Full Disclosure mailing list archives

By Date By Thread Executable installers/self-extractors are vulnerable^WEVIL (case 17): Kaspersky Labs utilities From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Sun, 3 Jan 2016 16:12:50 +0100

Hi @ll, quite some utilities offered for free by Kaspersky Lab load and execute rogue/bogus DLLs (UXTheme.dll, HNetCfg.dll, RichEd20.dll, RASAdHlp.dll, SetupAPI.dll, ClbCatQ.dll, XPSP2Res.dll, CryptNet.dll, OLEAcc.dll etc.) eventually found in the directory they are started from (the "application directory"). For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If one of the DLLs named above gets planted in the user's "Downloads" directory per "drive-by download" or "social engineering" this vulnerability becomes a remote code execution. Due to the application manifest embedded in some of the executables which specifies "requireAdministrator" or the installer detection of Windows' user account control theses installers/self-extractors are started with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of any hijacked DLL results in an escalation of privilege! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details and why executable installers (and self-extractors too) are bad and should be dumped. Kaspersky Lab published a security advisory 2015-12-23 <https://support.kaspersky.com/vulnerability.aspx?el=12430#231215> after they made updated versions of their utilities available on <https://support.kaspersky.com/viruses/utility> stay tuned Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Executable installers/self-extractors are vulnerable^WEVIL (case 17): Kaspersky Labs utilities Stefan Kanthak (Jan 05)