Hi @ll, the executable installers of SoftMaker's FlexiPDF, <http://www.softmaker.net/down/flexipdf2017.exe> and <http://www.softmaker.net/down/flexipdfbasic2017.exe>, built with the crapware known as "InnoSetup", are vulnerable to DLL hijacking: they load Windows DLLs from their "application directory" instead Windows' "system directory": on Windows 7 at least UXTheme.dll and DWMAPI.dll.
This well-known and well-documented vulnerability allows arbitrary code execution with the credentials of the current user. Additionally the executable installers create an unsafe directory "%TEMP%\is-*.tmp\" to extract an executable file "flexipdf2017.tmp" or "flexipdfbasic2017.tmp" which they execute with administrative privileges. Both "flexipdf2017.tmp" and "flexipdfbasic2017.tmp" load multiple Windows DLLs from their "application directory" "%TEMP%\is-*.tmp\": on Windows 7 at least MSImg32.dll, Version.dll, MPR.dll, UXTheme.dll, DWMAPI.dll "Thanks" to the unsafe and unprotected directory "%TEMP%\is-*.tmp\" an unprivileged attacker can place these DLLs there, resulting in arbitrary code execution WITH elevation of privilege. See <http://seclists.org/fulldisclosure/2015/Dec/33>, <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html> and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> for more details. See <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> and <https://capec.mitre.org/data/definitions/471.html> plus <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html> for these well-known and well-documented vulnerabilities. Mitigations: ~~~~~~~~~~~~ * Don't use executable installers! NEVER! Don't use self-extractors! NEVER! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://home.arcor.de/skanthak/!execute.html> alias <https://skanthak.homepage.t-online.de/!execute.html> for more information. * Practice STRICT privilege separation: NEVER use the so-called "protected" administrator account(s) created during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2016-12-29 sent vulnerability report to vendor and german CERT at the BSI No reply, not even an acknowledgement of receipt 2017-01-03 german CERT contacts vendor, offering support and asking for vendors security officer No reply from vendor 2017-01-05 resent vulnerability report to vendor No reply, not even an acknowledgement of receipt 2017-01-13 report published _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
