
Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody



Hi @ll,

in response to <http://seclists.org/fulldisclosure/2016/Jan/24>
EmsiSoft fixed some of the DLL hijacking vulnerabilities in some
of their executable installers and unpackers.

EmsisoftEmergencyKit.exe still has beginner's errors which allow
escalation of privilege for EVERY local user:

0. while the self-extracting WinRAR archive EmsisoftEmergencyKit.exe
   doesn't load DLLs from its "application directory" any more, its
   payload still shows this vulnerability!

1. due to "requireAdministrator" in its application manifest the
   self-extractor runs with administrative rights, although it
   neither needs them nor uses them.

2. it creates the directory "%SystemDrive%\EEK" and unpacks its
   payload into it.

   JFTR: since it runs with administrative rights the self-
         extractor could create "%SystemDrive%\EEK" with an ACL
         that only allows write-access for administrators, or
         use "%ProgramFiles%\EmsiSoft\Emergency Kit" instead.

   This directory inherits the ACL of its parent, %SystemDrive%,
   which allows write access for unprivileged users; they can thus
   modify all files extracted there or add files, for example a
   "%SystemDrive%\EEK\Version.dll".

   Also give NetAPI32.dll, NetUtils.dll, SrvCli.dll, WksCli.dll,
   PropSys.dll, AppHelp.dll, NTMarta.dll, Secur32.dll, MPR.dll and
   CSCAPI.dll a try.

3. the programs "%SystemDrive%\EEK\Start Commandline Scanner.exe"
   and "%SystemDrive%\EEK\Start Emergency Kit Scanner.exe" have
   "requireAdministrator" in their application manifests too: they
   load and execute the DLLs named above from "%SystemDrive%\EEK"
   with administrative rights.

4. the other programs extracted to "%SystemDrive%\EEK\bin32" and
   "%SystemDrive%\EEK\bin64" are also run with administrative
   rights.

5. of course the programs in "%SystemDrive%\EEK\bin32" and
   "%SystemDrive%\EEK\bin64" load and execute DLLs from their
   "application directory" (which is writable for everyone) too.

And one more:

6. the OpenSSL libraries shipped are from version 1.0.2d and have
   multiple vulnerabilities which have been fixed in version 1.0.2j.
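The two halves of points 2 and 3, checking whether a directory created under %SystemDrive% is writable by unprivileged users, and creating it the way the JFTR suggests (write access only for administrators), as an added PowerShell example that is not part of the advisory and not EmsiSoft's or WinRAR's code. It assumes the path names from the advisory, the well-known Windows SIDs for Everyone, Authenticated Users, Users, INTERACTIVE, SYSTEM and Administrators, and an elevated shell for the second function; the fix-up function name and the "read and execute only for Users" policy are this example's choices, not anything the vendor ships.

```powershell
# Added example, not from the advisory: audit a directory for write access by
# non-administrative principals, and create a directory with an admin-only DACL.

# Well-known SIDs for the low-privilege principals an inherited ACL from
# %SystemDrive% typically grants rights to (assumed list, extend as needed).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

function Get-NonAdminWriteAccess {
    # Returns one object per Allow ACE that lets a low-privilege principal
    # plant, replace or delete files in $Path, e.g. a Version.dll next to
    # "Start Emergency Kit Scanner.exe".
    param([Parameter(Mandatory)][string]$Path)

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Specific rights that allow creating/replacing files or rewriting the ACL
    $writeRights = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                         $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
                         $fsr::TakeOwnership)
    # Generic rights bits (GENERIC_ALL, GENERIC_WRITE) are not members of the
    # enum but do appear in some ACEs; treat them as write access too.
    $genericWrite = 0x10000000 -bor 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($LowPrivSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeRights) -eq 0) -and
            (($rights -band $genericWrite) -eq 0)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited    # $true here means "came from %SystemDrive%"
        }
    }
}

function New-AdminOnlyDirectory {
    # Creates $Path with an explicit, non-inheriting DACL in a single call, so
    # there is no window in which the directory exists with the parent's
    # permissive ACL. Must run elevated. Hypothetical helper, not vendor code.
    param([Parameter(Mandatory)][string]$Path)

    $dirSec = New-Object System.Security.AccessControl.DirectorySecurity
    $dirSec.SetAccessRuleProtection($true, $false)   # do not inherit from %SystemDrive%
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    $rules = @(
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl'    },  # NT AUTHORITY\SYSTEM
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl'    },  # BUILTIN\Administrators
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute' }   # BUILTIN\Users: run, but not write
    )
    foreach ($r in $rules) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($r.Sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $id, [System.Security.AccessControl.FileSystemRights]$r.Rights,
                    $inherit, $prop, 'Allow')
        $dirSec.AddAccessRule($rule)
    }
    # Owner = Administrators, otherwise the creating account keeps implicit
    # WRITE_DAC/READ_CONTROL as owner and could loosen the ACL again.
    $dirSec.SetOwner((New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')))

    $di = New-Object System.IO.DirectoryInfo($Path)
    if ($PSVersionTable.PSEdition -eq 'Core') {
        [System.IO.FileSystemAclExtensions]::Create($di, $dirSec)   # PowerShell 7
    } else {
        $di.Create($dirSec)                                         # Windows PowerShell 5.1
    }
    Get-Acl -LiteralPath $Path | Format-List Path, Owner, AccessToString
}

# Usage (paths from the advisory): an empty result from the first call is what
# you want; on a default Windows install the EEK directory will instead report
# Authenticated Users / Users with inherited Modify or AppendData rights.
Get-NonAdminWriteAccess -Path "$env:SystemDrive\EEK"
Get-NonAdminWriteAccess -Path "$env:SystemDrive\EEK\bin64"
# New-AdminOnlyDirectory -Path "$env:ProgramFiles\EmsiSoft\Emergency Kit"
```

Run the audit as a standard user too: if it shows no hits but a non-admin can still `Copy-Item` a DLL into the directory, an ACE for a group not in `$LowPrivSids` (a custom group, or a domain group the user belongs to) is granting the access, and the list needs extending for that machine.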


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-29    vulnerability report sent to vendor

2016-08-29    vendor acknowledges vulnerability, promises to update
              at least the OpenSSL libraries, and to ask the author of
              WinRAR to add a directive to protect the created EEK
              directory

2016-11-17    vendor fixed NOTHING in the past ELEVEN weeks, and
              does not react any more -> report published