what you don't know can hurt you

Rufus 3.0 / 3.1 Privilege Escalation

Rufus 3.0 / 3.1 Privilege Escalation
Posted Aug 6, 2018
Authored by Stefan Kanthak

Rufus versions 3.0 and 3.1 suffers from dll hijacking vulnerabilities.

tags | exploit, vulnerability
MD5 | 126457333255fc195b632df825af6a15

Rufus 3.0 / 3.1 Privilege Escalation

Change Mirror Download
Hi @ll,

like their predecessors, the recently (2018-05-29, 2018-06-19)
published versions 3.0 and 3.1 of "Rufus" are riddled with bloody
beginners errors, which ALL allow arbitrary code execution WITH
escalation of privilege, in MULTIPLE ways.

JFTR: to support and ease further attacks, this crap is built
without ASLR and without stack cookies/canaries!

Vulnerability #1

rufus-3.0.exe, rufus-3.0p.exe, rufus-3.1.exe and rufus-3.1p.exe are
susceptible to DLL spoofing alias DLL search order hijacking: on a
fully patched Windows 7, they load at least the following Windows
system DLLs from their "application directory", typically the user's
"Downloads" directory %USERPROFILE%\Downloads\, instead from Windows
"system directory" %SystemRoot%\System32\, resulting in arbitrary
code execution:

DWMAPI.dll, UXTheme.dll, Version.dll, CryptSP.dll, NCrypt.dll,
BCrypt.dll, RichEd20.dll, DSRole.dll, LogonCli.dll, DFSCli.dll,
SAMCli.dll, DSRole.dll

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus

Additionally see Microsoft's developer guidance
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> und
to avoid this bloody beginner's error.

Also see
for "prior art".

And last but not least the 20+ year old

Since the clueless developer specified "requireAdministrator" in
the embedded application manifest, his crap can only be run with
administrative privileges, resulting in arbitary code execution
WITH escalation of privilege.

Demonstration/proof of concept #1:

1. Follow the instructions from
and build a testbed/minefield of 32-bit DLLs in your
"Downloads" directory.

2. Download <https://rufus.akeo.ie/downloads/rufus-3.0.exe> and
<https://rufus.akeo.ie/downloads/rufus-3.0p.exe> and save them
in your "Downloads" directory.

3. Run rufus-3.0.exe and rufus-3.0p.exe: notice the message boxes
displayed from multiple DLLs created in step 1!

4. Download <https://rufus.akeo.ie/downloads/rufus-3.1.exe> and
<https://rufus.akeo.ie/downloads/rufus-3.1p.exe> and save them
in your "Downloads" directory.

5. Run rufus-3.1.exe and rufus-3.1p.exe: notice the message boxes
displayed from at least DSROLE.DLL created in step 1!

JFTR: if you don't see a message box: open the event log and view
the entries from source "Vulnerability and Exploit Detector".


DUMP the executable installer, DUMP the portable crap, provide an
.MSI, or a .CAB plus an .INF script.


See <https://skanthak.homepage.t-online.de/!execute.html>

Vulnerability #2

Although running with administrative privileges, this crap extracts
files UNPROTECTED [1] into the "current working directory" for later
execution (and into the user's %TEMP% directory for later use).

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus

An unprivileged user/process running in the same user account [2]
can modify the extracted files between their creation and use, and
can even create bogus files instead, which this crap then executes.
Remember that it runs with administrative rights!

Demonstration/proof of concept #2a:

1. Open a command prompt, then run the following command lines:

MKDIR "%SystemDrive%\CRAPWARE"
COPY %COMSPEC% rufus.com
ATTRIB.exe +R rufus.com

2. Run the following command line:


Notice the string "rufus.com\n" pasted into the command prompt
window (really: into the window which happens to have focus) and
the copy of the command processor started.

3. Run the following command line:


Again notice the string "rufus.com\n" pasted into the command
prompt window, and the subsequent dialog box stating that
another instance of this crap is already running.

Demonstration/proof of concept #2b:

1. Run the following command lines in the still open command

ATTRIB.exe -R rufus.com
ERASE rufus.com
SET NoDefaultCurrentDirectoryInExePath=*

2. Run the command lines


3. Notice the error messages

| "rufus.com" is not recognized as an internal or external command,
| operable program or batch file.

from the command prompt, and the complete failure of this crap.

Demonstration/proof of concept #2c:

1. Add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
files in this directory for everyone, inheritable to files in
subdirectories" to the current working directory

2. Run the vulnerable applications: notice their complete failure,
they neither display their window nor any error message!

3. View the access rights of the file "rufus.com" created in the

stay tuned, and FAR AWAY from such vulnerable and defective crap
Stefan Kanthak

[1] on Windows, every developer past absolute beginner uses the
fourth argument of CreateFile()
or the second argument of CreateDirectory()
to specify a "security descriptor" with the desired and needed
access rights, at least and especially when running privileged.

[2] the ONE and ONLY user account created during Windows setup is an
administrator account, and it is used by the vast majority of
Windows users for their everyday work: according to Microsoft's
own telemetry data, as published in their "Security Intelligence
Reports" <https://www.microsoft.com/security/sir/default.aspx>
about 1/2 to 3/4 of all (some 600 million) Windows installations
report only one active user account.


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    4 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By