Part2: Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege

> On 23. februar 2016, 17:37:54, Stefan Kanthak wrote:
>
>> Proof of concept/demonstration:
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>[snip]
>> PWNED!
>
> Can't reproduce - tested on Windows XP SP3, Windows 7 x64 SP1 and
> Windows 10 x64 (10586.104), and I tested not only with
> gimp-2.8.16-setup-1.exe, but also with gimp-2.8.14-setup-1.exe and
> gimp-2.8.10-setup.exe - none of them triggered anything from
> sentinel.dll/uxtheme.dll.

UXTheme.dll is loaded when "visual styles" and/or "themes" are
DISABLED (which is the case in my test systems), either via GUI, via

[HKEY_CURRENT_USER\Software\
Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="0"

or via stopping/disabling the "themes" service:

NET.EXE Stop Themes
SC.EXE Config Themes Start= Disabled

With "visual styles" and/or "themes" ENABLED DWMAPI.dll is loaded
instead of UXTheme.dll.

Additionally WindowsCodecs.dll is loaded if the caller is a
protected administrator, independent of the "visual styles" or
"themes" settings.

So "step 1" of the PoC needs to be modified as follows (the addition
is underlined) to cover these situations/preconditions:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as UXTheme.dll in your "Downloads" directory, then copy it
   as DWMAPI.dll and WindowsCodecs.dll there;     ~~~~~~~~~~~~~~
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> This is what I expected - the way Inno Setup works, the downloaded
> executable installer has a stub which extracts the real installer to a
> subdirectory of %TEMP%, and runs it from there; the stub's UI is
> limited to a simple MessageBox call in case the extraction fails - it
> does not link to uxtheme.dll at all.

This is plain wrong: InnoSetup extracts a stub (with the filename of
the executable, but the extension changed to .tmp) to an UNSAFE
subdirectory of %TEMP% and executes it from there.
gimp-2.8.16-setup-1.tmp is just 1.189.488 bytes small.

After the successful start of the extracted stub the downloaded .EXE
displays a dialog asking for the UI language.
DWMAPI.dll or UXTheme.dll is loaded by the downloaded .EXE before
this dialog is displayed.

Only if the extraction of this stub or its start fails then none of
these DLLs is loaded.


stay tuned
Stefan Kanthak


PS: you can blame InnoSetup (or Windows) for this behavior of your
    executable installer. This but doesn't fix this vulnerability,
    and it keeps all your users at risk.

    You need to have both the DLL hijacking AND the unsafe temporary
    subdirectory fixed.
    Your best way for this is: dump InnoSetup, create a .MSI instead!