger: take a look at
<http://home.arcor.de/skanthak/verifier.html> alias
<https://skanthak.homepage.t-online.de/verifier.html>

JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
      was referred in <http://seclists.org/bugtraq/2016/Jan/105>

In short: setup.exe lets Windows load some app-compat shims.

stay tuned
Stefan

> On 21 January 2017 at 20:37, Stefan Kanthak <stefan.kanthak AT nexgo.de> wrote:
> 
>> Hi @ll,
>>
>> the executable installers of "Pelle's C",
>> <http://smorgasbordet.com/pellesc/800/setup64.exe> and,
>> <http://smorgasbordet.com/pellesc/800/setup.exe>, available
>> from <http://smorgasbordet.com/pellesc/index.htm>, are vulnerable
>> to DLL hijacking: they load (tested on Windows 7) at least the
>> following DLLs from their "application directory" instead Windows'
>> "system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
>> RichEd20.dll and CryptBase.dll

[snip]

>> JFTR: there is ABSOLUTELY no need for executable installers on
>>       Windows! DUMP THIS CRAP!
>>
>> JFTR: naming a program "Setup.exe" is another beginner's error:
>>       Windows' does some VERY special things when it encounters
>>       this filename!

[snip]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/