Home / os / winmobile

WinImage DLL Hijacking

Posted on 02 February 2016

Hi @ll, the executable installer winima90.exe and previous versions available from <http://www.winimage.com> loads and executes CRTdll.dll, UXTheme.dll, RichEd32.dll and WindowsCodecs.dll from its "application directory". Self-extracting executables created with WinImage load and execute CRTdll.dll, UXTheme.dll and MPR.dll from their "application directory". For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If an attacker places the DLLs named above in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution. Due to the application manifest embedded in the executable installer which specifies "requireAdministrator" it is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://seclists.org/fulldisclosure/2015/Dec/121> Proof of concept (verified on Windows XP, Windows Vista, Windows 7, Windows Server 2008 [R2]; should work on newer versions too): 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save it as UXTheme.dll in your "Downloads" directory, then copy it as RichEd32.dll, WindowsCodecs.dll and MPR.dll; 2. download winima90.exe and save it in your "Downloads" directory; 3. run winima90.exe (or a self-extractor created with WinImage) from the "Downloads" directory; 4. notice the message boxes displayed from the DLLs placed in step 1. PWNED! 5. copy the downloaded UXTheme.dll as CRTdll.dll; 6. rerun winima90.exe or a self-extractor from the "Downloads" directory. DOSSED! This denial of service can easily be turned into an arbitrary code execution: just create a CRTdll.dll which exports all the symbols referenced by winima90.exe or the self-extractors and place it in the "Downloads" directory. For this well-known (trivial, easy to avoid, easy to detect and easy to fix) beginner's error see <https://capec.mitre.org/data/definitions/471.html>, <https://technet.microsoft.com/en-us/library/2269637.aspx>, <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and <https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>: | To ensure secure loading of libraries | * Use proper DLL search order. | * Always specify the fully qualified path when the library location is ~~~~~~ | constant. regards Stefan Kanthak Timeline: ~~~~~~~~~ 2016-01-12 report sent to vendor NO ANSWER, not even an acknowledgement of receipt 2016-01-21 report resent to vendor NO ANSWER, not even an acknowledgement of receipt 2016-01-30 report published

 

TOP