[FD] Executable installers are vulnerable^WEVIL (case 43): SoftMaker's Office service pack installers allow escalation of privilege
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [FD] Executable installers are vulnerable^WEVIL (case 43): SoftMaker's Office service pack installers allow escalation of privilege
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Sat, 31 Dec 2016 13:16:30 +0100
Hi @ll,
the service pack installers for SoftMaker Office 201x, available
from <http://www.softmaker.com/en/servicepacks-office-windows>,
are (surprise.-) vulnerable.
The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH),
creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract
its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".
"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent
"%TEMP%\", i.e. allows full access for the UNPRIVILEGED user.
For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
Due to the embedded application manifest, which specifies
"requireAdministrator", the executable installer can only be run
with administrative rights.
JFTR: if written properly, it would create a PROTECTED directory
"%TEMP%\7zSxxxxxxxx\", writable only for privileged users!
The UNPRIVILEGED user as well as any program running with the
user's credentials can modify the extracted files, for example
"%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with
administrative rights, resulting in arbitrary code execution
with elevation of privilege.
Additionally "spsetup.exe" is vulnerable to DLL hijacking,
another well-known vulnerability.
See <https://capec.mitre.org/data/definitions/471.html>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the
unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which
are loaded by "spsetup.exe", again resulting in arbitrary code
execution with elevation of privilege!
0. download <http://www.softmaker.net/down/ofw16_763.exe> and
save it in an arbitrary directory;
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
(see <http://home.arcor.de/skanthak/sentinel.html> alias
<https://skanthak.homepage.t-online.de/sentinel.html>) and
save it in an(other) arbitrary directory;
2. save the following batch script in the same directory as
--- OFW16_873.CMD ---
:WAIT
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
--- EOF ---
3. start the batch script;
4. execute ofw16_873.exe and notice the message boxes displayed;
5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
to the same directory as the batch script;
6. in the batch script replace the 3 lines Copy ... with
Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"
7. start the batch script;
8. execute ofw16_873.exe and notice the message box displayed.
* Don't use executable installers! NEVER!
Don't use self-extractors! NEVER!
See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup which use the same "%TEMP%" for unprivileged and privileged
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
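As an added example (not code from this post or from SoftMaker) of what the JFTR above and the ACE recommendation amount to in practice: an installer-side helper that creates its extraction directory with a protected DACL, a check that flags directories writable by the unprivileged user, and a decode of the recommended ACE. The function names are my own; it assumes Windows PowerShell 5.1 run from an elevated prompt.

```powershell
# Added example, not code from Stefan Kanthak's post or from SoftMaker.
# Assumes Windows PowerShell 5.1 (.NET Framework), run elevated.

function New-ProtectedTempDirectory {
    param([string]$Parent = $env:TEMP)
    # Protected DACL ("P": nothing is inherited from %TEMP%) that grants
    # full access only to SYSTEM and the Administrators group, inheritable
    # to everything extracted into it. Run elevated, the owner defaults to
    # Administrators, so the unprivileged user cannot rewrite the DACL either.
    $sddl = 'D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
    $sec  = New-Object System.Security.AccessControl.DirectorySecurity
    $sec.SetSecurityDescriptorSddlForm($sddl)
    $path = Join-Path $Parent ('setup-' + [guid]::NewGuid().ToString('N'))
    # Hand the DACL to CreateDirectory so the directory never exists with
    # the permissive inherited ACL, not even for an instant.
    [System.IO.Directory]::CreateDirectory($path, $sec) | Out-Null
    return $path
}

function Test-WritableByUnprivileged {
    # $true if an Allow ACE grants write/delete rights to Everyone,
    # Authenticated Users, Users, Guests or the current (unelevated) account.
    param([Parameter(Mandatory)][string]$Path)
    $lowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-546',
                 [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (($lowPriv -contains $sid) -and (($ace.FileSystemRights -band $write) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Compare a directory created the way the service pack installer does it
# (plain inheritance from %TEMP%) with one created as above.
$naive = Join-Path $env:TEMP ('7zS-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $naive | Out-Null
$safe  = New-ProtectedTempDirectory
'naive {0}: writable by unprivileged = {1}' -f $naive, (Test-WritableByUnprivileged $naive)
'safe  {0}: writable by unprivileged = {1}' -f $safe,  (Test-WritableByUnprivileged $safe)
Remove-Item -LiteralPath $naive, $safe -Recurse -Force

# The ACE recommended in the post, decoded with file-system right names.
ConvertFrom-SddlString -Sddl 'D:(D;OIIO;WP;;;WD)' -Type FileSystemRights
```

The check only looks at explicit allow bits, so an inherit-only ACE carrying generic rights (for example CREATOR OWNER's GA) is not flagged; extend $lowPriv and $write if your environment uses such ACEs.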
stay tuned
Stefan Kanthak
2016-12-15 sent vulnerability report to vendor
no reply, not even an acknowledgement of receipt
2016-12-23 resent vulnerability report to vendor, cc CERT at
German BSI
no reply, not even an acknowledgement of receipt
2016-12-27 CERT at German BSI contacts vendor offering help
no reply, not even an acknowledgement of receipt
2016-12-31 report published
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/