ClamWin 0.99 DLL Hijacking

ClamWin 0.99 DLL Hijacking: Posted Mar 7, 2016; Authored by Stefan Kanthak; ClamWin version 0.99 suffers from a DLL hijacking vulnerability.; tags | exploit; systems | windows; SHA-256 | b2be3253bb37ef5ad3a81cc596f0eb316ab73089f786a5ac15cca8b8d5244edb; Download | Favorite | View

ClamWin 0.99 DLL Hijacking

Hi @ll,

the executable installer clamwin-0.99-setup.exe (available from
<http://www.clamwin.com/download>) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places one of the above named DLL in the user's
"Downloads" directory (for example per "drive-by download"
or "social engineering") this vulnerability becomes a remote
code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   DWMAPI.dll;

2. download clamwin-0.99-setup.exe and save it in your "Downloads"
   directory;

3. execute clamwin-0.99-setup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!  


stay tuned
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
    errors. It's a tell-tale sign to stay away from this snakeoil!


Timeline:
~~~~~~~~~

2016-03-06    sent vulnerability report to authors

<security@clamwin.com>: host aspmx.l.google.com[64.233.184.26] said: 550-5.1.1
    The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
    https://support.google.com/mail/answer/6596 y186si9894139wmy.43 - gsmtp (in
    reply to RCPT TO command)

<clamwin@sf.net>: host mx.sourceforge.net[216.34.181.68] said: 550 unknown user
    (in reply to RCPT TO command)

2016-03-06    report published

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

ClamWin 0.99 DLL Hijacking

ClamWin 0.99 DLL Hijacking

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ClamWin 0.99 DLL Hijacking

Share This

ClamWin 0.99 DLL Hijacking

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems