BugTraq
Executable installers are vulnerable^WEVIL (case 18): EMSISoft's installers allow arbitrary (remote) code execution and escalation of privilege Jan 07 2016 10:06AM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

EmsisoftAntiMalwareSetup.exe as well as
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe load and execute UXTheme.dll (plus
other DLLs like RichEd20.dll and RichEd32.dll) if these are found
in the directory they are started from (the "application directory"),
which Windows searches before the system directory.

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"
about this well-known and well-documented vulnerability.

If one of the DLLs named above gets planted in the user's "Downloads"
directory via "drive-by download" or "social engineering", this
vulnerability becomes a remote code execution.

Because the executables embed an application manifest that specifies
"requireAdministrator", or trigger the installer detection of
Windows' user account control (under Windows XP the installers
themselves request to be started with administrative privileges),
the installers run with administrative privileges: "protected"
administrators are prompted for consent, unprivileged standard users
are prompted for an administrator password. Execution of any
hijacked DLL therefore results in an escalation of privilege!

See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be
dumped.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
as UXTheme.dll in your "Downloads" directory, then copy it as
RichEd20.dll and RichEd32.dll;

2. download EmsisoftAntiMalwareSetup.exe or
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe and save them in your "Downloads"
directory;

3. execute EmsisoftAntiMalwareSetup.exe or
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
step 1.

PWNED!

Additionally the installers create unsafe temporary directories
%TEMP%\is-*.tmp (inside the user-writable %TEMP%) to unpack their
payload and execute it from there.

An unprivileged user can overwrite/modify the unpacked files between
their extraction and execution, or copy UXTheme.dll plus MSImg32.dll
(on Windows Vista and newer versions of Windows additionally
Version.dll) into %TEMP%\is-*.tmp: these DLLs are loaded by the
unpacked %TEMP%\is-*.tmp\Emsisoft*.tmp too, again with
administrative privileges.

PWNED again.

stay tuned
Stefan Kanthak

PS: I really LOVE (security) software with such trivial beginner's
errors. It's a tell-tale sign to stay away from such crapware!

Timeline:
~~~~~~~~~

2015-12-19 three reports sent to vendor

2015-12-21 vendor replies to one report:
"we ignore your report since we don't offer
EmsisoftHiJackFreeSetup.exe any more."

2015-12-21 OUCH!
<http://download2.emsisoft.com/EmsisoftHiJackFreeSetup.exe>

NO ANSWER, not even an acknowledgement of receipt
for the other two reports

2015-12-29 reports resent to vendor

NO ANSWER, not even an acknowledgement of receipt

2016-01-07 report published
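The check and the workaround a practitioner wants for the two vectors above (planted DLLs beside the installer in "Downloads", and the unpacked payload in %TEMP%\is-*.tmp), as an added PowerShell example that is not part of Stefan Kanthak's advisory. The DLL names are the ones the advisory lists; the paths (the user's Downloads folder, %TEMP%), the function names and the "start it from an empty directory" mitigation are the example's own assumptions.

```powershell
# Added example (not from the advisory): find hijackable DLLs beside an
# installer or in its unpacked temp dir, check who can write there, and
# start an installer from a fresh empty directory so nothing planted in
# "Downloads" sits in its application directory.

# DLL names taken from the advisory. Any file with one of these names next
# to the installer (or in %TEMP%\is-*.tmp) is loaded by the installer.
$HijackableDlls = @('UXTheme.dll', 'RichEd20.dll', 'RichEd32.dll',
                    'MSImg32.dll', 'Version.dll')

function Find-PlantedDll {
    param([Parameter(Mandatory)][string]$Directory)
    # Only files directly beside the executable matter; subdirectories do not.
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue |
        Where-Object { $HijackableDlls -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Test-WritableByUsers {
    param([Parameter(Mandatory)][string]$Directory)
    # True when a low-privilege principal may create files here, i.e. an
    # unprivileged user could plant a DLL that the elevated installer loads.
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $create  = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $create)) {
            return $true
        }
    }
    return $false
}

function Start-InstallerIsolated {
    param([Parameter(Mandatory)][string]$Installer)
    # Workaround for the application-directory vector only: copy the installer
    # alone into a brand-new directory and start it there, so no UXTheme.dll /
    # RichEd*.dll can sit beside it. The %TEMP%\is-*.tmp race is inside the
    # installer itself and is NOT fixed by this.
    $stage = Join-Path $env:TEMP ('install-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $stage | Out-Null
    $planted = Find-PlantedDll -Directory (Split-Path -Parent $Installer)
    if ($planted) {
        Write-Warning "Hijackable DLL(s) found beside $Installer (not copied):"
        $planted | Format-Table -AutoSize | Out-String | Write-Warning
    }
    $copy = Join-Path $stage (Split-Path -Leaf $Installer)
    Copy-Item -LiteralPath $Installer -Destination $copy
    Start-Process -FilePath $copy -WorkingDirectory $stage -Wait
}

# Usage (assumed paths): inspect the Downloads folder for planted DLLs ...
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Find-PlantedDll -Directory $downloads | Format-Table -AutoSize

# ... and, while an installer is running, the directories it unpacks into.
Get-ChildItem -Path $env:TEMP -Directory -Filter 'is-*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TempDir         = $_.FullName
            WritableByUsers = Test-WritableByUsers -Directory $_.FullName
            PlantedDlls     = (Find-PlantedDll -Directory $_.FullName | Measure-Object).Count
        }
    } | Format-Table -AutoSize

# Start-InstallerIsolated -Installer (Join-Path $downloads 'EmsisoftAntiMalwareSetup.exe')
```

Start-InstallerIsolated removes only the application-directory vector; the is-*.tmp race lives inside the installer and can only be fixed by the vendor (or avoided by not shipping an executable installer at all, as the advisory argues).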
