Twenty Year Anniversary

SoftMaker FreeOffice 2016 DLL Hijacking

SoftMaker FreeOffice 2016 DLL Hijacking
Posted Dec 30, 2016
Authored by Stefan Kanthak

The executable installers for SoftMaker FreeOffice 2016 suffer from a dll hijacking vulnerability.

tags | advisory
systems | windows
MD5 | 23477524d519e420cec95f91987d0ace

SoftMaker FreeOffice 2016 DLL Hijacking

Change Mirror Download
Hi @ll,

the installers of SoftMaker's FreeOffice 2016, "freeoffice2016.exe",
available from <http://www.softmaker.net/down/freeoffice2016.exe>,
and its predecessor FreeOffice 2010, "freeofficewindows.exe",
available from <http://www.softmaker.net/down/freeofficewindows.exe>,
are (surprise.-) vulnerable!


1. They load CABINET.DLL, MSI.DLL, VERSION.DLL and WINSPOOL.DRV from
their "application directory" instead of Windows' "system directory"
%SystemRoot%\System32\, resulting in "arbitrary code execution".

For this well-known vulnerability see
<https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

The "application directory" is typically the user's "Downloads"
folder, where an attacker can place these DLLs for example per
"drive-by download".

Thanks to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run
with administrative privileges, resulting in "arbitrary code
execution" WITH "elevation of privilege".


2. The installer creates an UNPROTECTED directory "%TEMP%\<GUID>\",
writable by the unprivileged user, to extracts the files uinst.exe,
SETUP_1.CAB and SETUP_2.CAB, then extracts an .MSI from the .CABs
and calls "MSIEXEC.EXE /i ...MSI" to finally install FreeOffice.

Thanks to the unprotected directory an attacker can modify the
extracted files and is able to gain SYSTEM privilege.

For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>


The installers are built using dotNetinstaller from dblock.org.
STAY AWAY FROM THIS CRAP!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.

* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-11-18 sent vulnerability report for version 2010 to vendor

received an auto-generated reply: we are busy

2015-12-27 resent vulnerability report to vendor

2016-01-07 vendor replies: fixed in latest release of
FreeOffice 2010 from 2015-12-15

2016-01-07 OUCH!
The vulnerability is NOT fixed!

2016-01-19 vendor replies: loading of CABINET.DLL and MSI.DLL
should be fixed, but we can't fix WINSPOOL.DRV for now

2016-04-19 sent vulnerability report for new version 2016 to
vendor

no reply, not even an acknowledgement of receipt

2016-12-12 sent vulnerability report to vendor and author of
installer

no reply, not even an acknowledgement of receipt

2016-12-19 resent vulnerability report to vendor and author of
installer

no reply, not even an acknowledgement of receipt

2016-12-29 report published


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    7 Files
  • 21
    Apr 21st
    10 Files
  • 22
    Apr 22nd
    2 Files
  • 23
    Apr 23rd
    17 Files
  • 24
    Apr 24th
    35 Files
  • 25
    Apr 25th
    14 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close