Exploit the possiblities

SoftMaker FreeOffice 2016 DLL Hijacking

SoftMaker FreeOffice 2016 DLL Hijacking
Posted Dec 30, 2016
Authored by Stefan Kanthak

The executable installers for SoftMaker FreeOffice 2016 suffer from a dll hijacking vulnerability.

tags | advisory
systems | windows
MD5 | 23477524d519e420cec95f91987d0ace

SoftMaker FreeOffice 2016 DLL Hijacking

Change Mirror Download
Hi @ll,

the installers of SoftMaker's FreeOffice 2016, "freeoffice2016.exe",
available from <http://www.softmaker.net/down/freeoffice2016.exe>,
and its predecessor FreeOffice 2010, "freeofficewindows.exe",
available from <http://www.softmaker.net/down/freeofficewindows.exe>,
are (surprise.-) vulnerable!


1. They load CABINET.DLL, MSI.DLL, VERSION.DLL and WINSPOOL.DRV from
their "application directory" instead of Windows' "system directory"
%SystemRoot%\System32\, resulting in "arbitrary code execution".

For this well-known vulnerability see
<https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

The "application directory" is typically the user's "Downloads"
folder, where an attacker can place these DLLs for example per
"drive-by download".

Thanks to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run
with administrative privileges, resulting in "arbitrary code
execution" WITH "elevation of privilege".


2. The installer creates an UNPROTECTED directory "%TEMP%\<GUID>\",
writable by the unprivileged user, to extracts the files uinst.exe,
SETUP_1.CAB and SETUP_2.CAB, then extracts an .MSI from the .CABs
and calls "MSIEXEC.EXE /i ...MSI" to finally install FreeOffice.

Thanks to the unprotected directory an attacker can modify the
extracted files and is able to gain SYSTEM privilege.

For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>


The installers are built using dotNetinstaller from dblock.org.
STAY AWAY FROM THIS CRAP!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.

* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-11-18 sent vulnerability report for version 2010 to vendor

received an auto-generated reply: we are busy

2015-12-27 resent vulnerability report to vendor

2016-01-07 vendor replies: fixed in latest release of
FreeOffice 2010 from 2015-12-15

2016-01-07 OUCH!
The vulnerability is NOT fixed!

2016-01-19 vendor replies: loading of CABINET.DLL and MSI.DLL
should be fixed, but we can't fix WINSPOOL.DRV for now

2016-04-19 sent vulnerability report for new version 2016 to
vendor

no reply, not even an acknowledgement of receipt

2016-12-12 sent vulnerability report to vendor and author of
installer

no reply, not even an acknowledgement of receipt

2016-12-19 resent vulnerability report to vendor and author of
installer

no reply, not even an acknowledgement of receipt

2016-12-29 report published


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close