[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Executable installers are vulnerable^WEVIL (case 14): Rapid7's ScanNowUPnP.exe allows arbitrary (remote) code execution
- To: <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Executable installers are vulnerable^WEVIL (case 14): Rapid7's ScanNowUPnP.exe allows arbitrary (remote) code execution
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Tue, 22 Dec 2015 00:52:16 +0100
Hi @ll,
the executable installer [°]['] (rather: the 7-Zip based executable
self-extractor [²]) of Rapid7's (better known for their flagship
Metasploit) ScanNowUPnP.exe loads and executes several rogue/bogus
DLLs eventually found in the directory it is started from (the
"application directory"), commonly known as "DLL hijacking".
For software downloaded with a web browser the application directory
is typically the "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>
See the comprehensive write-up on Rapid7's community blog:
<https://community.rapid7.com/community/infosec/blog/2015/12/21/scannow-dll-search-order-hijacking-vulnerability-and-deprecation>
Especially note that Rapid7 removed the now deprecated ScanNowUPnP.exe
and advises all users to remove it from any system that still has it.
stay tuned
Stefan Kanthak
[°] <http://seclists.org/fulldisclosure/2015/Nov/101>
['] <http://seclists.org/bugtraq/2015/Dec/112>
[²] <http://seclists.org/bugtraq/2015/Dec/61>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/