VeraCrypt 1.17 DLL Hijacking

VeraCrypt 1.17 DLL Hijacking: Posted Jul 18, 2016; Authored by Stefan Kanthak; The installer for VeraCrypt version 1.17 suffers from a dll hijacking vulnerability.; tags | advisory; systems | windows; advisories | CVE-2016-1281; SHA-256 | da2330e7ad3228c7507f3b754b72ba7cabcaa6c3591eeffcfa8f7886bc98e2c5; Download | Favorite | View

VeraCrypt 1.17 DLL Hijacking

Hi @ll,

this is basically a followup to <http://seclists.org/oss-sec/2016/q1/58>

CVE-2016-1281 is NOT FIXED!

I've retested the current "VeraCrypt Setup 1.17.exe" on a fully
patched Windows 7, and it is STILL (or AGAIN) vulnerable there.

The following DLLs are loaded from the "application directory"
and their DllMain() executed: VSSAPI.dll, ATL.dll, VSSTrace.dll.

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html> and
<https://capec.mitre.org/data/definitions/471.html> for details
about this well-known and well-documented beginner's error!

Due to the application manifest embedded in the executable installer
which specifies "requireAdministrator" the installer is run with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password); execution of the DLLs therefore results
in an escalation of privilege!

For software downloaded with a web browser the "application
directory" is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for prior
art!


Mitigation:
~~~~~~~~~~~

DUMP executable installers, build packages for the target OS' native
installer instead!

See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-12-23    vulnerability report sent to author

2016-01-03    author confirmed vulnerability, got CVE-2016-1281

              worked with author until he finally was able to build
              an installer which didn't show this vulnerability.

              Also notified author:
              "as soon as Microsoft introduces new/other dependencies
               between Windows' system DLLs or refactors them (again)
               this vulnerability will VERY likely resurface again."

2016-01-11    report published by author (see above)

2016-07-01    vulnerability report sent to author ("I told you so!")

              NO RESPONSE

2016-07-17    report published

Top Authors In Last 30 Days

Red Hat 144 files
Ubuntu 111 files
Debian 18 files
Rafael Pedrero 11 files
LiquidWorm 10 files
Google Security Research 10 files
Apple 9 files
Abdulhakim Oner 8 files
nu11secur1ty 8 files
Hubert Wojciechowski 6 files

File Archives

Systems

AIX (426)
Apple (1,960)
BSD (370)
CentOS (56)
Cisco (1,919)
Debian (6,714)
Fedora (1,691)
FreeBSD (1,242)
Gentoo (4,288)
HPUX (878)
iOS (340)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,130)
Mac OS X (684)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (12,923)
Slackware (941)
Solaris (1,609)
SUSE (1,444)
Ubuntu (8,448)
UNIX (9,208)
UnixWare (185)
Windows (6,532)
Other

VeraCrypt 1.17 DLL Hijacking

VeraCrypt 1.17 DLL Hijacking

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

VeraCrypt 1.17 DLL Hijacking

Share This

VeraCrypt 1.17 DLL Hijacking

File Archive:

March 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems