[FD] Buggy insecure security software executes rogue binary during installation and uninstallation

2014-04-16 Thread Stefan Kanthak
\ Au_.exe in turn called Windows' CreateProcess() function with the (you guessed it) UNQUOTED command line C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver which again led to execution of C:\Program.exe regards Stefan Kanthak ___ Sent

[FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-04-30 Thread Stefan Kanthak
rights every user owning such an account can create the rogue program, resulting in a privilege escalation. JFTR: no, the user account control is not a security boundary! regards Stefan Kanthak PS: for static detection of these silly beginners errors download and run http://home.arcor.de

Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-05-01 Thread Stefan Kanthak
and http://seclists.org/fulldisclosure/2013/May/37 for just the tip of the iceberg). navigare^Wsoftware engineering necesse est! regards Stefan Kanthak

[FD] Beginners error: Synaptics touchpad driver delivered via Windows Update executes rogue program C:\Program.exe with system privileges during installation

2014-05-08 Thread Stefan Kanthak
security response team the vulnerable driver was pulled from Windows Update. Unfortunately (or should I write: of course) the drivers offered on Synaptics web site have this silly bug too! regards Stefan Kanthak PS: the following lines of the SYNPD.INF show the same silly bug: | HKLM,Software

[FD] Defense in depth -- the Microsoft way (part 17): even a one-line script is vulnerable

2014-06-25 Thread Stefan Kanthak
which evaluate PATH, i.e. CreateProcess(), ShellExecute(), CMD.EXE, ... MUST be specified with their fully qualified pathname. regards Stefan Kanthak Timeline: ~ 2014-01-23 informed vendor 2014-01-23 vendor opens MSRC case 16790 ... no more reaction from vendor 2014

[FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-24 Thread Stefan Kanthak
| the executable path in lpCommandLine, as shown in the example below. Long filenames were introduced 20 years ago, but M$FTs developers still can't handle them properly, and their QA is unable to detect such silly and trivial to spot bugs! regards Stefan Kanthak PS: yes, it needs

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-26 Thread Stefan Kanthak
not sure why did you bring UAC into the discussion - did I miss something? or was it just an argument you've heard before and wanted to reply to it preventively?) Cheers! regards Stefan On Fri, Jul 25, 2014 at 2:50 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote: Gynvael Coldwind wrote

[FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

2014-08-12 Thread Stefan Kanthak
them properly. If you detect such silly beginners errors: report them and get them fixed. If the vendor does not fix them: trash the trash! regards Stefan Kanthak PS: for static detection of these silly beginners errors download and run http://home.arcor.de/skanthak/download/SLOPPY.CMD

[FD] Beginners error: Windows Live Mail 2011 runs rogue C:\Program.exe when opening associated URLs

2014-08-16 Thread Stefan Kanthak
and upgrade to Windows Live Mail 2012 ASAP! regards Stefan Kanthak PS: the associations for .eml and .nws DON'T show this beginners error: WindowsLiveMail.Email.1=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /eml:%1 WindowsLiveMail.News.1=C:\Program Files (x86)\Windows Live\Mail

[FD] Beginners error: Apple's Software Update runs rogue program C:\Program.exe (and some more)

2014-08-16 Thread Stefan Kanthak
, Protected Administrator should be considered the equivalent | of Administrator. regards Stefan Kanthak

[FD] Beginners error: Apple's iCloudServices for Windows run rogue program C:\Program.exe (and some more)

2014-08-16 Thread Stefan Kanthak
4.6.1.0 regards Stefan Kanthak PS: the obvious and trivial fix: edit the 2 erroneous command lines and add the missing quotes. But don't forget to fix them after every update of Apple's crap for Windows.

[FD] Defense in depth -- the Microsoft way (part 19): still no perfect forward secrecy per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2]

2014-09-06 Thread Stefan Kanthak
://www.howsmyssl.com/, https://www.ssllabs.com/ssltest/viewMyClient.html or https://cc.dcsec.uni-hannover.de/ with Internet Explorer 8 and later after the reboot. have fun Stefan Kanthak JFTR: IPsec is able to use perfect forward secrecy for MANY years, see http://support.microsoft.com/kb/252735

[FD] iTunes 12.0.1 for Windows: still COMPLETELY outdated and VULNERABLE 3rd party libraries

2014-10-24 Thread Stefan Kanthak
to develop a sense for safety and security: stay away from their (Windows) software! regards Stefan Kanthak Timeline: ~ 2014-06-06 informed vendor 2014-06-06 vendor sent automated response ... no more reaction 2014-07-03 requested status ... no answer

[FD] Beginners error: Google update runs rogue programs %USERPROFILE%\Local.exe, %USERPROFILE%\Local Settings\Application.exe, %SystemDrive%\Documents.exe, %SystemDrive%\Program.exe, ...

2014-11-20 Thread Stefan Kanthak
Google Chrome 39. regards Stefan Kanthak PS: To catch all instances of this beginners error download http://home.arcor.de/skanthak/download/SENTINEL.CMD, http://home.arcor.de/skanthak/download/SENTINEL.DLL, http://home.arcor.de/skanthak/download/SENTINEL.EXE and http

[FD] Defense in depth -- the Microsoft way (part 21): errors/inconsistencies in Windows registry data may lead to buffer overflows or use of random data

2014-11-25 Thread Stefan Kanthak
in Windows 8.1) to dump offline registry hives and to detect errors and inconsistencies in key names, value names and value data. regards Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 20): Microsoft Update may fail to offer current security updates

2014-11-25 Thread Stefan Kanthak
^Wadministrator BEWARE! regards Stefan Kanthak JFTR: unfortunately there don't exist registry entries like those for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11 to generally block the offering/installation of Silverlight or Microsoft Security Essentials per Windows Update

[FD] Defense in depth -- the Microsoft way (part 23): two quotes or not to quote...

2014-12-15 Thread Stefan Kanthak
AppInit_DLLs are only supported on Windows NT (see https://support.microsoft.com/kb/134655) a braindead developer chose not to use a REG_MULTI_SZ value (avoiding the need to interpret spaces as separator and thus supporting long filenames). have fun Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 24): applications built with SDKs may be vulnerable

2014-12-22 Thread Stefan Kanthak
://support.microsoft.com/kb/2500212, https://support.microsoft.com/kb/2565057 and https://support.microsoft.com/kb/2565063), which updates the MSVCRT (including header files etc.) to version 10.0.40219.325. regards Stefan Kanthak

Re: [FD] iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-02-02 Thread Stefan Kanthak
/Oracle Java 6.x and thus installed on many user systems is a good trampoline for attacks. There is ABSOLUTELY no justification for Apple or any other developer to ship VULNERABLE components at all! regards Stefan Kanthak On Sat, Jan 31, 2015 at 10:11 AM, Stefan Kanthak

[FD] [ANN] MSKB 3004375 available for Windows 2000 and later too (but NOT from Microsoft)

2015-02-11 Thread Stefan Kanthak
Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 27): the command line you get differs from the command line I use to call you

2015-01-31 Thread Stefan Kanthak
dir\program.exe name c:\program files\sub dir\program name.exe JFTR: without this transformation splitting of the command line into the argv vector would give wrong results ... in presence of CreateProcess*() braindead behaviour! Stay tuned! regards Stefan Kanthak PS

[FD] Defense in depth -- the Microsoft way (part 30): on exploitable Win32 functions

2015-03-16 Thread Stefan Kanthak
when notified over and over again! Defense in depth? Nope! Software engineering? Nope! BRAINDEAD behaviour of Windows CreateProcess*() functions? Yes, of course, always! Taking care for the safety and security of their customers' systems? Nope! stay tuned (and far away from crapware!) Stefan

[FD] Defense in depth -- the Microsoft way (part 29): contradicting, ambiguous, incomplete documentation

2015-02-21 Thread Stefan Kanthak
. the pathname of the found executable gets quoted if it contains a space. The documentation of the function GetCommandLine() https://msdn.microsoft.com/en-us/library/ms683156.aspx but misses this completely! Stay tuned! regards Stefan Kanthak ['] as soon as a name contains a single

[FD] iTunes 12.1.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-02-21 Thread Stefan Kanthak
[*] without dissecting its *.MSI files. Until Apple's developers, their QA and their managers start to develop a sense for their customers' safety and security and due diligence: stay away from Apple's (Windows) software! stay tuned Stefan Kanthak [*] https://cwe.mitre.org/data/definitions/428.html

[FD] iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-07-01 Thread Stefan Kanthak
software! Stefan Kanthak

[FD] Mozilla extensions: a security nightmare

2015-08-05 Thread Stefan Kanthak
and) Thunderbird and subject to the restrictions imposed by these programs for non-XUL/chrome Javascript. Mitigation(s): ~~ Disable profile local installation of extensions in Mozilla products, enable ONLY application global installation of extensions. stay tuned Stefan Kanthak

[FD] Vulnerable MSVC++ runtime distributed with LibreOffice 5.0.0 for Windows

2015-08-06 Thread Stefan Kanthak
://seclists.org/fulldisclosure/2009/Sep/0 JFTR: Windows Vista and later include NEWER versions of these DLLs, there is absolutely no need to redistribute an ancient version in your product at all (especially after Windows XP and 2003 have reached end-of-life)! stay tuned Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 36): CWE-428 or fun with unquoted paths

2015-11-15 Thread Stefan Kanthak
xe" name | "c:\program files\sub dir\program name.exe" Neither the 4 other possibilities: "C:\Program" files\sub dir\program name "C:\Program files\sub" dir\program name "C:\Program files\sub dir\program" name

Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-08 Thread Stefan Kanthak
Lee "cant afford a surname" wrote: > Haifei Li, changing the default behavior to open a window asking the > user where to save the file would change nothing. A "normal user" > would just click the "save" button to save the file in the default > folder. I also don't think

Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-10 Thread Stefan Kanthak
"Shawn McMahon" sybergh...@gmail.com wrote: > On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> >> That's why giving unsuspecting users *.EXE to install a software package >> or to unpack an archive and thus train

Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-05 Thread Stefan Kanthak
"Gynvael Coldwind" wrote: > Correct me if I'm wrong, but the vulnerability can be summarized as: if you > run an untrusted .exe you might execute malicious code? Amen! > I hardly see this as giving anything new to the attacker who can just > create a malicious exe file,

Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-05 Thread Stefan Kanthak
"Haifei Li" wrote: > This is a copied version of my blog post, original version > http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html. > Probably it's commonly known that when you try to download > something on your modern browser e.g.

[FD] Mozilla extensions: a security nightmare (part 2)

2015-10-13 Thread Stefan Kanthak
extracting installers which unpack their payload to %TEMP%; but these are flawed per concept too! If you need to support such crap, consider to remove the USER environment variables %TEMP% and %TMP% of the administrator account. The administrat

[FD] Defense in depth -- the Microsoft way (part 34): our developers and our QA still ignore our own security recommendations

2015-09-10 Thread Stefan Kanthak
ations with Windows 10: see <http://home.arcor.de/skanthak/download/W10_PATH.INF> for the about 2000 registry entries with unqualified pathnames found in the image of the professional edition in the \sources\install.wim stay tuned Stefan Kanthak [*] see <http://home.arcor.de/skanthak/downlo

[FD] Defense in depth -- the Microsoft way (part 33): arbitrary code execution (and UAC bypass) via RegEdit.exe

2015-09-11 Thread Stefan Kanthak
ator account that allows you to set up | your computer and install any programs that you'd like to use. Once | you finish setting up your computer, we recommend that you create a | standard account and use it for your everyday computing. If you create | new user accounts, you should also ma

[FD] Defense in depth -- the Microsoft way (part 35): Windows Explorer ignores "Run as administrator" ...

2015-09-21 Thread Stefan Kanthak
snt work at all in standard user accounts when UAC is set to "never elevate". This is another clear violation of Microsofts own UX guidelines! stay tuned Stefan Kanthak PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds this and several other mis

[FD] Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege

2015-12-09 Thread Stefan Kanthak
directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.

[FD] Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup

2015-12-09 Thread Stefan Kanthak
home.arcor.de/skanthak/safer.html> and/or <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.google.de/books?isbn=1437914926> and finally

[FD] Executable installers are vulnerable^WEVIL (case 9): Chrome's setup.exe allows arbitrary code execution and escalation of privilege

2015-12-09 Thread Stefan Kanthak
": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

[FD] Executable installers are vulnerable^WEVIL (case 11): Nmap <7.01 and Nmap-WinPcap <4.13

2015-12-16 Thread Stefan Kanthak
disclosure/2015/Nov/101> titled Mitigations for "carpet bombing" alias "directory poisoning" attacks against executable installers. Nmap-7.01 and WinPcap-Nmap-4.13 have been released and fix these vulnerabilities. stay tuned Stefan Kanthak ___

[FD] Executable installers are vulnerable^WEVIL (case 10): McAfee Security Scan Plus, WebAdvisor and CloudAV (Beta)

2015-12-16 Thread Stefan Kanthak
bilities see Intel's Security Bulletin published today: <https://service.mcafee.com/FAQDocument.aspx?lc=1033=TS102462> stay tuned Stefan Kanthak

[FD] Executable uninstallers are vulnerable^WEVIL (case 12): Avira Registry Cleaner allows arbitrary code execution with escalation of privilege

2015-12-17 Thread Stefan Kanthak
ownloads" directory; 4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll and/or RichEd20.dll placed in step 1. stay tuned Stefan Kanthak Timeline: ~ 2015-11-15 vulnerability report sent to vendor 2015-11-16 vendor acknowledges receipt 2015-11-17 vend

[FD] Executable installers/self-extractors are vulnerable^WEVIL (case 17): Kaspersky Labs utilities

2016-01-05 Thread Stefan Kanthak
d be dumped. Kaspersky Lab published a security advisory 2015-12-23 <https://support.kaspersky.com/vulnerability.aspx?el=12430#231215> after they made updated versions of their utilities available on <https://support.kaspersky.com/viruses/utility> stay tuned Stefan Kanthak

Re: [FD] Executable installers are vulnerable^WEVIL (case 15):F-SecureOnlineScanner.exe allows arbitrary (remote) codeexecution and escalation of privilege

2015-12-31 Thread Stefan Kanthak
() with <https://support.microsoft.com/en-us/kb/2533623> which but seems largely unknown to almost all developers of executable installers and self-extractors. JFTR: until now I only found one executable installer that was not susceptible to DLL hijacking. It but uses an unsafe temp

[FD] Executable installers are vulnerable^WEVIL (case 16): Trend Micro's installers allows arbitrary (remote) code execution

2015-12-31 Thread Stefan Kanthak
rom step 1 into "%TEMP%\Agent", then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll and OLEAcc.dll there; 7. execute "%TEMP%\Agent\TisEZIns.exe"; 8. notice the message boxes displayed from

[FD] Executable installers are vulnerable^WEVIL (case 20): TrueCrypt's installers allow arbitrary (remote) code execution and escalation of privilege

2016-01-08 Thread Stefan Kanthak
ure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/121> plus <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details and why executable

[FD] Executable installers are vulnerable^WEVIL (case 13): ESET NOD32 antivirus installer allows remote code execution with escalation of privilege

2015-12-21 Thread Stefan Kanthak
<http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.google.de/books?isbn=1437914926>

[FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-23 Thread Stefan Kanthak
ed a security advisory <https://www.f-secure.com/en/web/labs_global/fsc-2015-4> and made an updated version of their online scanner available on <https://www.f-secure.com/en/web/home_global/online-scanner> CAVEAT: F-Secure's fix works only on Windows Vista and newer versions; th

Re: [FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-26 Thread Stefan Kanthak
"Shawn McMahon" <sybergh...@gmail.com> wrote: > On Wed, Dec 23, 2015 at 7:13 AM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> Hi @ll, >> >> F-Secure's online virus scanner F-SecureOnlineScanner.exe, available >> via <https://www

Re: [FD] Executable installers are vulnerable^WEVIL (case 20): TrueCrypt's installers allow arbitrary (remote) code execution and escalation of privilege

2016-01-11 Thread Stefan Kanthak
"Sarah Allen" wrote: > TrueCrypt ceased development back in 2014. Which but does not mean/imply that everybody abandons TrueCrypt. > Please refer to the below link to migrate to an alternative > (BitLocker) from TrueCrypt. > http://truecrypt.sourceforge.net/ STOP

[FD] Defense in depth -- the Microsoft way (part 40): seven+ year old "blended" threat still alive and kicking

2016-06-01 Thread Stefan Kanthak
ain! NOT! Mitigation(s): ~~ Deny execution in the "%USERPROFILE%" of every user plus "%ALLUSERSPROFILE%" alias "%ProgramData%" * via the inheritable NTFS ACE (D;OIIO;WP;;;WD) meaning "deny execution of files in this directory and below for everyo

[FD] [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers

2016-06-15 Thread Stefan Kanthak
nerable executable installers! PWNED! Mitigation(s): ~~ 0. don't use executable installers. DUMP THEM, NOW! 1. see <http://home.arcor.de/skanthak/!execute.html> as well as <http://home.arcor.de/skanthak/SAFER.html>. 2. stay away from Mozilla's vulnerable instal

[FD] [CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player

2016-06-18 Thread Stefan Kanthak
web site and save them in your "Downloads" directory; 3. run the (un)installers downloaded in step 2 and notice the message boxes displayed from the DLLs placed in step 1. PWNED! JFTR: since the (un)installers are 32-bit programs and (un)install both the 32-bit and 64-bit versio

[FD] [CVE-2016-0014] Executable installers are vulnerable^WEVIL (case 1): Microsoft's IExpress resp. WExtract, SFXCab, BoxStub, ...

2016-01-15 Thread Stefan Kanthak
" alias %ProgramData%" and "%PUBLIC%": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_file

Re: [FD] Executable installers are vulnerable^WEVIL (case 20): TrueCrypt's installers allow arbitrary (remote) code execution and escalation of privilege

2016-01-15 Thread Stefan Kanthak
"Michel Arboi" <michel.ar...@gmail.com> wrote: > On 11 January 2016 at 15:37, Stefan Kanthak <stefan.kant...@nexgo.de> wrote: >> Which but does not mean/imply that everybody abandons TrueCrypt. > > The project has been abruptly killed by the developers wit

[FD] Defense in depth -- the Microsoft way (part 38): does Microsoft follow their own security guidance/advisories?

2016-01-15 Thread Stefan Kanthak
Mitigation: ~~~ use SAFER alias Software Restriction Policies and deny execution everywhere except %SystemRoot% and below and %ProgramFiles% and below. See <http://home.arcor.de/skanthak/SAFER.html> and/or <http://mechbgon.com/srp/index.html> for ins

[FD] [CVE-2016-0602, CVE-2016-0603] Executable installers are vulnerable^WEVIL (case 24): Oracle Java 6/7/8 SE and VirtualBox

2016-02-10 Thread Stefan Kanthak
ork/topics/security/cpujan2016-2367955.html> stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege

2016-02-10 Thread Stefan Kanthak
ution of the DLLs therefore results in an escalation of privilege! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://seclists.org/fulldisclosure/2015/Dec/121> for more details. RARLabs publ

[FD] Executable installers are vulnerable^WEVIL (case 23): WinImage's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege

2016-02-04 Thread Stefan Kanthak
rary/ms682586.aspx> plus <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>: | To ensure secure loading of libraries | * Use proper DLL search order. | * Always specify the fully qualified path when the library location is ~~ | constant. regards Stefan K

[FD] Executable installers are vulnerable^WEVIL (case 4): InstallShield's wrapper and setup.exe

2016-02-25 Thread Stefan Kanthak
": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_wh

[FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege

2016-02-25 Thread Stefan Kanthak
tp://seclists.org/fulldisclosure/2015/Dec/33> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S err

Re: [FD] Windows Mail Find People DLL side loading vulnerability

2016-03-09 Thread Stefan Kanthak
"Securify B.V." wrote: > > Windows Mail Find People DLL side loading vulnerability > > Yorick Koster, September 2015 [...] > - CVE-2016-0100 > -

[FD] Executable installers are vulnerable^WEVIL (case 29): putty-0.66-installer.exe allows arbitrary (remote) code execution WITH escalation of privilege

2016-03-04 Thread Stefan Kanthak
<http://seclists.org/fulldisclosure/2015/Dec/32> plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error! stay tuned Stefan Kanthak Timeline: ~ 2015-12-24se

[FD] Executable installers are vulnerable^WEVIL (case 33): GData's installers allow escalation of privilege

2016-04-20 Thread Stefan Kanthak
lp ntmarta ntshrui cscapi slc windowscodecs apphelp mpr userenv schannel credssp secur32 gpapi samcli) Do MkLink /H "%TEMP%\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}\%%!.dll" "%~dpn0.dll" --- EOF --- 4. run the batch script per double-click: it starts the downloaded

[FD] Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream

2016-05-03 Thread Stefan Kanthak
ns of this vulnerable executable installer for Firefox and Firefox ESR. See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> why you should NEVER name any executable (installer) setup.exe! stay tuned Stefan Kanthak PS: Mozilla fixed the same vulnerabilities in their executable self-

[FD] Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking

2016-07-25 Thread Stefan Kanthak
to your own host with UNC paths to any host reachable from your network where you placed some malicious DLLs to get pwned instead. 5. Execute the downloaded installers. PWNED! 6. Add the element from poc#5 to achieve remote code execution with (user-assisted) escalation of privilege. 7. Execute the downloaded installers. PWNED²! stay tuned Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP%

2016-08-12 Thread Stefan Kanthak
(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak [*]

[FD] [CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers

2016-07-12 Thread Stefan Kanthak
ey load(ed) and execute(d) later with elevated privileges. An unprivileged user can/could overwrite both files between creation and execution and gain elevation of privilege. See <https://cwe.mitre.org/data/definitions/379.html> for this type of well-known and well-documented vulnerability! s

[FD] Executable installers are vulnerable^WEVIL (case 34): Microsoft's vs-community-*.exe susceptible to DLL hijacking

2016-07-06 Thread Stefan Kanthak
brary/security/MS16-041> and <https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html> for a similar vulnerability. stay tuned Stefan Kanthak Timeline: ~ 2016-06-01 sent vulnerability report to vendor plus US-CERT

[FD] Executable installers are vulnerable^WEVIL (case 39): MalwareBytes' "junkware removal tool" allows escalation of privilege

2016-08-16 Thread Stefan Kanthak
sage boxes displayed from the *.COM. PWNED! Mitigations: * Don't use executable installers! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.mic

[FD] Executable installers are vulnerable^WEVIL (case 47): Heimdal Security's SetupLauncher vulnerable to DLL hijacking

2017-01-31 Thread Stefan Kanthak
ml> or <http://home.arcor.de/skanthak/SAFER.html> alias <https://skanthak.homepage.t-online.de/SAFER.html> for more information. * Stay FAR away from so-called "security" products! See (for example) <http://robert.ocallahan.org/2017/01/disable-your-antivirus-software

Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

2017-01-24 Thread Stefan Kanthak
arcor.de/skanthak/verifier.html> alias <https://skanthak.homepage.t-online.de/verifier.html> JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> was referred in <http://seclists.org/bugtraq/2016/Jan/105> In short: setup.exe lets Windows load some app-compat shims.

[FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

2017-01-22 Thread Stefan Kanthak
information. * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories

[FD] "long" filenames mishandled by Fujitsu's ScanSnap software

2017-02-16 Thread Stefan Kanthak
n.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks> JFTR: Microsoft introduced "long" filenames more than 20 years ago. Stay away from the crapware shipped with Fujitsu's scanners! stay tuned Stefan Kanthak Timeline: ~ 2017-01-28 vulnerability report sent to vendor

[FD] Executable installers are vulnerable^WEVIL (case 40): Avira's full package installers allow escalation of privilege

2016-08-31 Thread Stefan Kanthak
sage boxes displayed from the DLLs and EXE placed in "%TEMP%\RarSFX0\" by POC.CMD PWNED! Mitigations: * Don't use executable installers! NEVER! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP;;;WD)" to

[FD] Defense in depth -- the Microsoft way (part 43): restricting the DLL load order fails

2016-09-08 Thread Stefan Kanthak
rol\Session Manager\KnownDLLs] "Version"="Version.Dll" * embed the following "application manifest" in your executables: CAVEAT: the loadFrom attribute of the file element is not documented! stay tuned Stefan Kanthak Timeline: ~ 2016-09-0

[FD] Defense in depth -- the Microsoft way (part 44): complete failure of Windows Update

2016-10-19 Thread Stefan Kanthak
84 860 dec Setup SelfUpdate handler update NOT required: Current version: 7.6.7600.320, required version: 7.6.7600.320 See <http://home.arcor.de/skanthak/slipstream.html> for instructions for a fix and some more information! stay tuned Stefan Kanthak [°] since this happens during the

[FD] Defense in depth -- the Microsoft way (part 45): filesystem redirection fails to redirect the application directory

2016-10-20 Thread Stefan Kanthak
bit forwarder DLLs are loaded in the 64-bit process and that their exports/forwards are processed properly! Their DllMain() entry points are but NOT called (if they were you'd see some message boxes)! stay tuned Stefan Kanthak PS: the test whether 64-bit forwarder DLLs placed in %windir% are

[FD] Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody

2016-11-18 Thread Stefan Kanthak
ry" (which is writable for everyone) too. And one more: 6. the OpenSSL libraries shipped are from version 1.0.2d and have multiple vulnerabilities which have been fixed in version 1.0.2j. stay tuned Stefan Kanthak Timeline: ~ 2016-08-29 vulnerability report sent to vendor

[FD] Executable installers are vulnerable^WEVIL (case 44): SoftMaker's FlexiPDF installers allow escalation of privilege

2017-01-15 Thread Stefan Kanthak
during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of

[FD] Executable installers are vulnerable^WEVIL (case 43): SoftMaker's Office service pack installers allow escalation of privilege

2017-01-03 Thread Stefan Kanthak
ted during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny executi

[FD] Executable installers are vulnerable^WEVIL (case 42): SoftMaker's FreeOffice installer allows escalation of privilege

2016-12-29 Thread Stefan Kanthak
OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

2017-03-24 Thread Stefan Kanthak
} // the return value is only used for PROCESS_CREATION_QUERY, // all other conditions are ignored return ntStatus; } --- EOF --- stay tuned Stefan Kanthak Timeline: ~ 2017-03-10 sent vulnerability report to vendor 2017-03-10 reply from vendor: MSRC case 37727 opened 20

[FD] Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"

2017-03-24 Thread Stefan Kanthak
an "Application Verifier Provider" which performs the missing checks. stay tuned Stefan Kanthak [°] introduced with Windows XP some 16 years ago, available via <https://www.microsoft.com/en-us/download/details.aspx?id=20028> as stand-alone package then, later distributed

Re: [FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

2017-03-28 Thread Stefan Kanthak
.html>, read it and get the prebuilt DLLs plus their .INF setup script, packaged in a .CAB archive. enjoy Stefan Kanthak ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe

2017-03-06 Thread Stefan Kanthak
the VERSIONINFO resource is 0x, despite the english only strings "This installation was built with Inno Setup." in "Comments", "Inno Setup Setup" in "FileDescription" etc. 7. the timestamp in the PE header of innosetup-5.5.9.exe is 0x2A425E19, which

[FD] Executable installers are defective^WEVIL (case 1): putty-0.68-installer.exe

2017-03-05 Thread Stefan Kanthak
"This installation was built with Inno Setup." in "Comments", "PuTTY Setup" in "FileDescription" and "Release 0.68" in "FileVersion". 7. the timestamp in the PE header of putty-0.68-installer.exe is 0x2A425E19, which is "

[FD] Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution

2017-04-07 Thread Stefan Kanthak
" in the NTFS file system: allow execution only below %SystemRoot% and %ProgramFiles% and deny it everywhere else. See <http://mechbgon.com/srp/index.html> or <http://home.arcor.de/skanthak/SAFER.html> alias <https://skanthak.homepage.t-online.de/SAFER.html> f

[FD] Defense in depth -- the Microsoft way (part 48): privilege escalation for dummies -- they didn't make SUCH a stupid blunder?

2017-07-07 Thread Stefan Kanthak
processes-with-uac-on-windows-vista-sp1/ > <https://blogs.msdn.microsoft.com/cjacks/2008/07/22/per-user-com-registrations-and-elevated-processes-with-uac-on-windows-vista-sp1- part-2-ole-automation/> Mitigations: ~~~~ * dump .NET Framework and all applications that use it! * dump UAC! *

[FD] Executable installers are vulnerable^WEVIL (case 53): escalation of privilege with QNAP's installers for Windows

2017-08-18 Thread Stefan Kanthak
ing "deny execution of files in this directory and all subdirectories" to the NTFS ACL of every %TEMP% directory! JFTR: when execution in %TEMP% is denied, the defective installer displays a dialog box with the blatant lie "QSync is running. Click [OK] to

[FD] Executable installers are vulnerable^WEVIL (case 51): escalation of privilege with Microsoft's Azure Recovery Services Agent

2017-05-30 Thread Stefan Kanthak
ecurity/2269637> and <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx> * also see <https://skanthak.homepage.t-online.de/verifier.html> and <https://skanthak.homepage.t-online.de/!execute.html> stay tuned Stefan Kanthak Timeline: ~ 2017-05-1

[FD] [CVE-2017-5688] Executable installers are vulnerable^WEVIL (case 52): Intel installation framework allows arbitrary code execution with escalation of privilege

2017-06-02 Thread Stefan Kanthak
/sentinel.html>, then download <https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL> and save it in an arbitrary directory; 2. save the following batch script in the same directory: --- IIF.CMD --- :WAIT @If Not Exist "%TEMP%\IIF.tmp"

[FD] Executable installers are vulnerable^Wdefective^WEVIL (case 49): xampp-win32-7.1.1-0-VC14-installer.exe allows escalation of privilege

2017-05-05 Thread Stefan Kanthak
port Directory Table ... | The import directory table consists of an array of import directory | entries, one entry for each DLL to which the image refers. Mitigations: * Don't build executable installers, they are almost always vulnerable! Create native installation packages

[FD] Executable installers are vulnerable^WEVIL (case 54): escalation of privilege with PostgreSQL installers for Windows

2017-10-10 Thread Stefan Kanthak
F specification: | Import Directory Table ... | The import directory table consists of an array of import directory | entries, one entry for each DLL to which the image refers. Mitigations: ~~~~ * Don't build executable installers, they are almost always vulnerable! Create native inst

[FD] R.I.P. Kaspersky Privacy Cleaner: withdrawn due to multiple beginner's errors which allow escalation of privilege

2017-09-11 Thread Stefan Kanthak
uses the same insecure procedure ~ Once installed, Kaspersky Privacy Cleaner checks for updates just like CleanerSetup.exe via insecure channel, downloads them via insecure channel, performs no integrity checks, ... stay tuned Ste

[FD] AMD's buddies for Intel's FDIV bug: _llrem and _ullrem yield wrong remainders!

2017-12-01 Thread Stefan Kanthak
this guide, available for example from <http://www.ii.uib.no/~osvik/amd_opt/22007k.pdf> or <https://en.wikichip.org/w/images/5/5f/AMD_Athlon_Processor_x86_Code_Optimization_Guide.pdf>, show this bug only in the _llrem routine! stay tuned Stefan Kanthak

[FD] [ADV170017] Defense in depth -- the Microsoft way (part 54): escalation of privilege during installation of Microsoft Office 20xy

2018-05-08 Thread Stefan Kanthak
(via <http://www.office.com/backup>) from <https://go.microsoft.com/fwlink/p/?LinkID=403713> 3. notice the message boxes displayed from the DLLs saved in %TEMP%! stay tuned Stefan Kanthak PS: be sure to read <https://portal.msrc.microsoft.com/en-US/security-guidance/a

[FD] Defense in depth -- the Microsoft way (part 49): fun with application manifests

2018-01-30 Thread Stefan Kanthak
ERROR_SXS_CANT_GEN_ACTCTX Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any other valid XML encoding except UTF-8 yields the same result. stay tuned Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 50); Windows Update shoves unsafe crap as "important" updates to unsuspecting users

2018-02-06 Thread Stefan Kanthak
dword:0001 "BlockNetFramework461"=dword:0001 "BlockNetFramework462"=dword:0001 "BlockNetFramework47"=dword:0001 "BlockNetFramework471"=dword:0001 --- EOF --- To block earlier versions, see the MSKB articles <https://support.microsoft.com/

[FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-09 Thread Stefan Kanthak
logs.technet.microsoft.com/srd/2014/05/13/load-library-safely/> ... which their own developers and their QA but seem to ignore! See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440> for the same vulnerability in another Microsoft product! stay tuned Stefan Kanthak Timeline:
