HackDig : Dig high-quality web security articles for hacker

Executable installers are vulnerable^WEVIL (case 52): escalation of privilege with Microsoft's .NET Framework insta

2017-06-30 05:06
Hi @ll,

the executable installers for .NET Framework 4.7 (released about
2 months ago)

* NDP47-KB3186500-Web.exe,
Microsoft .NET Framework 4.7 (Web Installer) for Windows 7 SP1 etc.,
available from <https://www.microsoft.com/en-us/download/details.aspx?id=55170>,

* NDP47-KB3186497-x86-x64-AllOS-ENU.exe,
Microsoft .NET Framework 4.7 (Offline Installer) for Windows 7 SP1 etc.,
available from <https://www.microsoft.com/en-us/download/details.aspx?id=55167>,

* NDP47-KB3186497-x86-x64-AllOS-DEU.exe,
Microsoft .NET Framework 4.7 Sprachpaket (Offlineinstaller) für Windows 7 SP1 etc,
available from <https://www.microsoft.com/de-de/download/details.aspx?id=55169>,

* NDP47-DevPack-KB3186612-ENU.exe,
Microsoft .NET Framework 4.7 Developer Pack and Language Packs for Windows 7 SP1 etc.,
available from <https://www.microsoft.com/en-US/download/details.aspx?id=55168>,

are vulnerable: they allow arbitrary code execution via DLL hijacking,
resulting in escalation of privilege.

On a fully patched Windows 7 SP1 (which has a market share around 50%)
NDP47-KB3186500-Web.exe, NDP47-KB3186497-x86-x64-AllOS-ENU.exe and
ALL language packs NDP47-KB3186497-x86-x64-AllOS-???.exe load at
least the following DLLs from their application directory (typically
%USERPROFILE%Downloads) instead Windows' system directory
%SystemRoot%System32 and execute their DllMain() routine:
Cabinet.dll, Version.dll, CryptDll.dll, CryptSP.dll, NTMARTA.dll,
UXTheme.dll, DWMAPI.dll

NDP47-DevPack-KB3186612-ENU.exe loads least the following DLLs from its
application directory (typically %USERPROFILE%Downloads) instead
Windows' system directory %SystemRoot%System32 and executes their
DllMain() routine:
Cabinet.dll, MSI.dll, Version.dll, SPP.dll, VSSAPI.dll, ATL.dll,
VSSTrace.dll, NTMARTA.dll, UXTheme.dll, DWMAPI.dll, CryptSP.dll,

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
well-known beginner's error.

See <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
for more information.

JFTR: it's a shame that these installers, built 2017-04-22, still
show this 20+ year old beginner's error!

For NDP47-KB3186500-Web.exe and NDP47-KB3186497-x86-x64-AllOS-???.exe
this results thanks to their embedded application manifest which
specifies "requireAdministrator" in escalation of privilege.

NDP47-DevPack-KB3186612-ENU.exe achieves the escalation of privilege
with a call of itself via "RunAs".

Proof of concept/demonstration:

1. download <https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it as UXTheme.dll in your "Downloads" directory;

2. copy the downloaded UXTheme.dll as Version.dll, Cabinet.dll etc.
(see the list of DLL names above);

3. download


and save them in your "Downloads" directory;

4. run the downloaded NDP47-*.exe and notice the message boxes displayed
from the DLLs: PWNED!

Mitigation & detection:

* NEVER run executable installers from your "Downloads" directory;

* dump/avoid executable installers, use *.MSI instead!

* stay FAR away from software written by sloppy coders who don't
know their target platform, and ignore their own companies

* see <https://support.microsoft.com/en-us/kb/2533623>,
<https://technet.microsoft.com/en-us/security/2269637> and

* also see <https://skanthak.homepage.t-online.de/verifier.html>
and <https://skanthak.homepage.t-online.de/!execute.html>

* dump .NET Framework alltogether!

stay tuned
Stefan Kanthak


2017-06-13 vulnerability report sent to vendor

2017-06-13 reply from vendor:
"MSRC case 39179 opened"

2017-06-21 reply from vendor:
"We have investigated the issue and determined it does not
warrant an explicit fix for down level products. [...]
Loading binaries from the application directory is a by
design functionality of the Windows library search order

2017-06-21 OUCH!
The "application directory" can be removed from the library
search path since Windows Vista and the update KB2533623!
See <https://msdn.microsoft.com/en-us/library/hh310515.aspx>
or <https://msdn.microsoft.com/en-us/library/ms684179.aspx>.
Which DLLs do the installers need or expect to load from
their "application directory"?

2017-06-28 no reply from vendor since 7 days, report published

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: 43/nuJ/7102/erusolcsidlluf/gro.stsilces

Read:138 | Comments:0 | Tags:No Tag

“Executable installers are vulnerable^WEVIL (case 52): escalation of privilege with Microsoft's .NET Framework insta”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud