Hi @ll,

the executable installer winima90.exe and previous versions
available from <http://www.winimage.com> loads and executes
CRTdll.dll, UXTheme.dll, RichEd32.dll and WindowsCodecs.dll
from its "application directory".

Self-extracting executables created with WinImage load and
execute CRTdll.dll, UXTheme.dll and MPR.dll from their
"application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places the DLLs named above in the users
"Downloads" directory (for example per drive-by download or
social engineering) this vulnerability becomes a remote code
execution.

Due to the application manifest embedded in the executable
installer which specifies "requireAdministrator" it is run
with administrative privileges ("protected" administrators
are prompted for consent, unprivileged standard users are
prompted for an administrator password); execution of the
DLLs therefore results in an escalation of privilege!


See <http://seclists.org/fulldisclosure/2015/Nov/101>
and <http://seclists.org/fulldisclosure/2015/Dec/86>
plus <http://seclists.org/fulldisclosure/2015/Dec/121>
 

Proof of concept (verified on Windows XP, Windows Vista, Windows 7,
Windows Server 2008 [R2]; should work on newer versions too):

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save
   it as UXTheme.dll in your "Downloads" directory, then copy it
   as RichEd32.dll, WindowsCodecs.dll and MPR.dll;

2. download winima90.exe and save it in your "Downloads"
   directory;

3. run winima90.exe (or a self-extractor created with WinImage)
   from the "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


5. copy the downloaded UXTheme.dll as CRTdll.dll;

6. rerun winima90.exe or a self-extractor from the "Downloads"
   directory.

DOSSED!


This denial of service can easily be turned into an arbitrary code
execution: just create a CRTdll.dll which exports all the symbols
referenced by winima90.exe or the self-extractors and place it in
the "Downloads" directory.


For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is
    ~~~~~~
|   constant.


regards
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-01-12    report sent to vendor

              NO ANSWER, not even an acknowledgement of receipt

2016-01-21    report resent to vendor

              NO ANSWER, not even an acknowledgement of receipt

2016-01-30    report published