[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege

To: <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege
From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
Date: Tue, 23 Feb 2016 17:37:54 +0100

Hi @ll,

the executable installer gimp-2.8.16-setup-1.exe (and of course
older versions too) available from <http://www.gimp.org/downloads/>
loads and executes UXTheme.dll from its "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
about this well-known and well-documented vulnerability.


If an attacker places UXtheme.dll in the users "Downloads"
directory (for example per drive-by download or social engineering)
this vulnerability becomes a remote code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as UXTheme.dll in your "Downloads" directory;

2. download gimp-2.8.16-setup-1.exe from <http://www.gimp.org/downloads/>
   and save it in your "Downloads" directory;

3. run gimp-2.8.16-setup-1.exe from the "Downloads" directory;

4. notice the message boxes displayed from UXTheme.dll placed in
   step 1.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/33> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!


Additionally the installer creates and uses an UNSAFE temporary
directory %TEMP%\is-<random>.temp\.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-01-29    sent vulnerability report

              NO REPLY, not even an acknowledgement of receipt

2016-02-11    resent vulnerability report

              NO REPLY, not even an acknowledgement of receipt

2016-02-23    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege
  - From: Jernej Simončič

Prev by Date: [FD] Various Linux Kernel USERNS Issues
Next by Date: Re: [FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege
Previous by thread: [FD] Various Linux Kernel USERNS Issues
Next by thread: Re: [FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege
Index(es):
- Date
- Thread