Home / os / winmobile

Avira Registry Cleaner DLL Hijacking

Posted on 19 December 2015

Hi @ll, avira_registry_cleaner_en.exe, available from <https://www.avira.com/en/download/product/avira-registry-cleaner> to clean up remnants the uninstallers of their snakeoil products fail to remove, is vulnerable: it loads and executes WTSAPI32.dll, UXTheme.dll and RichEd20.dll from its application directory (tested and verified under Windows XP SP3 and Windows 7 SP1). For software downloaded with a web browser this is typically the "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> Additionally see <https://blogs.msdn.microsoft.com/oldnewthing/20101111-00/?p=12303>: the above named DLLs are delay-loaded. You had been warned, kids! Due to the application manifest embedded in the executable which specifies "requireAdministrator" Windows' "user account control" runs it with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of WTSAPI32.dll, UXTheme.dll and/or RichEd20.dll thus results in an escalation of privilege! If WTSAPI32.dll, UXTheme.dll or RichEd20.dll gets planted in the users "Downloads" directory per "drive-by download" this vulnerability becomes a remote code execution WITH escalation of privilege. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as WTSAPI32.dll in your "Downloads" directory, then copy it as UXTheme.dll and RichEd20.dll; 2. download avira_registry_cleaner_en.exe from <https://www.avira.com/en/download/product/avira-registry-cleaner> and save it in your "Downloads" directory; 3. execute avira_registry_cleaner_en.exe from your "Downloads" directory; 4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll and/or RichEd20.dll placed in step 1. stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2015-11-15 vulnerability report sent to vendor 2015-11-16 vendor acknowledges receipt 2015-11-17 vendor verifies vulnerability report and anounces to publish a fix within two weeks 2015-11-18 asked vendor to request a CVE identifier and check their other executable (un)installers too 2015-11-19 vendor replies: "We updated our compiler and its runtime to a version which should mitigate the attack vector and modified the DLL load order" 2015-12-08 notification from vendor: "We released a fixed version today" 2015-12-08 your "fixed" cleaner still loads the named DLLs 2015-12-09 response from vendor, asking how I verified execution of UXTheme.dll, with screenshot of "Process Monitor" showing the tell-tale line "C:Users...DownloadsCRYPTBASE.dll NAME NOT FOUND" 2015-12-09 see <http://seclists.org/fulldisclosure/2015/Nov/101> sent SAFER.log produced on Windows XP and Windows 7 to vendor; also told them to look at the screenshot! 2015-12-17 response from vendor: "We don't see a vulnerability in the attempt to load CRYPTBASE.dll from the application directory as shown by Process Monitor. We think we fixed the reported vulnerabilities and will not provide another fix." OUCH! I really LOVE snakeoil vendors who DON'T care about the safety and security of their customers. 2015-12-18 report published

 

TOP