BugTraq
Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody Nov 17 2016 04:46PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

in response to <http://seclists.org/fulldisclosure/2016/Jan/24>
EmsiSoft fixed some of the DLL hijacking vulnerabilities in some
of their executable installers and unpackers.

EmsisoftEmergencyKit.exe still has beginner's errors which allow
escalation of privilege for EVERY local user:

0. while the self-extracting WinRAR archive EmsisoftEmergencyKit.exe
doesn't load DLLs from its "application directory" any more, its
payload but shows this vulnerability!

1. due to "requireAdministrator" in its application manifest the
self-extractor runs with administrative rights, although it
neither needs them nor uses them.

2. it creates the directory "%SystemDrive%\EEK" and unpacks its
payload into it.

JFTR: since it runs with administrative rights the self-
extractor could create "%SystemDrive%\EEK" with an ACL
that only allows write-access for administrators, or
use "%ProgramFiles%\EmsiSoft\Emergency Kit" instead.

This directory inherits the ACL of its parent, %SystemDrive%,
which allows write access for unprivileged users; they can thus
modify all files extracted there or add files, for example a
"%SystemDrive%\EEK\Version.dll".

Also give NetAPI32.dll, NetUtils.dll, SrvCli.dll, WksCli.dll,
PropSys.dll, AppHelp.dll, NTMarta.dll, Secur32.dll, MPR.dll and
CSCAPI.dll a try.

3. the programs "%SystemDrive%\EEK\Start Commandline Scanner.exe"
and "%SystemDrive%\EEK\Start Emergency Kit Scanner.exe" have
"requireAdministrator" in their application manifests too: they
load and execute the DLLs named above from "%SystemDrive%\EEK"
with administrative rights.

4. the other programs extracted to "%SystemDrive%\EEK\bin32" and
"%SystemDrive%\EEK\bin64" are also run with administrative
rights.

5. of course the programs in "%SystemDrive%\EEK\bin32" and
"%SystemDrive%\EEK\bin64" load and execute DLLs from their
"application directory" (which is writable for everyone) too.

And one more:

6. the OpenSSL libraries shipped are from version 1.0.2d and have
multiple vulnerabilities which have been fixed in version 1.0.2j.

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-08-29 vulnerability report sent to vendor

2016-08-29 vendor acknowledges vulnerability, promises to update
at least the OpenSSL libraries, and asks the author of
WinRAR to add a directive to protect the created EEK
directory

2016-11-17 vendor fixed NOTHING in the past ELEVEN weeks, and
does not react any more -> report published
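The two points of the report that a defender can check and fix on their own machine are the inherited ACL on the extraction directory (item 2) and the ACL the elevated self-extractor could have set instead (the JFTR remark). The following PowerShell is an added example and is not code from the post, from EmsiSoft or from WinRAR; it assumes Windows PowerShell 5.1 or later, and the directory path "%SystemDrive%\EEK" is taken from the post.

```powershell
function Get-LowPrivWriteAccess {
    # Report Allow ACEs that grant write-class rights to principals every
    # local user belongs to: Everyone, Authenticated Users, BUILTIN\Users.
    # Such an ACE on a directory holding administrative programs lets any
    # user drop a DLL that those programs will load (the post's item 3).
    param([Parameter(Mandatory)][string]$Dir)
    $lowPriv   = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($lowPriv -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # $true: ACE came from the parent, e.g. %SystemDrive%
        }
    }
}

function New-AdminWritableDirectory {
    # What an installer running with administrative rights could do instead:
    # create the directory with inheritance cut off, so only Administrators
    # and SYSTEM may write while ordinary users keep read/execute.
    param([Parameter(Mandatory)][string]$Dir)
    $sec = New-Object System.Security.AccessControl.DirectorySecurity
    $sec.SetAccessRuleProtection($true, $false)   # do not inherit the parent's ACEs
    $inh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute')
    )
    foreach ($r in $rules) {
        $rights = [System.Security.AccessControl.FileSystemRights]$r[1]
        $sec.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($r[0], $rights, $inh, $prop, 'Allow'))
    }
    # Create, then apply the DACL. On .NET Framework the overload
    # [IO.Directory]::CreateDirectory($Dir, $sec) applies it atomically instead.
    $null = New-Item -ItemType Directory -Path $Dir -ErrorAction Stop
    Set-Acl -LiteralPath $Dir -AclObject $sec
}

# Usage: audit the directory the self-extractor created. Any row in the
# output is a principal every local user can act as, with write rights.
Get-LowPrivWriteAccess -Dir (Join-Path $env:SystemDrive 'EEK') | Format-Table -AutoSize
```

An empty result from the audit means no Everyone, Authenticated Users or Users ACE grants write, delete or permission-change rights on the directory itself; files already extracted into it inherit whatever was in effect at extraction time and need the same check.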
