

Google Chrome Cleanup Tool DLL Hijacking
Posted Feb 26, 2016
Authored by Stefan Kanthak

Google's Chrome Cleanup Tool suffers from a DLL hijacking vulnerability.

tags | exploit
systems | windows
MD5 | 2f03231c35dc579fb0a013456600b14b


Hi @ll,

Google's software_removal_tool.exe alias Chrome Cleanup Tool loads
and executes several DLLs from its "application directory" at
runtime:

* Windows XP:
SetupAPI.dll, NTMarta.dll, ClbCatQ.dll, SRClient.dll, UXTheme.dll,
RASAPI32.dll, HNetCfg.dll, IPHlpAPI.dll, RASAdHlp.dll, XPSP2Res.dll,
RichEd20.dll, SENSAPI.dll

* Windows 7:
NTMarta.dll, SRClient.dll, DWMAPI.dll, UXTheme.dll, IPHlpAPI.dll,
DNSAPI.dll

Additionally, the following DLLs are loaded from its "application
directory" at load time, i.e. by the loader before any application
code runs:

WS2_32.dll, WS2HELP.dll, PSAPI.DLL, WINMM.dll, WINHTTP.dll,
ProfAPI.dll, Secur32.dll, Version.dll
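The load-time list above is exactly what the import table of the executable names, minus the KnownDLLs (which the loader always maps from the system directory). The following script, an added example that is not code from the advisory or from Google, enumerates the import directory of a PE file and flags the imports that the loader will search for starting in the application directory. The sample PE is constructed inline (it carries only an import table and is not a loadable executable) and the KnownDLLs set is an illustrative, deliberately short assumption; a real run would read the actual software_removal_tool.exe and the machine's HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs list.

```python
"""Enumerate the load-time imports of a PE file, the DLLs the Windows loader
resolves before any application code runs, and flag those that are not
KnownDLLs, since those are the names searched for in the application
directory.  Added example; not code from the advisory or from Google.  The
sample PE is constructed inline and the KnownDLLs set is illustrative."""
import struct

# Constructed, deliberately short: DLLs that are KnownDLLs on every supported
# Windows version and are therefore never looked up in the application directory.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def load_time_imports(pe):
    """DLL names from the import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)             # DataDirectory, PE32+/PE32
    imp_rva = struct.unpack_from("<I", pe, dir_off + 8)[0]      # entry 1: imports
    sec_off = opt + opt_size
    sections = [struct.unpack_from("<III", pe, sec_off + 40 * i + 12)  # VA, raw size, raw ptr
                for i in range(nsec)]
    names = []
    if imp_rva == 0:
        return names
    desc = rva_to_offset(sections, imp_rva)
    while True:                     # IMAGE_IMPORT_DESCRIPTOR is 20 bytes, Name at +12
        name_rva = struct.unpack_from("<I", pe, desc + 12)[0]
        if name_rva == 0:           # all-zero descriptor terminates the table
            break
        names.append(cstring(pe, rva_to_offset(sections, name_rva)))
        desc += 20
    return names


def app_dir_imports(pe):
    """Imports the loader searches for starting in the application directory."""
    return [n for n in load_time_imports(pe) if n.lower() not in KNOWN_DLLS]


def build_sample_pe(dll_names):
    """Construct a minimal PE32+ image containing only an import table that
    names dll_names.  It is enough for parsing, not a loadable executable
    (the thunk arrays a real loader needs are left empty)."""
    sec_va, sec_raw = 0x1000, 0x200
    n = len(dll_names)
    strings_rva = sec_va + 20 * (n + 1)        # strings follow the descriptors
    descs, strings = b"", b""
    for name in dll_names:
        name_rva = strings_rva + len(strings)
        strings += name.encode("ascii") + b"\0"
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
    body = (descs + b"\0" * 20 + strings).ljust(sec_raw, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_va, 20 * (n + 1))
    opt = (struct.pack("<H", 0x20B).ljust(112, b"\0")
           + b"".join(struct.pack("<II", *d) for d in dirs))     # 240 bytes
    sec_hdr = struct.pack("<8sIIII", b".idata", len(body), sec_va,
                          len(body), sec_raw).ljust(40, b"\0")
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec_hdr).ljust(sec_raw, b"\0")
    return headers + body


# Constructed sample with one KnownDLL and three of the names from the advisory.
SAMPLE = build_sample_pe(["KERNEL32.dll", "WS2_32.dll", "WINMM.dll", "Version.dll"])

if __name__ == "__main__":
    print("load-time imports:", load_time_imports(SAMPLE))
    print("searched in application directory:", app_dir_imports(SAMPLE))
```

To check a real binary, pass `open(path, "rb").read()` to `app_dir_imports`; anything it prints is a file name that, if planted next to the executable, is mapped into the process before the first instruction of application code runs.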


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places the DLLs named above in the user's "Downloads"
directory (for example via drive-by download or social engineering),
this vulnerability becomes remote code execution.


See <http://seclists.org/fulldisclosure/2015/Nov/101>
and <http://seclists.org/fulldisclosure/2015/Dec/86>
plus <http://seclists.org/fulldisclosure/2015/Dec/121>


Proof of concept (verified on Windows XP and Windows 7 using
versions 2.46 and 6.44.3.0 of software_removal_tool.exe):

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
it as UXTheme.dll in your "Downloads" directory, then copy it
as RichEd20.dll, ClbCatQ.dll, SetupAPI.dll, DWMAPI.dll etc.;

2. download software_removal_tool.exe and save it in your
"Downloads" directory;

3. run software_removal_tool.exe from the "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
step 1.

PWNED!

5. create empty files WS2_32.dll, WS2HELP.dll, PSAPI.DLL, WINMM.dll,
WINHTTP.dll, ProfAPI.dll, Secur32.dll, Version.dll in your
"Downloads" directory;

6. run software_removal_tool.exe from the "Downloads" directory.

DOSSED!


This denial of service can easily be turned into arbitrary code
execution too: just create a DLL that exports all the entries
referenced by software_removal_tool.exe.


For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location
|                      ~~~~~~~~~~~~~~~
| is constant.
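Why steps 1 to 4 and steps 5 and 6 above behave differently, and what each of the recommended remedies changes, is easiest to see on a model of the search order. The script below is an added illustration and not code from the advisory or from Google: it models SafeDllSearchMode, KnownDLLs, the effect of SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) on later LoadLibrary calls, and fully qualified paths. The KnownDLLs set, the directory contents and the user name are constructed; the 16-bit system directory, the already-loaded-module check and manifest redirection are left out of the model.

```python
"""Toy model of the Win32 DLL search order, added to show why the DLLs named
in the advisory resolve from the application directory and what the usual
mitigations change.  Added illustration, not code from the advisory or from
Google; the KnownDLLs set and the directory contents are constructed."""
from dataclasses import dataclass

# Constructed, deliberately short: DLLs that are KnownDLLs on every supported
# Windows version.  A KnownDLL is mapped from the section the system created
# at boot, so the search order below is never consulted for it.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


@dataclass
class Process:
    app_dir: str                        # directory the .exe was started from
    cwd: str
    system_dir: str = r"C:\Windows\System32"
    windows_dir: str = r"C:\Windows"
    path_dirs: tuple = ()
    safe_search: bool = True            # SafeDllSearchMode, default since XP SP2
    # True once SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) ran.
    # It only affects LoadLibrary calls the application makes afterwards.
    search_system32_only: bool = False


def search_order(p, at_load_time):
    """Directories in the order the loader tries them for one DLL name."""
    if p.search_system32_only and not at_load_time:
        return [p.system_dir]
    if p.safe_search:                   # 16-bit system directory omitted
        return [p.app_dir, p.system_dir, p.windows_dir, p.cwd, *p.path_dirs]
    return [p.app_dir, p.cwd, p.system_dir, p.windows_dir, *p.path_dirs]


def resolve(p, files, dll_name, at_load_time):
    """Path the loader picks for dll_name, or None if the load fails.
    files maps a directory to the lower-cased file names it contains."""
    if "\\" in dll_name:                # fully qualified: no search at all
        d, _, base = dll_name.rpartition("\\")
        return dll_name if base.lower() in files.get(d, set()) else None
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return p.system_dir + "\\" + name
    for d in search_order(p, at_load_time):
        if name in files.get(d, set()):
            return d + "\\" + name
    return None                         # at load time: the process never starts


def hijack_report(p, files, load_time_imports, runtime_loads):
    """Map each DLL to (resolved path, hijacked?), where hijacked means the
    loader picked a copy outside the system directory."""
    report = {}
    for name, at_load_time in ([(n, True) for n in load_time_imports] +
                               [(n, False) for n in runtime_loads]):
        path = resolve(p, files, name, at_load_time)
        report[name] = (path, path is not None and not path.startswith(p.system_dir))
    return report


# Constructed scenario: the tool sits in Downloads next to planted DLLs.
DOWNLOADS = r"C:\Users\victim\Downloads"
FILES = {
    DOWNLOADS: {"software_removal_tool.exe", "uxtheme.dll", "riched20.dll",
                "ws2_32.dll", "kernel32.dll"},
    r"C:\Windows\System32": {"uxtheme.dll", "riched20.dll", "ws2_32.dll",
                             "kernel32.dll", "dnsapi.dll"},
}
LOAD_TIME = ["WS2_32.dll", "kernel32.dll"]               # from the import table
RUNTIME = ["UXTheme.dll", "RichEd20.dll", "DNSAPI.dll"]  # LoadLibrary later on


def scenario(hardened):
    p = Process(app_dir=DOWNLOADS, cwd=DOWNLOADS, search_system32_only=hardened)
    return hijack_report(p, FILES, LOAD_TIME, RUNTIME)


if __name__ == "__main__":
    for hardened in (False, True):
        print("SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32):", hardened)
        for name, (path, hijacked) in scenario(hardened).items():
            print(f"  {name:13} -> {path}  {'HIJACKED' if hijacked else ''}")
```

Two things the output makes concrete: the planted kernel32.dll is ignored because KnownDLLs never go through the search, and WS2_32.dll stays hijacked even in the hardened run because a load-time import is resolved before the application can call SetDefaultDllDirectories. For such imports the options are to delay-load them (so they become runtime LoadLibrary calls that the restricted search covers) or not to import anything that is not a KnownDLL.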


Additionally, software_removal_tool.exe uses an UNSAFE temporary
directory %TEMP%\scoped_dir<pid>_<random>\ to extract and run
%TEMP%\scoped_dir<pid>_<random>\ChromeRecovery.exe.

For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html>
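What CWE-377/379 describe is easiest to see side by side. The script below is an added example illustrating that weakness class; it is not Google's code and makes no claim about how the Cleanup Tool builds its directory name. It puts a check-then-create variant, whose predictable name an attacker with write access to the temporary directory can pre-create, beside a variant that creates a fresh random name exclusively with a private mode and only ever returns a directory it created itself. The PID, the "random" part and the attacker simulation are constructed for the example.

```python
"""Creating a per-run temporary directory, added to illustrate the weakness
class behind CWE-377/379 rather than to reproduce Google's code: a
check-then-create variant with a name the attacker can predict and
pre-create, beside a variant that creates exclusively with a private mode
and only ever returns a directory it created itself.  The names and the
attacker simulation are constructed for this example."""
import os
import secrets
import stat
import tempfile


def insecure_scoped_dir(base, pid, rand):
    """Check-then-create with a reusable name: an existing directory of that
    name is adopted, so whoever created it first controls its contents and ACL."""
    path = os.path.join(base, f"scoped_dir{pid}_{rand}")
    if not os.path.isdir(path):
        os.mkdir(path)
    return path


def private_scoped_dir(base, tries=16):
    """Exclusive creation under a fresh random name.  A name that already
    exists is abandoned, never reused.  Mode 0o700 is honoured on POSIX; on
    Windows the equivalent is a DACL that grants only the current user access."""
    for _ in range(tries):
        path = os.path.join(base, "scoped_dir" + secrets.token_hex(16))
        try:
            os.mkdir(path, 0o700)        # atomic: fails if anything is there
        except FileExistsError:
            continue
        st = os.lstat(path)              # belt and braces: it is our directory
        if not stat.S_ISDIR(st.st_mode):
            raise RuntimeError("tampered with between create and use")
        if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
            raise RuntimeError("directory not owned by us")
        return path
    raise RuntimeError("no private temporary directory could be created")


def demo(base=None):
    """Simulate an attacker who pre-creates the predictable directory.
    Returns (insecure variant reused the attacker's directory,
             secure variant avoided it)."""
    base = base or tempfile.mkdtemp()
    pid, rand = 4242, "deadbeef"         # constructed, stands for <pid>_<random>
    attacker_dir = os.path.join(base, f"scoped_dir{pid}_{rand}")
    os.mkdir(attacker_dir)               # the attacker wins the race
    reused = insecure_scoped_dir(base, pid, rand) == attacker_dir
    fresh = private_scoped_dir(base)
    avoided = fresh != attacker_dir and os.path.isdir(fresh)
    return reused, avoided


if __name__ == "__main__":
    print(demo())
```

Exclusive creation is the whole point: the secure variant never asks "does it exist?" and then acts on the answer, it asks the kernel to create and takes a refusal as the signal that the name is not its own. Note that this only protects the directory; an executable extracted into a user-writable %TEMP% still has that directory as its application directory, so the DLL search issue above applies to ChromeRecovery.exe as well.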


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-01-28 sent vulnerability report to <security@google.com>

NO reply

2016-02-05 resent vulnerability report to <security@google.com>

2016-02-10 reply from Google security team:
"Chrome is not in scope for the Google VRP program, and has
a separate bug reporting process."

2016-02-10 resent vulnerability report to <security@chromium.org>

NO reply, not even an acknowledgement of receipt

2016-02-24 resent vulnerability report to <security@chromium.org>
and <security@google.com>

2016-02-24 reply from Google security team:
"This is working as intended."

Google wants to have your Windows pwned!

2016-02-24 completely clueless reply from Chromium saying that they
didn't read <http://seclists.org/fulldisclosure/2015/Nov/101>
and <http://seclists.org/fulldisclosure/2015/Dec/86>
plus <http://seclists.org/fulldisclosure/2015/Dec/121>:

"I'm also unsure what defenses you intended to propose here,
because the loader definitely pulls in many (all?) of those
imports prior to any application code running -- so things
like SetDefaultDllDirectories simply aren't a viable defense."

2016-02-24 OUCH!
The DLLs loaded during runtime (see steps 1 to 4) don't have
any exports, there is no import which can (or need to) be
pulled by the loader.

2016-02-26 another nonsense reply from Chromium

2016-02-26 report published
obviously neither Google nor Chromium seems to be interested
in fixing their vulnerable cleanup tool.

STAY AWAY FROM SUCH CRAPWARE!