the executable installers of "Pelle's C",
<http://smorgasbordet.com/
<http://smorgasbordet.com/
from <http://smorgasbordet.com/
to DLL hijacking: they load (tested on Windows 7) at least the
following DLLs from their "application directory" instead of Windows'
"system directory": Version.dll, MSI.dll, UXTheme.dll, DWMAPI.dll,
RichEd20.dll and CryptBase.dll.
See <https://cwe.mitre.org/data/
<https://cwe.mitre.org/data/
<https://capec.mitre.org/data/
<https://technet.microsoft.
<https://msdn.microsoft.com/
<https://msdn.microsoft.com/
well-known and well-documented vulnerability^WBEGINNER'S ERROR!
For programs downloaded from the internet the "application
directory" is typically the user's "Downloads" directory; see
<https://insights.sei.cmu.edu/
and <http://blog.acrossecurity.
If one of the DLLs named above is placed in the user's "Downloads"
directory (for example per "drive-by download") this vulnerability
becomes a remote code execution.
JFTR: there is ABSOLUTELY no need for executable installers on
Windows! DUMP THIS CRAP!
JFTR: naming a program "Setup.exe" is another beginner's error:
Windows does some VERY special things when it encounters
this filename!
Mitigations:
~~~~~~~~~~~~
* Don't use executable installers! NEVER!
Don't use self-extractors! NEVER!
See <http://seclists.org/
<http://seclists.org/
<http://home.arcor.de/
<https://skanthak.homepage.t-
information.
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
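The following PowerShell script is an added example (not part of the
original advisory, not code from Stefan Kanthak or from Pelle's C) that
applies the second mitigation: it adds the deny-execute ACE
"(D;OIIO;WP;;;WD)" to the user's profile directory via the .NET
FileSystemAccessRule API instead of editing SDDL by hand, then reads the
DACL back to confirm the ACE is present. It assumes the script runs as the
user who owns "%USERPROFILE%" (so Set-Acl is permitted) and that the
function names and the use of $env:USERPROFILE are this example's own
choices. In SDDL terms: D = deny, OI = object (file) inherit, IO = inherit
only, WP = FILE_EXECUTE (0x20), WD = Everyone (S-1-1-0).

```powershell
# Added example: deny "Everyone" execute access to all files below a
# directory (default: %USERPROFILE%), which includes "Downloads".
# The ACE is OI+IO, so it is not effective on the directory itself,
# is inherited by every file, and is carried (inherit-only) into every
# subdirectory, matching "(D;OIIO;WP;;;WD)".

function New-DenyExecuteRule {
    # S-1-1-0 is the well-known SID for "Everyone" (SDDL alias WD).
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,   # WP / 0x20
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit, # OI
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,   # IO
        [System.Security.AccessControl.AccessControlType]::Deny)         # D
}

function Test-DenyExecuteAce {
    param([string]$Path = $env:USERPROFILE)
    # Exact SDDL fragment from the advisory; "-match" needs the
    # parentheses and semicolons escaped.
    $sddl = (Get-Acl -Path $Path).Sddl
    return $sddl -match '\(D;OIIO;WP;;;WD\)'
}

function Add-DenyExecuteAce {
    param([string]$Path = $env:USERPROFILE)
    if (Test-DenyExecuteAce -Path $Path) {
        Write-Host "ACE already present on $Path"
        return
    }
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-DenyExecuteRule))
    Set-Acl -Path $Path -AclObject $acl

    if (-not (Test-DenyExecuteAce -Path $Path)) {
        throw "ACE (D;OIIO;WP;;;WD) not found on $Path after Set-Acl"
    }
    Write-Host "Added (D;OIIO;WP;;;WD) to $Path"
}

# Usage: apply to the current user's profile and show the resulting DACL.
Add-DenyExecuteAce
(Get-Acl -Path $env:USERPROFILE).Sddl
```

After this ACE is in place, an installer or a planted DLL sitting in
"Downloads" can still be read and copied, but CreateProcess/LoadLibrary on
it fails with "access denied"; to run a legitimately downloaded program,
move it to a directory that does not inherit the ACE (e.g. "%ProgramFiles%"
after verification). Deny ACEs are evaluated before allow ACEs, so the
order in which Windows places the entry does not weaken it.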
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2017-01-05 sent vulnerability report to author
no reply, not even an acknowledgement of receipt
2017-01-13 resent vulnerability report to author
no reply, not even an acknowledgement of receipt
2017-01-21 report published