Full Disclosure mailing list archives

Executable installers are vulnerable^WEVIL (case 18): EMSISoft's installers allow arbitrary (remote) code execution and escalation of privilege

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Thu, 7 Jan 2016 11:06:43 +0100

Hi @ll,

EmsisoftAntiMalwareSetup.exe as well as EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and EmsisoftHiJackFreeSetup.exe load and execute UXTheme.dll (plus other DLLs like RichEd20.dll and RichEd32.dll) eventually found in the directory they are started from (the "application directory").

For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability.

If one of the DLLs named above gets planted in the user's "Downloads" directory per "drive-by download" or "social engineering", this vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executables which specifies "requireAdministrator", or the installer detection of Windows' user account control (under Windows XP the installers request to be started with administrative privileges by themselves), the installers are run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of any hijacked DLL results in an escalation of privilege!

See <http://seclists.org/fulldisclosure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/121> plus <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details and why executable installers (and self-extractors too) are bad and should be dumped.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as RichEd20.dll and RichEd32.dll;

2. download EmsisoftAntiMalwareSetup.exe respectively EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and EmsisoftHiJackFreeSetup.exe and save them in your "Downloads" directory;

3. execute EmsisoftAntiMalwareSetup.exe respectively EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and EmsisoftHiJackFreeSetup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!

Additionally the installers create unsafe temporary directories %TEMP%\is-*.tmp to unpack their payload and execute it from there. An unprivileged user can overwrite/modify these files between their extraction and execution, or copy UXTheme.dll plus MSImg32.dll, on Windows Vista and newer versions of Windows additionally Version.dll, into %TEMP%\is-*.tmp. These DLLs are loaded from the unpacked %TEMP%\is-*.tmp\Emsisoft*.tmp too.

PWNED again.

stay tuned
Stefan Kanthak

PS: I really LOVE (security) software with such trivial beginner's errors. It's a tell-tale sign to stay away from such crapware!

Timeline:
~~~~~~~~~

2015-12-19 three reports sent to vendor
2015-12-21 vendor replies to one report: "we ignore your report since we don't offer EmsisoftHiJackFreeSetup.exe any more."
2015-12-21 OUCH! <http://download2.emsisoft.com/EmsisoftHiJackFreeSetup.exe>
           NO ANSWER, not even an acknowledgement of receipt for the other two reports
2015-12-29 reports resent to vendor
           NO ANSWER, not even an acknowledgement of receipt
2016-01-07 report published
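An added defender-side check, not code from the advisory or from the vendor: the script below walks the user's "Downloads" directory and the %TEMP% tree (which includes the is-*.tmp directories mentioned above) for copies of the library names the advisory lists and reports their Authenticode signature status, so a planted UXTheme.dll or RichEd*.dll is found before an executable installer is started from one of those directories. The set of names and the two search roots are assumptions chosen for illustration.

```powershell
# Added defender check, not code from the advisory or from Emsisoft.
# Library names are those named in the advisory; the search roots are an assumption.
$PlantedNames = @('UXTheme.dll', 'RichEd20.dll', 'RichEd32.dll', 'MSImg32.dll', 'Version.dll')

function Get-DllFinding {
    param([Parameter(Mandatory)][string]$Path)
    # A genuine copy of these libraries is Microsoft-signed and lives in
    # %SystemRoot%\System32; any copy in a directory an installer is started
    # from or unpacks into is a finding regardless of its signature.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTime
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}

function Find-PlantedDlls {
    param(
        [string[]]$Roots = @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP)
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Include only filters with -Recurse; recursion also descends into %TEMP%\is-*.tmp
        Get-ChildItem -Path $root -Recurse -File -Include $PlantedNames -ErrorAction SilentlyContinue |
            ForEach-Object { Get-DllFinding -Path $_.FullName }
    }
}

Find-PlantedDlls | Format-Table -AutoSize
```

Run it as the user whose "Downloads" directory is in question; an empty table means none of the listed names is present in either search root.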