accept no compromises

SoftMaker FreeOffice 2016 DLL Hijacking

SoftMaker FreeOffice 2016 DLL Hijacking
Posted Dec 30, 2016
Authored by Stefan Kanthak

The executable installers for SoftMaker FreeOffice 2016 suffer from a dll hijacking vulnerability.

tags | advisory
systems | windows
MD5 | 23477524d519e420cec95f91987d0ace

SoftMaker FreeOffice 2016 DLL Hijacking

Change Mirror Download
Hi @ll,

the installers of SoftMaker's FreeOffice 2016, "freeoffice2016.exe",
available from <http://www.softmaker.net/down/freeoffice2016.exe>,
and its predecessor FreeOffice 2010, "freeofficewindows.exe",
available from <http://www.softmaker.net/down/freeofficewindows.exe>,
are (surprise.-) vulnerable!


1. They load CABINET.DLL, MSI.DLL, VERSION.DLL and WINSPOOL.DRV from
their "application directory" instead of Windows' "system directory"
%SystemRoot%\System32\, resulting in "arbitrary code execution".

For this well-known vulnerability see
<https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

The "application directory" is typically the user's "Downloads"
folder, where an attacker can place these DLLs for example per
"drive-by download".

Thanks to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run
with administrative privileges, resulting in "arbitrary code
execution" WITH "elevation of privilege".


2. The installer creates an UNPROTECTED directory "%TEMP%\<GUID>\",
writable by the unprivileged user, to extracts the files uinst.exe,
SETUP_1.CAB and SETUP_2.CAB, then extracts an .MSI from the .CABs
and calls "MSIEXEC.EXE /i ...MSI" to finally install FreeOffice.

Thanks to the unprotected directory an attacker can modify the
extracted files and is able to gain SYSTEM privilege.

For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>


The installers are built using dotNetinstaller from dblock.org.
STAY AWAY FROM THIS CRAP!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.

* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-11-18 sent vulnerability report for version 2010 to vendor

received an auto-generated reply: we are busy

2015-12-27 resent vulnerability report to vendor

2016-01-07 vendor replies: fixed in latest release of
FreeOffice 2010 from 2015-12-15

2016-01-07 OUCH!
The vulnerability is NOT fixed!

2016-01-19 vendor replies: loading of CABINET.DLL and MSI.DLL
should be fixed, but we can't fix WINSPOOL.DRV for now

2016-04-19 sent vulnerability report for new version 2016 to
vendor

no reply, not even an acknowledgement of receipt

2016-12-12 sent vulnerability report to vendor and author of
installer

no reply, not even an acknowledgement of receipt

2016-12-19 resent vulnerability report to vendor and author of
installer

no reply, not even an acknowledgement of receipt

2016-12-29 report published


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    2 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close