"Jernej Simončič" <jernej|s...@eternallybored.org> wrote:
> On 23. februar 2016, 17:37:54, Stefan Kanthak wrote: > >> Proof of concept/demonstration: >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >[snip] >> PWNED! > > Can't reproduce - tested on Windows XP SP3, Windows 7 x64 SP1 and > Windows 10 x64 (10586.104), and I tested not only with > gimp-2.8.16-setup-1.exe, but also with gimp-2.8.14-setup-1.exe and > gimp-2.8.10-setup.exe - none of them triggered anything from > sentinel.dll/uxtheme.dll. UXTheme.dll is loaded when "visual styles" and/or "themes" are DISABLED (which is the case in my test systems), either via GUI, via [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager] "ThemeActive"="0" or via stopping/disabling the "themes" service: NET.EXE Stop Themes SC.EXE Config Themes Start= Disabled With "visual styles" and/or "themes" ENABLED DWMAPI.dll is loaded instead of UXTheme.dll. Additionally WindowsCodecs.dll is loaded if the caller is a protected administrator, independent of the "visual styles" or "themes" settings. So "step 1" of the PoC needs to be modified as follows (the addition is underlined) to cover these situations/preconditions: 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save it as UXTheme.dll in your "Downloads" directory, then copy it as DWMAPI.dll and WindowsCodecs.dll there; ~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > This is what I expected - the way Inno Setup works, the downloaded > executable installer has a stub which extracts the real installer to a > subdirectory of %TEMP%, and runs it from there; the stub's UI is > limited to a simple MessageBox call in case the extraction fails - it > does not link to uxtheme.dll at all. This is plain wrong: InnoSetup extracts a stub (with the filename of the executable, but the extension changed to .tmp) to an UNSAFE subdirectory of %TEMP% and executes it from there. gimp-2.8.16-setup-1.tmp is just 1.189.488 bytes small. After the successful start of the extracted stub the downloaded .EXE displays a dialog asking for the UI language. DWMAPI.dll or UXTheme.dll is loaded by the downloaded .EXE before this dialog is displayed. Only if the extraction of this stub or its start fails then none of these DLLs is loaded. stay tuned Stefan Kanthak PS: you can blame InnoSetup (or Windows) for this behavior of your executable installer. This but doesn't fix this vulnerability, and it keeps all your users at risk. You need to have both the DLL hijacking AND the unsafe temporary subdirectory fixed. Your best way for this is: dump InnoSetup, create a .MSI instead!
