AutoIT 3 DLL Hijacking
Posted on 17 May 2016
Hi, You probably heart about the Java issue which affected their installer. (http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html) However this issue also affects multiple other installers as a security researcher has shown. (https://packetstormsecurity.com/files/author/6137/) It is called DLL Hijacking. I've copied a few general statements from there as they also apply to this issue. Note I only tested this on Windows 7 32bit. All files were downloaded on 2016-02-15. So I just tried and tested the AutoIt Installer and the AutoIt3.exe. Here are my results. The latest AutoId3 Installer autoit-v3-setup.exe loads and executes (at least) these DLLs when they are placed in the application directory (which is usually the download folder): * VERSION.dll * CRYPTBASE.dll * SHFOLDER.DLL * ntmarta.dll * dwmapi.dll * SspiCli.dll * RichEd20.DLL Additional these files are copied to the temp directory: * %Temp% sm<4digits>.tmpUserInfo.dll * %Temp% sm<4digits>.tmpInstallOptions.dll * %Temp% sm<4digits>.tmpUserInfo.dll * %Temp% sm<4digits>.tmpSystem.dll Steps to reproduce: Here I just use on DLL as an example. 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store it as SHFOLDER.dll in your "Downloads" directory; 2. download autoit-v3-setup.exe and store it in your "Downloads" directory; 3. run autoit-v3-setup.exe from your "Downloads" directory; 4. notice the message boxes displayed from the DLLs placed in step 1. As you seem to use NSIS, please notice this: https://packetstormsecurity.com/files/134693/NSIS-DLL-Hijack.html What's more I also tested the AutoIt3.exe. As you seem to advertise this as a stand-alone application it may also be installed in a non-safe directory (where users without admin rights can write files to) and therefore it may be (mis)used with malicious DLLs. Additionally all executable files created with Aut2exe.exe are vulnerable as they also use this executable. Note that in my test I only started the AutoIt3.exe and let it run until it shows the "open file" dialog. At this point I cancelled the process, so I did not load any AU3 scripts. This is a list of all DLLs which are loaded and executed by AutoIt3 from the application directory: * WSOCK32.dll * VERSION.dll * WINMM.dll * MPR.dll * IPHLPAPI.DLL * WINNSI.DLL * UxTheme.dll * CRYPTBASE.dll * dwmapi.dll * WindowsCodecs.dll * apphelp.dll * CSCAPI.dll * srvcli.dll * slc.dll * MsftEdit.dll * msls31.dll * ntmarta.dll * XmlLite.dll * LINKINFO.dll * CRYPTSP.dll * RpcRtRemote.dll * SSPICLI.DLL * SHDOCVW.dll * ieframe.DLL * netutils.dll For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If an attacker places the DLLs named above in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution. Due to the application manifest embedded in the installers which specifies "requireAdministrator" the executable installer is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege! Additionally AU3 scripts can also requests administration rights and in this case they may also be used for a privilege escalation. More information about this issue can be found on this sites: * https://capec.mitre.org/data/definitions/471.html * https://technet.microsoft.com/en-us/library/2269637.aspx * https://msdn.microsoft.com/en-us/library/ff919712.aspx * https://msdn.microsoft.com/en-us/library/ms682586.aspx * http://seclists.org/fulldisclosure/2015/Nov/101 Best regards, <privat> ---- Timeline: * 2016-02-16: send (no reply) * 2016-03-29: reminder send; made aware of public disclosure at the 2016-05-16. * 2015-05-16: report published