
Heimdal Security DLL Hijacking

Posted Jan 31, 2017
Authored by Stefan Kanthak

Heimdal Security's SetupLauncher is vulnerable to DLL hijacking.

tags | advisory
systems | windows
SHA-256 | 943d15090aa9969816c66d337a95a511ef46089ce4b7786320fe7e66d6aa41c9

Hi @ll,

Heimdal.SetupLauncher.exe, available from
<https://heimdalprodstorage.blob.core.windows.net/setup/Heimdal.SetupLauncher.exe>
is (surprise.-) vulnerable to DLL hijacking: it loads (at least)
WINSPOOL.DRV from its "application directory" instead of Windows'
"system directory".

For downloaded applications like Heimdal.SetupLauncher.exe the
"application directory" is Windows' "Downloads" folder.

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.
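To make the mechanism concrete, here is a small Python model of the default DLL search order. It is an added example, not part of Kanthak's advisory or of Heimdal's code: the directory listings, the Downloads path and the KnownDLLs subset are constructed assumptions, and the function names are mine. It shows that with the default order a WINSPOOL.DRV sitting in the Downloads folder is what the loader maps for an executable started from there, while a process that restricts its search to the system directory (the fix described in the "load library safely" reference above) gets the real one.

```python
"""Model of the Windows default DLL search order, used to show why an
executable started from the Downloads folder picks up a DLL sitting next
to it.

Constructed example: the directory listings below are made up and the
search order is a simplified version of the documented one (application
directory, system directory, Windows directory, current directory, PATH).
The 16-bit system directory step is omitted.
"""
import ntpath
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed file-system snapshot: directory -> lower-cased file names.
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
DOWNLOADS = r"C:\Users\alice\Downloads"  # hypothetical user profile

FILESYSTEM: Dict[str, Set[str]] = {
    SYSTEM32: {"winspool.drv", "kernel32.dll", "user32.dll", "version.dll"},
    WINDIR: set(),
    DOWNLOADS: {"heimdal.setuplauncher.exe", "winspool.drv", "kernel32.dll"},
}

# Subset of the KnownDLLs list (assumption: kernel32/user32 are on it,
# winspool.drv is not).  KnownDLLs are mapped from the system directory
# without any path search, so planting them next to the EXE has no effect.
KNOWN_DLLS: FrozenSet[str] = frozenset({"kernel32.dll", "user32.dll"})


def search_dirs(app_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Default (SafeDllSearchMode on) order of directories the loader probes."""
    return [app_dir, SYSTEM32, WINDIR, cwd] + path_dirs


def resolve_dll(name: str, app_dir: str, cwd: str = SYSTEM32,
                path_dirs: Optional[List[str]] = None,
                fs: Dict[str, Set[str]] = FILESYSTEM,
                system32_only: bool = False) -> Optional[str]:
    """Return the path the loader would map for `name`, or None if not found.

    system32_only models a process that restricted its search to the system
    directory (SetDefaultDllDirectories / LoadLibraryEx with
    LOAD_LIBRARY_SEARCH_SYSTEM32), which is what the referenced Microsoft
    guidance recommends for system DLLs.
    """
    lower = name.lower()
    if lower in KNOWN_DLLS or system32_only:
        candidates = [SYSTEM32]
    else:
        candidates = search_dirs(app_dir, cwd, path_dirs or [])
    for directory in candidates:
        if lower in fs.get(directory, set()):
            return ntpath.join(directory, name)
    return None


def planted_imports(imports: List[str], app_dir: str, **kwargs) -> List[str]:
    """Imports that resolve from the application directory instead of
    System32: the ones an unrelated file dropped into that directory
    (here, the Downloads folder) would replace."""
    hijackable = []
    for dll in imports:
        path = resolve_dll(dll, app_dir, **kwargs)
        if path is not None and ntpath.dirname(path).lower() == app_dir.lower():
            hijackable.append(dll)
    return hijackable


if __name__ == "__main__":
    imports = ["KERNEL32.dll", "USER32.dll", "WINSPOOL.DRV", "VERSION.dll"]
    print("default search order:", planted_imports(imports, DOWNLOADS))
    print("system32 only       :",
          planted_imports(imports, DOWNLOADS, system32_only=True))
```

Run as a script it prints `['WINSPOOL.DRV']` for the default search order and `[]` once the search is restricted to the system directory; KERNEL32.dll stays in System32 in both cases because it is modelled as a KnownDLL.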


On their web site <https://heimdalsecurity.com/en/> Heimdal Security
brags^Wlies:

| Online criminals hate us. We protect you from attacks that antivirus
| can't block.

The opposite is true: every online criminal loves "security"
products because of such trivial-to-exploit vulnerabilities!

DLL hijacking is a 20-year-old, well-known and well-documented
vulnerability, and a typical beginner's error: see
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx>
for more information.


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".

* Use SAFER alias Software Restriction Policies or AppLocker to
enforce W^X alias "write Xor execute" in the NTFS file system:
allow execution only below %SystemRoot% and %ProgramFiles% and
deny it everywhere else.

See <http://mechbgon.com/srp/index.html> or
<http://home.arcor.de/skanthak/SAFER.html> alias
<https://skanthak.homepage.t-online.de/SAFER.html> for more
information.

* Stay FAR away from so-called "security" products!

See (for example)
<http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html>
and
<https://medium.com/@justin.schuh/stop-buying-bad-security-prescriptions-f18e4f61ba9e#.f07b2xdow>
for more information.
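As an added worked example (not part of the advisory), here is a small Python decoder for SDDL ACE strings that turns the "(D;OIIO;WP;;;WD)" ACE from the second mitigation above into the reading given there. The token tables are the subset of the documented SDDL tokens needed for it plus a few common neighbours; the meaning of "WP" on file-system objects (FILE_EXECUTE / FILE_TRAVERSE, 0x20) is from Microsoft's access-rights documentation. Function names are mine.

```python
"""Decoder for SDDL ACE strings such as "(D;OIIO;WP;;;WD)".

Added example; the tables cover only a subset of the documented SDDL
tokens.  Rights are glossed with their meaning for file-system objects,
which is what an ACL on %USERPROFILE% holds.
"""
import re
from typing import Dict, List

ACE_TYPES: Dict[str, str] = {
    "A": "allow",
    "D": "deny",
    "OA": "object allow",
    "OD": "object deny",
    "AU": "audit",
}

# Inheritance flags: two-letter tokens concatenated without separators.
ACE_FLAGS: Dict[str, str] = {
    "CI": "container inherit (subdirectories receive the ACE)",
    "OI": "object inherit (files receive the ACE)",
    "NP": "no propagate (inheritance stops at direct children)",
    "IO": "inherit only (ACE does not apply to this directory itself)",
    "ID": "inherited (ACE came from a parent)",
}

# Rights tokens with their meaning for file-system objects.
ACE_RIGHTS: Dict[str, str] = {
    "GA": "generic all",
    "GR": "generic read",
    "GW": "generic write",
    "GX": "generic execute",
    "FA": "file all access",
    "FR": "file generic read",
    "FW": "file generic write",
    "FX": "file generic execute",
    "WP": "execute file / traverse directory (FILE_EXECUTE, 0x20)",
    "SD": "delete",
    "WD": "write DACL",
    "WO": "write owner",
    "RC": "read control",
}

WELL_KNOWN_SIDS: Dict[str, str] = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BA": "Builtin Administrators",
    "BU": "Builtin Users",
    "SY": "Local System",
    "OW": "Owner Rights",
}

_ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_tokens(field: str, table: Dict[str, str]) -> List[str]:
    """Split a run of two-letter tokens, e.g. "OIIO" -> ["OI", "IO"]."""
    if len(field) % 2:
        raise ValueError(f"odd-length token field: {field!r}")
    tokens = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [t for t in tokens if t not in table]
    if unknown:
        raise ValueError(f"unknown SDDL token(s): {unknown}")
    return tokens


def decode_ace(ace: str) -> Dict[str, object]:
    """Decode one parenthesised ACE string into its six SDDL fields."""
    m = _ACE_RE.fullmatch(ace.strip())
    if not m:
        raise ValueError(f"not an ACE string: {ace!r}")
    fields = m.group(1).split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 ';'-separated fields, got {len(fields)}")
    ace_type, flags, rights, obj_guid, inherit_guid, trustee = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type: {ace_type!r}")
    return {
        "type": ACE_TYPES[ace_type],
        "flags": _split_tokens(flags, ACE_FLAGS),
        "rights": _split_tokens(rights, ACE_RIGHTS),
        "object_guid": obj_guid,
        "inherit_object_guid": inherit_guid,
        # Unknown trustee tokens are returned verbatim (they may be literal SIDs).
        "trustee": WELL_KNOWN_SIDS.get(trustee, trustee),
    }


def describe_ace(ace: str) -> str:
    """Plain-English summary of an ACE, in the style of the advisory's gloss."""
    d = decode_ace(ace)
    rights = ", ".join(ACE_RIGHTS[r] for r in d["rights"])
    flags = "; ".join(ACE_FLAGS[f] for f in d["flags"]) or "applies to this object only"
    return f"{d['type']} {rights} for {d['trustee']} [{flags}]"


def decode_dacl(sddl: str) -> List[Dict[str, object]]:
    """Decode every ACE in a DACL string such as "D:(A;;FA;;;BA)(D;OIIO;WP;;;WD)"."""
    body = sddl.split("D:", 1)[1] if sddl.startswith("D:") else sddl
    return [decode_ace(f"({inner})") for inner in _ACE_RE.findall(body)]


if __name__ == "__main__":
    print(describe_ace("(D;OIIO;WP;;;WD)"))
```

`describe_ace("(D;OIIO;WP;;;WD)")` yields "deny execute file / traverse directory (FILE_EXECUTE, 0x20) for Everyone [object inherit (files receive the ACE); inherit only (ACE does not apply to this directory itself)]". The ACE carries OI but not CI, yet still reaches files in every subdirectory: a directory that inherits an object-inherit ACE receives it as an inherit-only ACE and passes it on to its own files, which is why the gloss above says "all files in all subdirectories" while the directories themselves stay traversable.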


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-01-13 vulnerability report sent to vendor

no reply, not even an acknowledgement of receipt

2017-01-21 vulnerability report resent to vendor

no reply, not even an acknowledgement of receipt

2017-01-31 report published

