ClamWin 0.99 DLL Hijacking

ClamWin 0.99 DLL Hijacking: Posted Mar 7, 2016; Authored by Stefan Kanthak; ClamWin version 0.99 suffers from a DLL hijacking vulnerability.; tags | exploit; systems | windows; SHA-256 | b2be3253bb37ef5ad3a81cc596f0eb316ab73089f786a5ac15cca8b8d5244edb; Download | Favorite | View

ClamWin 0.99 DLL Hijacking

Hi @ll,

the executable installer clamwin-0.99-setup.exe (available from
<http://www.clamwin.com/download>) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places one of the above named DLL in the user's
"Downloads" directory (for example per "drive-by download"
or "social engineering") this vulnerability becomes a remote
code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   DWMAPI.dll;

2. download clamwin-0.99-setup.exe and save it in your "Downloads"
   directory;

3. execute clamwin-0.99-setup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!  


stay tuned
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
    errors. It's a tell-tale sign to stay away from this snakeoil!


Timeline:
~~~~~~~~~

2016-03-06    sent vulnerability report to authors

<security@clamwin.com>: host aspmx.l.google.com[64.233.184.26] said: 550-5.1.1
    The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
    https://support.google.com/mail/answer/6596 y186si9894139wmy.43 - gsmtp (in
    reply to RCPT TO command)

<clamwin@sf.net>: host mx.sourceforge.net[216.34.181.68] said: 550 unknown user
    (in reply to RCPT TO command)

2016-03-06    report published

Top Authors In Last 30 Days

Red Hat 332 files
Ubuntu 53 files
Gentoo 32 files
Debian 22 files
Apple 9 files
malvuln 6 files
nu11secur1ty 5 files
Adam Gowdiak 4 files
Jann Horn 4 files
Ahmet Umit Bayram 4 files

File Archives

Systems

AIX (429)
Apple (2,088)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,044)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,776)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,910)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,514)
UNIX (9,404)
UnixWare (187)
Windows (6,660)
Other

ClamWin 0.99 DLL Hijacking

ClamWin 0.99 DLL Hijacking

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ClamWin 0.99 DLL Hijacking

Share This

ClamWin 0.99 DLL Hijacking

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems