
Executable installers are vulnerable^WEVIL (case 18): EMSISoft's installers allow arbitrary (remote) code execution and escalation of privilege



Hi @ll,

EmsisoftAntiMalwareSetup.exe as well as
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
EmsisoftHiJackFreeSetup.exe load and execute UXTheme.dll (plus
other DLLs like RichEd20.dll and RichEd32.dll) if these are present
in the directory they are started from (the "application directory").

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"
about this well-known and well-documented vulnerability.


If one of the DLLs named above gets planted in the user's "Downloads"
directory via "drive-by download" or "social engineering", this
vulnerability becomes a remote code execution.


Due to the application manifest embedded in the executables, which
specifies "requireAdministrator", or the installer detection of
Windows' user account control (under Windows XP the installers
themselves request to be started with administrative privileges),
the installers run with administrative privileges ("protected"
administrators are prompted for consent, unprivileged standard users
are prompted for an administrator password); execution of any
hijacked DLL therefore results in an escalation of privilege!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be
dumped.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   RichEd20.dll and RichEd32.dll;

2. download EmsisoftAntiMalwareSetup.exe or, respectively,
   EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
   EmsisoftHiJackFreeSetup.exe and save them in your "Downloads"
   directory;

3. execute EmsisoftAntiMalwareSetup.exe or, respectively,
   EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and
   EmsisoftHiJackFreeSetup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


Additionally the installers create unsafe temporary directories
%TEMP%\is-*.tmp, unpack their payload there and execute it from there.

An unprivileged user can overwrite/modify these files between their
extraction and execution, or copy UXTheme.dll plus MSImg32.dll (on
Windows Vista and newer versions of Windows additionally Version.dll)
into %TEMP%\is-*.tmp: these DLLs are loaded by the unpacked
%TEMP%\is-*.tmp\Emsisoft*.tmp too.

PWNED again.
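As an added example (not part of this post), a small Python check a defender can run over a user's "Downloads" directory and %TEMP% to spot files carrying the DLL names this advisory says the installers resolve from those two locations; the directory paths and the sample tree it builds are assumptions, not real installer output.

```python
import fnmatch
import os
import tempfile

# DLL names the advisory says the installers resolve from the directory they are
# started from (for a browser download, typically the user's "Downloads" directory).
APPDIR_DLLS = ("UXTheme.dll", "RichEd20.dll", "RichEd32.dll")
# DLL names the advisory says are loaded by the unpacked %TEMP%\is-*.tmp\Emsisoft*.tmp.
TEMPDIR_DLLS = ("UXTheme.dll", "MSImg32.dll", "Version.dll")


def planted_dlls(directory, names):
    """Return full paths of files in `directory` whose names are in `names`.
    Windows resolves DLL names case-insensitively, so the comparison is too:
    a planted "uxtheme.DLL" hijacks a load of "UXTheme.dll" just as well."""
    wanted = {n.lower() for n in names}
    try:
        entries = os.listdir(directory)
    except (FileNotFoundError, NotADirectoryError):
        return []  # nothing to scan; a missing directory is not a finding
    return sorted(os.path.join(directory, e) for e in entries
                  if e.lower() in wanted and os.path.isfile(os.path.join(directory, e)))


def installer_temp_dirs(temp_root):
    """Return the is-*.tmp unpack directories below `temp_root` (the advisory's %TEMP%)."""
    try:
        entries = os.listdir(temp_root)
    except (FileNotFoundError, NotADirectoryError):
        return []
    return sorted(os.path.join(temp_root, e) for e in entries
                  if fnmatch.fnmatch(e.lower(), "is-*.tmp")
                  and os.path.isdir(os.path.join(temp_root, e)))


def audit(downloads_dir, temp_root):
    """Map each location the installers load DLLs from to the planted files found there."""
    report = {downloads_dir: planted_dlls(downloads_dir, APPDIR_DLLS)}
    for unpack_dir in installer_temp_dirs(temp_root):
        report[unpack_dir] = planted_dlls(unpack_dir, TEMPDIR_DLLS)
    return report


def demo():
    """Constructed sample tree (an assumption): a Downloads folder holding a planted
    uxtheme.DLL next to a harmless file, and one is-ABCD.tmp unpack dir under Temp."""
    root = tempfile.mkdtemp()
    downloads, temp_root = os.path.join(root, "Downloads"), os.path.join(root, "Temp")
    unpack = os.path.join(temp_root, "is-ABCD.tmp")
    os.makedirs(downloads)
    os.makedirs(unpack)
    for name in ("uxtheme.DLL", "harmless.txt"):
        open(os.path.join(downloads, name), "wb").close()
    open(os.path.join(unpack, "Version.dll"), "wb").close()
    return audit(downloads, temp_root)
```

Run `audit(<Downloads>, <%TEMP%>)` on a real machine; any non-empty list is a file a browser download or another local user should not have been able to place there.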


stay tuned
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
    errors. It's a tell-tale sign to stay away from such crapware!


Timeline:
~~~~~~~~~

2015-12-19    three reports sent to vendor

2015-12-21    vendor replies to one report:
              "we ignore your report since we don't offer
               EmsisoftHiJackFreeSetup.exe any more."

2015-12-21    OUCH!
              <http://download2.emsisoft.com/EmsisoftHiJackFreeSetup.exe>

              NO ANSWER, not even an acknowledgement of receipt
              for the other two reports

2015-12-29    reports resent to vendor

              NO ANSWER, not even an acknowledgement of receipt

2016-01-07    report published