TinyPDF Installer DLL Hijacking / Unsafe Temp Directory
Posted on 04 January 2017
Hi @ll, the executable installer "InstallTinyPDF.exe", available from <http://tinypdf.com/downloads.html>, is (surprise.-) vulnerable: 1. DLL hijacking (this is well-known and well-documented; see <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> <https://capec.mitre.org/data/definitions/471.html>, <https://technet.microsoft.com/en-us/library/2269637.aspx>, <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and <https://msdn.microsoft.com/en-us/library/ms682586.aspx>) "InstallTinyPDF.exe" loads and executes UXTheme.dll and/or DWMAPI.dll from its "application directory" instead Windows' "system directory", resulting in arbitrary code execution". The "application directory" is typically the user's "Downloads" directory; see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html> and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> If UXTheme.dll or DWMAPI.dll get planted for example per "drive-by download" in the users "Downloads" directory this vulnerability becomes a remote code execution. 2. Unsafe TEMP directory (this is well-known and well-documented; see <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html>) "InstallTinyPDF.exe" creates a temporary (sub)directory "%TEMP%is-<random>.tmp" into which it extracts embedded DLLs (_ShFolder.dll [*], ...) and an embedded subinstaller (is-*.tmp) which it executes then ELEVATED, i.e. with administrative privileges. Since the temporary (sub)directory is unprotected (it inherits the NTFS ACL from its parent "%TEMP%") the extracted executables can be overwritten the between their creation and execution by the unprivileged user, resulting in arbitryry code execution with escalation of privilege. Additionally (really: of course) "%TEMP%is-<random>.tmpis*-tmp" is vulnerable to DLL hijacking too: it loads UXTheme.dll and/or DWMAPI.dll and some more DLLs from its "application directory" "%TEMP%is-<random>.tmp", which can be placed there by the unprivileged user, again resulting in arbitrary code execution with elevation of privilege. JFTR: InstallTinyPDF.exe is built using the crapware InnoSetup! Mitigations: ~~~~~~~~~~~~ * Don't use executable installers! NEVER! Don't use self-extractors! NEVER! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://home.arcor.de/skanthak/!execute.html> alias <https://skanthak.homepage.t-online.de/!execute.html> for more information. * Practice STRICT privilege separation: NEVER use the so-called "protected" administrator account(s) created during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". Fix: ~~~~ Write a windows-conformant .INF to install the printer driver (see <http://home.arcor.de/skanthak/download/TINYPDF.INF>), then use MakeCAT.exe to create a .CAT and SignTool.exe to sign it. See <https://msdn.microsoft.com/en-us/library/aa386967.aspx> and <https://msdn.microsoft.com/en-us/library/aa387764.aspx> plus <https://msdn.microsoft.com/en-us/library/ff551778.aspx> for the description of these development tools. With this TINYPDF.INF the printer driver can be installed via "Add Printer" as well as the following command lines: * "%SystemRoot%System32RunDLL32.exe" "%SystemRoot%System32PrintUI.dll",PrintUIEntry /if /f "<path>TINYPDF.INF" /m TinyPDF /r LPT3: (see <https://technet.microsoft.com/en-us/library/ee624057.aspx>) * DISM.exe /Image:<path> /Add-Driver /Driver:"<path>TINYPDF.INF" ... (see <https://technet.microsoft.com/en-us/library/dd744355.aspx>) * DPInst.exe ... which I but DON'T recommend! (see <https://msdn.microsoft.com/en-us/library/ms791049.aspx>) Even Windows' setup can import it automatically from $WinPEDriver$ into the driver store (see <https://technet.microsoft.com/en-us/library/cc766142.aspx>). JFTR: there is ABSOLUTELY no need for executable installers on Windows! DUMP THIS CRAP! stay tuned Stefan Kanthak [*] ShFolder.dll is cruft from the last millennium, it was used on Windows 9x without Internet Explorer 4; see <https://support.microsoft.com/en-us/kb/241733> Since Windows 2000 there is ABSOLUTELY no need to use this cruft! Timeline: ~~~~~~~~~ 2012-05-24 vulnerability report sent to vendor (yes, 2012-05-24!) no reply, not even an acknowledgement of receipt 2016-06-06 vulnerability report sent to vendor no reply, not even an acknowledgement of receipt 2017-01-02 report published
