Hi @ll,

the installers of SoftMaker's FreeOffice 2016, "freeoffice2016.exe",
available from <http://www.softmaker.net/down/freeoffice2016.exe>,
and its predecessor FreeOffice 2010, "freeofficewindows.exe",
available from <http://www.softmaker.net/down/freeofficewindows.exe>,
are (surprise.-) vulnerable!


1. They load CABINET.DLL, MSI.DLL, VERSION.DLL and WINSPOOL.DRV from
   their "application directory" instead of Windows' "system directory"
   %SystemRoot%\System32\, resulting in "arbitrary code execution".

   For this well-known vulnerability see
   <https://capec.mitre.org/data/definitions/471.html>,
   <https://cwe.mitre.org/data/definitions/426.html>,
   <https://cwe.mitre.org/data/definitions/427.html>
   <https://technet.microsoft.com/en-us/library/2269637.aspx>,
   <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
   <https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
   <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
   <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
   <http://seclists.org/fulldisclosure/2012/Aug/134> and
   <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

   The "application directory" is typically the user's "Downloads"
   folder, where an attacker can place these DLLs for example per
   "drive-by download".

   Thanks to the embedded application manifest which specifies
   "requireAdministrator" the executable installer can only be run
   with administrative privileges, resulting in "arbitrary code
   execution" WITH "elevation of privilege".


2. The installer creates an UNPROTECTED directory "%TEMP%\<GUID>\",
   writable by the unprivileged user, to extracts the files uinst.exe,
   SETUP_1.CAB and SETUP_2.CAB, then extracts an .MSI from the .CABs
   and calls "MSIEXEC.EXE /i ...MSI" to finally install FreeOffice.

   Thanks to the unprotected directory an attacker can modify the
   extracted files and is able to gain SYSTEM privilege.

   For this well-known vulnerability see
   <https://cwe.mitre.org/data/definitions/377.html> and
   <https://cwe.mitre.org/data/definitions/379.html>


The installers are built using dotNetinstaller from dblock.org.
STAY AWAY FROM THIS CRAP!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!

  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows
  setup.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-11-18    sent vulnerability report for version 2010 to vendor

              received an auto-generated reply: we are busy

2015-12-27    resent vulnerability report to vendor

2016-01-07    vendor replies: fixed in latest release of
              FreeOffice 2010 from 2015-12-15

2016-01-07    OUCH!
              The vulnerability is NOT fixed!

2016-01-19    vendor replies: loading of CABINET.DLL and MSI.DLL
              should be fixed, but we can't fix WINSPOOL.DRV for now

2016-04-19    sent vulnerability report for new version 2016 to
              vendor

              no reply, not even an acknowledgement of receipt

2016-12-12    sent vulnerability report to vendor and author of
              installer

              no reply, not even an acknowledgement of receipt

2016-12-19    resent vulnerability report to vendor and author of
              installer

              no reply, not even an acknowledgement of receipt

2016-12-29    report published