
Avira Registry Cleaner DLL Hijacking

Posted Dec 18, 2015
Authored by Stefan Kanthak

Avira Registry Cleaner suffers from a local DLL hijacking vulnerability.

tags | exploit, local, registry
systems | windows
SHA-256 | 25dbcc7db394b17559de2ca3d0756be3cb74f12b5d2bde975cdaeb1e15c10f9d

Hi @ll,

avira_registry_cleaner_en.exe, available from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
to clean up remnants the uninstallers of their snakeoil products
fail to remove, is vulnerable: it loads and executes WTSAPI32.dll,
UXTheme.dll and RichEd20.dll from its application directory
(tested and verified under Windows XP SP3 and Windows 7 SP1).


For software downloaded with a web browser this is typically the
"Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>.

Additionally see
<https://blogs.msdn.microsoft.com/oldnewthing/20101111-00/?p=12303>:
the above named DLLs are delay-loaded.
You had been warned, kids!


Due to the application manifest embedded in the executable, which
specifies "requireAdministrator", Windows' "user account control"
runs it with administrative privileges ("protected" administrators
are prompted for consent, unprivileged standard users are prompted
for an administrator password); execution of WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll thus results in an escalation of privilege!

If WTSAPI32.dll, UXTheme.dll or RichEd20.dll gets planted in the
user's "Downloads" directory via "drive-by download", this
vulnerability becomes a remote code execution WITH escalation of
privilege.
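The tell-tale sign of this class of bug is the one quoted from Process Monitor in the timeline below: the executable probing for a DLL in its own (user-writable) directory before falling back to System32, or actually mapping a DLL from there. The following is an added example, not part of Stefan Kanthak's advisory or of any Avira code, that parses a Process Monitor CSV export and flags both cases for processes running out of a user-writable directory. The CSV rows, the process names, PIDs, user name and paths are constructed for the example; the column layout is Process Monitor's default CSV export.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV).
# Rows, PIDs, user name and timestamps are made up for this example; only
# the column layout follows Process Monitor's default export.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","avira_registry_cleaner_en.exe","4242","Load Image","C:\\Users\\alice\\Downloads\\avira_registry_cleaner_en.exe","SUCCESS","Image Base: 0x400000"
"10:01:02.2","avira_registry_cleaner_en.exe","4242","CreateFile","C:\\Users\\alice\\Downloads\\CRYPTBASE.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","avira_registry_cleaner_en.exe","4242","CreateFile","C:\\Windows\\System32\\CRYPTBASE.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.4","avira_registry_cleaner_en.exe","4242","Load Image","C:\\Users\\alice\\Downloads\\WTSAPI32.dll","SUCCESS","Image Base: 0x10000000"
"10:01:03.0","notepad.exe","1337","Load Image","C:\\Windows\\System32\\uxtheme.dll","SUCCESS","Image Base: 0x7ff80000"
'''

# Directory name fragments treated as user-writable (assumption: adjust to
# the environment; anything an unprivileged user or a browser can write to).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\desktop\\")


def is_user_writable(directory):
    """True if the directory looks like one an unprivileged user can write to."""
    probe = directory.lower().rstrip("\\") + "\\"
    return any(marker in probe for marker in USER_WRITABLE_MARKERS)


def parse_procmon_csv(text):
    """Parse a Process Monitor CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_app_dir_dll_loads(rows):
    """Flag DLLs that a process searched for, or loaded from, its own
    application directory when that directory is user-writable.

    Returns (process name, DLL file name, kind) tuples where kind is
    'probe'  - CreateFile on <appdir>\\X.dll returned NAME NOT FOUND, i.e. the
               loader consulted the application directory first; a planted
               X.dll there would have been picked up instead of the system copy;
    'loaded' - Load Image succeeded on <appdir>\\X.dll, i.e. a DLL really was
               mapped from the application directory.
    """
    # The application directory of each PID is where its .exe image was loaded from.
    app_dirs = {}
    for row in rows:
        if row["Operation"] == "Load Image" and row["Path"].lower().endswith(".exe"):
            app_dirs.setdefault(row["PID"], str(PureWindowsPath(row["Path"]).parent).lower())

    findings = []
    for row in rows:
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll":
            continue
        app_dir = app_dirs.get(row["PID"])
        if app_dir is None or str(path.parent).lower() != app_dir:
            continue  # access outside the application directory, e.g. System32
        if not is_user_writable(app_dir):
            continue  # application directory is not writable by an unprivileged user
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            kind = "probe"
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            kind = "loaded"
        else:
            continue
        findings.append((row["Process Name"], path.name, kind))
    return findings


if __name__ == "__main__":
    for process, dll, kind in find_app_dir_dll_loads(parse_procmon_csv(SAMPLE_PROCMON_CSV)):
        print(f"{process}: {dll} ({kind} from application directory)")
```

Run against a real export, every "probe" hit names a DLL the loader would take from the application directory if a copy were planted there, and every "loaded" hit names one it already did; both lists are what the vendor's fix needs to empty, which is exactly the check the vendor's "we don't see a vulnerability in the attempt to load CRYPTBASE.dll" reply in the timeline fails to apply.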


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save
it as WTSAPI32.dll in your "Downloads" directory, then copy it
as UXTheme.dll and RichEd20.dll;

2. download avira_registry_cleaner_en.exe from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
and save it in your "Downloads" directory;

3. execute avira_registry_cleaner_en.exe from your "Downloads"
directory;

4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll placed in step 1.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-11-15 vulnerability report sent to vendor

2015-11-16 vendor acknowledges receipt

2015-11-17 vendor verifies vulnerability report and announces to
publish a fix within two weeks

2015-11-18 asked vendor to request a CVE identifier and check
their other executable (un)installers too

2015-11-19 vendor replies:
"We updated our compiler and its runtime to a version
which should mitigate the attack vector and modified
the DLL load order"

2015-12-08 notification from vendor:
"We released a fixed version today"

2015-12-08 your "fixed" cleaner still loads the named DLLs

2015-12-09 response from vendor, asking how I verified execution
of UXTheme.dll, with screenshot of "Process Monitor"
showing the tell-tale line
"C:\Users\...\Downloads\CRYPTBASE.dll NAME NOT FOUND"

2015-12-09 see <http://seclists.org/fulldisclosure/2015/Nov/101>;
sent SAFER.log produced on Windows XP and Windows 7 to
vendor; also told them to look at the screenshot!

2015-12-17 response from vendor:
"We don't see a vulnerability in the attempt to load
CRYPTBASE.dll from the application directory as shown
by Process Monitor. We think we fixed the reported
vulnerabilities and will not provide another fix."

OUCH!
I really LOVE snakeoil vendors who DON'T care about the safety and
security of their customers.

2015-12-18 report published