exploit the possibilities

GIMP For Windows DLL Hijacking

GIMP For Windows DLL Hijacking
Posted Feb 26, 2016
Authored by Stefan Kanthak

GIMP for Windows suffers from a dll hijacking vulnerability.

tags | exploit
systems | windows
MD5 | 18c41257dcf0401926b3da64a6a1ca33

GIMP For Windows DLL Hijacking

Change Mirror Download
Hi @ll,

the executable installer gimp-2.8.16-setup-1.exe (and of course
older versions too) available from <http://www.gimp.org/downloads/>
loads and executes UXTheme.dll from its "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
about this well-known and well-documented vulnerability.


If an attacker places UXtheme.dll in the users "Downloads"
directory (for example per drive-by download or social engineering)
this vulnerability becomes a remote code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
it as UXTheme.dll in your "Downloads" directory;

2. download gimp-2.8.16-setup-1.exe from <http://www.gimp.org/downloads/>
and save it in your "Downloads" directory;

3. run gimp-2.8.16-setup-1.exe from the "Downloads" directory;

4. notice the message boxes displayed from UXTheme.dll placed in
step 1.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/33> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!


Additionally the installer creates and uses an UNSAFE temporary
directory %TEMP%\is-<random>.temp\.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-01-29 sent vulnerability report

NO REPLY, not even an acknowledgement of receipt

2016-02-11 resent vulnerability report

NO REPLY, not even an acknowledgement of receipt

2016-02-23 report published


Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close