Putty 0.66 DLL Hijacking
Posted on 03 March 2016
Hi, putty-0.66-installer.exe loads and executes DWMAPI.dll or UXTheme.dll from its "application directory". For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If an attacker places one of the above named DLL in the user's "Downloads" directory (for example per "drive-by download" or "social engineering") this vulnerability becomes a remote code execution. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as DWMAPI.dll; 2. download putty-0.66-installer.exe and save it in your "Downloads" directory; 3. execute putty-0.66-installer.exe from your "Downloads" directory; 4. notice the message boxes displayed from the DLLs placed in step 1. PWNED! See <http://seclists.org/fulldisclosure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/32> plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error! stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2015-12-24 sent vulnerability report to author NO REPLY, not even an acknowledgement of receipt 2016-01-02 resent vulnerability report to author NO REPLY, not even an acknowledgement of receipt 2016-03-01 report published
