[FD] Defense in depth -- the Microsoft way (part 70): CVE-2014-0315 alias MS14-019 revisited

2020-07-24 Thread Stefan Kanthak
ion of Windows XP or any newer version, start the command processor CMD.EXE and run the following commands: SET COMSPEC=%SystemRoot%\System32\Reg.exe ASSOC | CALL ECHO | FTYPE SET | More.com ... Why does the command processor execute the EXTERNAL command specified in the environment variable COMSPEC

[FD] Defense in depth -- the Microsoft way (part 69): security remarks are as futile as the qUACkery!

2020-06-05 Thread Stefan Kanthak
tware\Microsoft\Windows\CurrentVersion\App Paths] when running elevated with a split token on older versions of Windows! stay tuned and far away from software riddled with beginner's errors Stefan Kanthak PS: compare the behaviour of ShellExecute() to that of COM, as documented in <https://m

[FD] Defense in depth -- the Microsoft way (part 68): qUACkery is futile!

2020-06-05 Thread Stefan Kanthak
e\malware.exe" /F REG.EXE ADD "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /V "AutoRun" /T REG_SZ "ERASE /F /Q /S ""%USERPROFILE%""" /F stay tuned, and far away from "protected" accounts and split tokens! Stefan Kanth

[FD] Defense in depth -- the Microsoft way (part 67): we maintain 20 year old bugs since we don't care about our customers safety and security

2020-04-14 Thread Stefan Kanthak
rrentControlSet\Control\SessionManager\Environment" /V TEMP /T REG_EXPAND_SZ /D ^%USERPROFILE^%\AppData\Local\Temp /F REG.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Environment" /V TMP /T REG_EXPAND_SZ /D ^%USERPROFILE^%\AppData\Local\Temp /F

[FD] Defense in depth -- the Microsoft way (part 66): attachment manager allows to load arbitrary DLLs

2020-03-31 Thread Stefan Kanthak
installations of Windows XP and newer versions of Windows. Mitigation: ~~~ Use AppLocker or SAFER alias Software Restriction Policies: see <https://skanthak.homepage.t-online.de/SAFER.html> stay tuned, and NEVER use Windows without SAFER or AppLocker Stefan Kanthak

Re: [FD] Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

2020-03-31 Thread Stefan Kanthak
OfficeAntiVirus interface to initiate an "on-demand" scan; "realtime" scans initiated via the file system filter driver of the anti-malware platform are NOT affected. regards Stefan > On 2020-03-27 15:27, Stefan Kanthak wrote: >> in September 2017, Microsoft relocate

[FD] Defense in depth -- the Microsoft way (part 65): unsafe, easy to redirect paths all over

2020-03-27 Thread Stefan Kanthak
tility process and defeating your design! | Utility processes are also more restricted than the browser process | generally so this is another win in addition to the process decoupling. OUCH³! There is NO decoupled process involved! The demonstration runs an arbitrary DLL in the process of a web browser,

[FD] Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

2020-03-27 Thread Stefan Kanthak
ocess and defeats your design! | Utility processes are also more restricted than the browser process | generally so this is another win in addition to the process decoupling. OUCH³! There is NO decoupled process involved! The demonstration runs an arbitrary DLL in the process of any web browser, any mail/news client, any instant messenger and file explorer as well, credentials of the current user, UNRESTRICTED. | As such, we are closing this case. Mitigation: ~~~ Use AppLocker or SAFER alias Software Restriction Policies: see <https://skanthak.homepage.t-online.de/SAFER.html> stay tuned, and far away from so-called "security software" Stefan Kanthak ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Defense in depth -- the Microsoft way (part 63): program defaults, settings, policies ... and (un)trustworthy computing

2020-03-13 Thread Stefan Kanthak
HKEY_LOCAL_MACHINE\SOFTWARE\Policies /S 2. For every policy registry entry found check that a corresponding setting registry entry is evaluated by the program or component which uses the policy registry entry, and whether this setting registry entry eventually exists. stay tuned, and far a

Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

2020-03-03 Thread Stefan Kanthak
> to know what the dependencies on these are and for whom is it convenient > that they are always there. That's just the icing on the cake. stay tuned Stefan > -Original Message- > From: Fulldisclosure On Behalf Of > Stefan Kanthak > Sent: Monday, February 24, 2020 09:06 > To

[FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

2020-02-28 Thread Stefan Kanthak
y) and CRT applications too! Additionally see the MSKB article <https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads> which does NOT even list the MSVCRT 2005 any more! stay tuned, and FAR AWAY from untrustworthy and insecure software like .NET

[FD] Executable installers are vulnerable^WEVIL (case 58): Intel® Processor Identification Utility - Windows* Version - arbitrary code execution with escalation of privilege

2020-01-31 Thread Stefan Kanthak
Windows Installer due to non-executable DLLs written in the %TEMP% directory! Timeline: = 2019-07-17 first vulnerability report sent to vendor 2019-07-18 Intel's PSIRT opens case #2208018370 2019-07-28 Intel's PSIRT confirms

[FD] [CVE-2019-20358] CVE-2019-9491 in Trend Micro Anti-Threat Toolkit (ATTK) was NOT properly FIXED

2020-01-31 Thread Stefan Kanthak
re.org/data/definitions/377.html>, <https://cwe.mitre.org/data/definitions/379.html> and <https://capec.mitre.org/data/definitions/29.html> stay tuned, and FAR AWAY from so-called security products: their "security" is typically worse than that of the products they claim

[FD] Defense in depth -- the Microsoft way (part 61): security features are built to fail (or documented wrong)

2020-01-31 Thread Stefan Kanthak
000135 alias STATUS_DLL_NOT_FOUND, which is the expected behaviour if /DEPENDENTLOADFLAG:0x800 would work as documented and limit the DLL search path to %SystemRoot%\System32\ stay tuned, and don't trust unverified or incomplete documentation Stefan Kanthak

[FD] Mozilla's MSI installers: FUBAR (that's spelled "fucked-up beyond all repair")

2019-07-09 Thread Stefan Kanthak
ser account, who can tamper with the extracted files in any way, then runs (here: tries to run) the extracted "%TEMP%\7zS<8 hex digits>\setup.exe" elevated. stay tuned, and FAR away from Mozilla's crap! Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 60): same old sins and incompetence!

2019-02-26 Thread Stefan Kanthak
etup, every UNPRIVILEGED (non-elevated) program running under this account can write to %TEMP%\IXP000.tmp, for example a rogue MSI.dll, and exercise again an "escalation of privilege". GAME OVER, third time! stay tuned (and far away from so-called "security solutions") Stefan Ka

[FD] Defense in depth -- the Microsoft way (part 59): we only fix every other vulnerability

2019-01-18 Thread Stefan Kanthak
printed output. 8. run the command lines to register VBE7.dll, MSOSIP.DLL and MSOSIPX.dll: notice the message boxes displayed from the previously built DLLs! REGSVR32.exe "%ProgramFiles%\vbe7.dll" REGSVR32.exe "%ProgramFiles%\msosip.dll" REGSVR32.exe "%Pro

[FD] Escalation of privilege with Intel Rapid Storage User Interface

2018-11-20 Thread Stefan Kanthak
ctice STRICT privilege separation: use your privileged "Administrator" account (especially the account created during Windows setup) ONLY for administrative tasks, and COMPLETELY separate unprivileged user accounts, with elevation requests DISABLED, for your everyda

[FD] [CVE-2018-3635] Executable installers are vulnerable^WEVIL (case 59): arbitrary code execution WITH escalation of privilege via Intel Rapid Storage Technology User Interface and Driver

2018-11-16 Thread Stefan Kanthak
~ 1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning "deny execution of files in this directory for everyone, inheritable to all subdirectories" to the (user's) %TEMP% directory. NOTE: this does NOT need administrative privileges! 2

[FD] Executable installers are vulnerable^WEVIL (case 57): arbitrary code execution WITH escalation of privilege via Intel Extreme Tuning Utility

2018-09-28 Thread Stefan Kanthak
irectories" to the (user's) %TEMP% directory. NOTE: this does NOT need administrative privileges! 2. execute XTU-Setup.exe: notice the message box displaying the failure of the installation about 3/4 way through. STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE! stay tuned Stefan

[FD] Defense in depth -- the Microsoft way (part 57): installation of security updates fails on Windows Embedded POSReady 2009

2018-09-04 Thread Stefan Kanthak
. 01.09.2018 23:18 .. 01.09.2018 23:18 SP3QFE 01.09.2018 23:18 update 01.02.2018 23:28 18.808 spmsg.dll 01.02.2018 23:28 234.872 spuninst.exe

[FD] Defense in depth -- the Microsoft way (part 57): all the latest MSVCRT installers allow escalation of privilege

2018-08-21 Thread Stefan Kanthak
ied by the second batch script, executing their entry point routines with ELEVATED rights: GAME OVER! Mitigation: ~~~ * DON'T use executable installers! * NEVER run executable installers in unsafe environments! Fix: * DUMP executable installers, use *.MSI or *.INF plus *.CAB! stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 56): arbitrary code execution WITH escalation of privilege via rufus*.exe

2018-08-03 Thread Stefan Kanthak
mplete failure of this crap. Demonstration/proof of concept #2c: --- 1. Add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to files in subdirectories" to the current working d

[FD] Executable installers are vulnerable^WEVIL (case 55): escalation of privilege with VMware Player 12.5.9

2018-08-03 Thread Stefan Kanthak
(especially the account created during Windows setup) ONLY for administrative tasks, and COMPLETELY separate unprivileged user accounts, with elevation requests DISABLED, for your daily/regular work. stay tuned Stefan Kanthak PS: also see <http://seclists.org/bugtraq/2018/Aug/0>

[FD] CVE-2016-7085 NOT fixed in VMware-player-12.5.9-7535481.exe

2018-08-03 Thread Stefan Kanthak
a minefield of 32-bit forwarder DLLs in your "Downloads" directory; 2. download <https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>, and save it in your "Downloads" directory; 3. execute VMware-player-12.5.9-7535481.exe:

[FD] Defense in depth -- the Microsoft way (part 55): new software built with 5.5 year old tool shows 20+ year old vulnerabilities

2018-07-20 Thread Stefan Kanthak
"%USERPROFILE%\Downloads\" or "%TEMP%\" 3. Exercise STRICT privilege separation: use your privileged "Administrator" account (especially the account created during Windows setup) only for administrative tasks, and a COMPLETELY separate unprivileged "standard user" account for your own tasks. stay tuned Stefan Kanthak

[FD] [CVE-2018-3667, CVE-2018-3668] Escalation of privilege via executable installer of Intel Processor Diagnostic Tool

2018-07-06 Thread Stefan Kanthak
fy their fully qualified pathname! Mitigations: 1. DON'T execute executable self-extractors. 2. NEVER execute executable self-extractors with administrative privileges. 3. extract the payload of the self-extractor with a SAFE and SECURE unzip.exe into a properly protected d

[FD] [ADV170017] Defense in depth -- the Microsoft way (part 54): escalation of privilege during installation of Microsoft Office 20xy

2018-05-08 Thread Stefan Kanthak
(via <http://www.office.com/backup>) from <https://go.microsoft.com/fwlink/p/?LinkID=403713> 3. notice the message boxes displayed from the DLLs saved in %TEMP%! stay tuned Stefan Kanthak PS: be sure to read <https://portal.msrc.microsoft.com/en-US/security-guidance/a

[FD] Defense in depth -- the Microsoft way (part 53): our MSRC doesn't know how Windows handles PATH

2018-04-13 Thread Stefan Kanthak
planting are treated as won't fix. OUCH! The MSRC also ignores the fact that CHDIR "" START is equivalent to adding "" in front of the PATH! JFTR: loading of DLLs from the CWD can be disabled via [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Ma

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-27 Thread Stefan Kanthak
> for my writeup of Skype's and Microsoft's epic failures in this case, including my reply to the false statements of Microsoft's Ellen Kilbourne. Stefan > On Tue, 20 Feb 2018 at 18:31, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> "Jeffrey Walton" <nol

[FD] Mozilla's executable installers: FUBAR (that's spelled "fucked-up beyond all repair")

2018-02-20 Thread Stefan Kanthak
g/data/definitions/379.html> Fix: Dump those FOREVER defective executable installers for Windows! Provide an .MSI, or an .INF script plus a .CAB. Windows has shipped for more than 22 years with SetupAPI which uses .INF scripts, and for about 18 years with the Micro

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-20 Thread Stefan Kanthak
"Jeffrey Walton" <noloa...@gmail.com> wrote: > On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: [ http://seclists.org/fulldisclosure/2018/Feb/33 ] > Not sure if this is related, but: > https://winbuzzer.com/2018/02/14/m

[FD] Defense in depth -- the Microsoft way (part 52): HTTP used to distribute (security) updates, not HTTPS

2018-02-14 Thread Stefan Kanthak
Despite numerous mails sent to <sec...@microsoft.com> in the last years, and numerous replies "we'll forward this to the product groups", nothing happens at all. stay tuned Stefan Kanthak [*] catalog.update.microsoft.com is redirected to catalog.update.microsoft.com/v7/site

[FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-09 Thread Stefan Kanthak
logs.technet.microsoft.com/srd/2014/05/13/load-library-safely/> ... which their own developers and their QA but seem to ignore! See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440> for the same vulnerability in another Microsoft product! stay tuned Stefan Kanthak Timeline:

[FD] Defense in depth -- the Microsoft way (part 50); Windows Update shoves unsafe crap as "important" updates to unsuspecting users

2018-02-06 Thread Stefan Kanthak
dword:0001 "BlockNetFramework461"=dword:0001 "BlockNetFramework462"=dword:0001 "BlockNetFramework47"=dword:0001 "BlockNetFramework471"=dword:0001 --- EOF --- To block earlier versions, see the MSKB articles <https://support.microsoft.com/

[FD] Defense in depth -- the Microsoft way (part 49): fun with application manifests

2018-01-30 Thread Stefan Kanthak
ERROR_SXS_CANT_GEN_ACTCTX Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any other valid XML encoding except UTF-8 yields the same result. stay tuned Stefan Kanthak

[FD] AMD's buddies for Intel's FDIV bug: _llrem and _ullrem yield wrong remainders!

2017-12-01 Thread Stefan Kanthak
this guide, available for example from <http://www.ii.uib.no/~osvik/amd_opt/22007k.pdf> or <https://en.wikichip.org/w/images/5/5f/AMD_Athlon_Processor_x86_Code_Optimization_Guide.pdf>, show this bug only in the _llrem routine! stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 54): escalation of privilege with PostgreSQL installers for Windows

2017-10-10 Thread Stefan Kanthak
F specification: | Import Directory Table ... | The import directory table consists of an array of import directory | entries, one entry for each DLL to which the image refers. Mitigations: ~~~~ * Don't build executable installers, they are almost always vulnerable! Create native inst

[FD] R.I.P. Kaspersky Privacy Cleaner: withdrawn due to multiple beginner's errors which allow escalation of privilege

2017-09-11 Thread Stefan Kanthak
uses the same insecure procedure ~ Once installed, Kaspersky Privacy Cleaner checks for updates just like CleanerSetup.exe via insecure channel, downloads them via insecure channel, performs no integrity checks, ... stay tuned Ste

[FD] Executable installers are vulnerable^WEVIL (case 53): escalation of privilege with QNAP's installers for Windows

2017-08-18 Thread Stefan Kanthak
ing "deny execution of files in this directory and all subdirectories" to the NTFS ACL of every %TEMP% directory! JFTR: when execution in %TEMP% is denied, the defective installer displays a dialog box with the blatant lie "QSync is running. Click [OK] to

[FD] Defense in depth -- the Microsoft way (part 48): privilege escalation for dummies -- they didn't make SUCH a stupid blunder?

2017-07-07 Thread Stefan Kanthak
processes-with-uac-on-windows-vista-sp1/ > <https://blogs.msdn.microsoft.com/cjacks/2008/07/22/per-user-com-registrations-and-elevated-processes-with-uac-on-windows-vista-sp1-part-2-ole-automation/> Mitigations: ~~~~ * dump .NET Framework and all applications that use it! * dump UAC! *

[FD] [CVE-2017-5688] Executable installers are vulnerable^WEVIL (case 52): Intel installation framework allows arbitrary code execution with escalation of privilege

2017-06-02 Thread Stefan Kanthak
/sentinel.html>, then download <https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL> and save it in an arbitrary directory; 2. save the following batch script in the same directory: --- IIF.CMD --- :WAIT @If Not Exist "%TEMP%\IIF.tmp"

[FD] Executable installers are vulnerable^WEVIL (case 51): escalation of privilege with Microsoft's Azure Recovery Services Agent

2017-05-30 Thread Stefan Kanthak
ecurity/2269637> and <https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx> * also see <https://skanthak.homepage.t-online.de/verifier.html> and <https://skanthak.homepage.t-online.de/!execute.html> stay tuned Stefan Kanthak Timeline: ~ 2017-05-1

[FD] Executable installers are vulnerable^Wdefective^WEVIL (case 49): xampp-win32-7.1.1-0-VC14-installer.exe allows escalation of privilege

2017-05-05 Thread Stefan Kanthak
port Directory Table ... | The import directory table consists of an array of import directory | entries, one entry for each DLL to which the image refers. Mitigations: * Don't build executable installers, they are almost always vulnerable! Create native installation packages

[FD] Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution

2017-04-07 Thread Stefan Kanthak
" in the NTFS file system: allow execution only below %SystemRoot% and %ProgramFiles% and deny it everywhere else. See <http://mechbgon.com/srp/index.html> or <http://home.arcor.de/skanthak/SAFER.html> alias <https://skanthak.homepage.t-online.de/SAFER.html> f

Re: [FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

2017-03-28 Thread Stefan Kanthak
.html>, read it and get the prebuilt DLLs plus their .INF setup script, packaged in a .CAB archive. enjoy Stefan Kanthak

[FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

2017-03-24 Thread Stefan Kanthak
} // the return value is only used for PROCESS_CREATION_QUERY, // all other conditions are ignored return ntStatus; } --- EOF --- stay tuned Stefan Kanthak Timeline: ~ 2017-03-10 sent vulnerability report to vendor 2017-03-10 reply from vendor: MSRC case 37727 opened 20

[FD] Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"

2017-03-24 Thread Stefan Kanthak
an "Application Verifier Provider" which performs the missing checks. stay tuned Stefan Kanthak [°] introduced with Windows XP some 16 years ago, available via <https://www.microsoft.com/en-us/download/details.aspx?id=20028> as stand-alone package then, later distributed

[FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe

2017-03-06 Thread Stefan Kanthak
the VERSIONINFO resource is 0x, despite the English-only strings "This installation was built with Inno Setup." in "Comments", "Inno Setup Setup" in "FileDescription" etc. 7. the timestamp in the PE header of innosetup-5.5.9.exe is 0x2A425E19, which

[FD] Executable installers are defective^WEVIL (case 1): putty-0.68-installer.exe

2017-03-05 Thread Stefan Kanthak
"This installation was built with Inno Setup." in "Comments", "PuTTY Setup" in "FileDescription" and "Release 0.68" in "FileVersion". 7. the timestamp in the PE header of putty-0.68-installer.exe is 0x2A425E19, which is "

[FD] "long" filenames mishandled by Fujitsu's ScanSnap software

2017-02-16 Thread Stefan Kanthak
n.microsoft.com/en-us/library/ms682425.aspx#Security_Remarks> JFTR: Microsoft introduced "long" filenames more than 20 years ago. Stay away from the crapware shipped with Fujitsu's scanners! stay tuned Stefan Kanthak Timeline: ~ 2017-01-28 vulnerability report sent to vendor

[FD] Executable installers are vulnerable^WEVIL (case 47): Heimdal Security's SetupLauncher vulnerable to DLL hijacking

2017-01-31 Thread Stefan Kanthak
ml> or <http://home.arcor.de/skanthak/SAFER.html> alias <https://skanthak.homepage.t-online.de/SAFER.html> for more information. * Stay FAR away from so-called "security" products! See (for example) <http://robert.ocallahan.org/2017/01/disable-your-antivirus-software

Re: [FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

2017-01-24 Thread Stefan Kanthak
arcor.de/skanthak/verifier.html> alias <https://skanthak.homepage.t-online.de/verifier.html> JFTR: <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> was referred to in <http://seclists.org/bugtraq/2016/Jan/105> In short: setup.exe lets Windows load some app-compat shims.

[FD] Executable installers are vulnerable^WEVIL (case 46): Pelles C allows arbitrary code execution

2017-01-22 Thread Stefan Kanthak
information. * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories"

[FD] Executable installers are vulnerable^WEVIL (case 44): SoftMaker's FlexiPDF installers allow escalation of privilege

2017-01-15 Thread Stefan Kanthak
during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of

[FD] Executable installers are vulnerable^WEVIL (case 45): ReadPDF's installers allow escalation of privilege

2017-01-03 Thread Stefan Kanthak
TinyPDF /r LPT3: (see <https://technet.microsoft.com/en-us/library/ee624057.aspx>) * DISM.exe /Image: /Add-Driver /Driver:"\TINYPDF.INF" ... (see <https://technet.microsoft.com/en-us/library/dd744355.aspx>) * DPInst.exe ... which I but DON'T recommend! (see <https://msdn

[FD] Executable installers are vulnerable^WEVIL (case 43): SoftMaker's Office service pack installers allow escalation of privilege

2017-01-03 Thread Stefan Kanthak
ted during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny executi

[FD] Executable installers are vulnerable^WEVIL (case 42): SoftMaker's FreeOffice installer allows escalation of privilege

2016-12-29 Thread Stefan Kanthak
OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody

2016-11-18 Thread Stefan Kanthak
ry" (which is writable for everyone) too. And one more: 6. the OpenSSL libraries shipped are from version 1.0.2d and have multiple vulnerabilities which have been fixed in version 1.0.2j. stay tuned Stefan Kanthak Timeline: ~ 2016-08-29 vulnerability report sent to vendor

[FD] Defense in depth -- the Microsoft way (part 45): filesystem redirection fails to redirect the application directory

2016-10-20 Thread Stefan Kanthak
bit forwarder DLLs are loaded in the 64-bit process and that their exports/forwards are processed properly! Their DllMain() entry points are but NOT called (if they were you'd see some message boxes)! stay tuned Stefan Kanthak PS: the test whether 64-bit forwarder DLLs placed in %windir% are

[FD] Defense in depth -- the Microsoft way (part 44): complete failure of Windows Update

2016-10-19 Thread Stefan Kanthak
84 860 dec Setup SelfUpdate handler update NOT required: Current version: 7.6.7600.320, required version: 7.6.7600.320 See <http://home.arcor.de/skanthak/slipstream.html> for instructions for a fix and some more information! stay tuned Stefan Kanthak [°] since this happens during the

[FD] Defense in depth -- the Microsoft way (part 43): restricting the DLL load order fails

2016-09-08 Thread Stefan Kanthak
rol\Session Manager\KnownDLLs] "Version"="Version.Dll" * embed the following "application manifest" in your executables: CAVEAT: the loadFrom attribute of the file element is not documented! stay tuned Stefan Kanthak Timeline: ~ 2016-09-0

[FD] Executable installers are vulnerable^WEVIL (case 40): Avira's full package installers allow escalation of privilege

2016-08-31 Thread Stefan Kanthak
sage boxes displayed from the DLLs and EXE placed in "%TEMP%\RarSFX0\" by POC.CMD PWNED! Mitigations: * Don't use executable installers! NEVER! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP;;;WD)" to

[FD] Executable installers are vulnerable^WEVIL (case 39): MalwareBytes' "junkware removal tool" allows escalation of privilege

2016-08-16 Thread Stefan Kanthak
sage boxes displayed from the *.COM. PWNED! Mitigations: * Don't use executable installers! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.mic

[FD] Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP%

2016-08-12 Thread Stefan Kanthak
(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak [*]

[FD] Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking

2016-07-25 Thread Stefan Kanthak
to your own host with UNC paths to any host reachable from your network where you placed some malicious DLLs to get pwned instead. 5. Execute the downloaded installers. PWNED! 6. Add the element from poc#5 to achieve remote code execution with (user-assisted) escalation of privilege. 7. Execute the downloaded installers. PWNED²! stay tuned Stefan Kanthak

[FD] [CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers

2016-07-12 Thread Stefan Kanthak
ey load(ed) and execute(d) later with elevated privileges. An unprivileged user can/could overwrite both files between creation and execution and gain elevation of privilege. See <https://cwe.mitre.org/data/definitions/379.html> for this type of well-known and well-documented vulnerability! s

[FD] Executable installers are vulnerable^WEVIL (case 34): Microsoft's vs-community-*.exe susceptible to DLL hijacking

2016-07-06 Thread Stefan Kanthak
brary/security/MS16-041> and <https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html> for a similar vulnerability. stay tuned Stefan Kanthak Timeline: ~ 2016-06-01 sent vulnerability report to vendor plus US-CERT

[FD] [CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player

2016-06-18 Thread Stefan Kanthak
web site and save them in your "Downloads" directory; 3. run the (un)installers downloaded in step 2 and notice the message boxes displayed from the DLLs placed in step 1. PWNED! JFTR: since the (un)installers are 32-bit programs and (un)install both the 32-bit and 64-bit versio

[FD] [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers

2016-06-15 Thread Stefan Kanthak
nerable executable installers! PWNED! Mitigation(s): ~~ 0. don't use executable installers. DUMP THEM, NOW! 1. see <http://home.arcor.de/skanthak/!execute.html> as well as <http://home.arcor.de/skanthak/SAFER.html>. 2. stay away from Mozilla's vulnerable instal

[FD] Defense in depth -- the Microsoft way (part 40): seven+ year old "blended" threat still alive and kicking

2016-06-01 Thread Stefan Kanthak
ain! NOT! Mitigation(s): ~~ Deny execution in the "%USERPROFILE%" of every user plus "%ALLUSERSPROFILE%" alias "%ProgramData%" * via the inheritable NTFS ACE (D;OIIO;WP;;;WD) meaning "deny execution of files in this directory and below for everyo

[FD] Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream

2016-05-03 Thread Stefan Kanthak
ns of this vulnerable executable installer for Firefox and Firefox ESR. See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> why you should NEVER name any executable (installer) setup.exe! stay tuned Stefan Kanthak PS: Mozilla fixed the same vulnerabilities in their executable self-

[FD] Executable installers are vulnerable^WEVIL (case 33): GData's installers allow escalation of privilege

2016-04-20 Thread Stefan Kanthak
lp ntmarta ntshrui cscapi slc windowscodecs apphelp mpr userenv schannel credssp secur32 gpapi samcli) Do MkLink /H "%TEMP%\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}\%%!.dll" "%~dpn0.dll" --- EOF --- 4. run the batch script per double-click: it starts the downloaded

Re: [FD] Windows Mail Find People DLL side loading vulnerability

2016-03-09 Thread Stefan Kanthak
"Securify B.V." wrote: > > Windows Mail Find People DLL side loading vulnerability > > Yorick Koster, September 2015 [...] > - CVE-2016-0100 > -

[FD] Executable installers are vulnerable^WEVIL (case 29): putty-0.66-installer.exe allows arbitrary (remote) code execution WITH escalation of privilege

2016-03-04 Thread Stefan Kanthak
<http://seclists.org/fulldisclosure/2015/Dec/32> plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error! stay tuned Stefan Kanthak Timeline: ~ 2015-12-24 se

[FD] Executable installers are vulnerable^WEVIL (case 4): InstallShield's wrapper and setup.exe

2016-02-25 Thread Stefan Kanthak
": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_wh

[FD] Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege

2016-02-25 Thread Stefan Kanthak
tp://seclists.org/fulldisclosure/2015/Dec/33> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S err

[FD] [CVE-2016-0602, CVE-2016-0603] Executable installers are vulnerable^WEVIL (case 24): Oracle Java 6/7/8 SE and VirtualBox

2016-02-10 Thread Stefan Kanthak
ork/topics/security/cpujan2016-2367955.html> stay tuned Stefan Kanthak ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege

2016-02-10 Thread Stefan Kanthak
ution of the DLLs therefore results in an escalation of privilege! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://seclists.org/fulldisclosure/2015/Dec/121> for more details. RARLabs publ

[FD] Executable installers are vulnerable^WEVIL (case 23): WinImage's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege

2016-02-04 Thread Stefan Kanthak
rary/ms682586.aspx> plus <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>: | To ensure secure loading of libraries | * Use proper DLL search order. | * Always specify the fully qualified path when the library location is ~~ | constant. regards Stefan K

[FD] [CVE-2016-0014] Executable installers are vulnerable^WEVIL (case 1): Microsoft's IExpress resp. WExtract, SFXCab, BoxStub, ...

2016-01-15 Thread Stefan Kanthak
" alias %ProgramData%" and "%PUBLIC%": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_file

Re: [FD] Executable installers are vulnerable^WEVIL (case 20): TrueCrypt's installers allow arbitrary (remote) code execution and escalation of privilege

2016-01-15 Thread Stefan Kanthak
"Michel Arboi" <michel.ar...@gmail.com> wrote: > On 11 January 2016 at 15:37, Stefan Kanthak <stefan.kant...@nexgo.de> wrote: >> Which but does not mean/imply that everybody abandons TrueCrypt. > > The project has been abruptly killed by the developers wit

[FD] Defense in depth -- the Microsoft way (part 38): does Microsoft follow their own security guidance/advisories?

2016-01-15 Thread Stefan Kanthak
Mitigation: ~~~ use SAFER alias Software Restriction Policies and deny execution everywhere except %SystemRoot% and below and %ProgramFiles% and below. See <http://home.arcor.de/skanthak/SAFER.html> and/or <http://mechbgon.com/srp/index.html> for ins

Re: [FD] Executable installers are vulnerable^WEVIL (case 20): TrueCrypt's installers allow arbitrary (remote) code execution and escalation of privilege

2016-01-11 Thread Stefan Kanthak
"Sarah Allen" wrote: > TrueCrypt ceased development back in 2014. Which but does not mean/imply that everybody abandons TrueCrypt. > Please refer to the below link to migrate to an alternative > (BitLocker) from TrueCrypt. > http://truecrypt.sourceforge.net/ STOP

[FD] Executable installers are vulnerable^WEVIL (case 20): TrueCrypt's installers allow arbitrary (remote) code execution and escalation of privilege

2016-01-08 Thread Stefan Kanthak
ure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/121> plus <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details and why executable

[FD] Executable installers/self-extractors are vulnerable^WEVIL (case 17): Kaspersky Labs utilities

2016-01-05 Thread Stefan Kanthak
d be dumped. Kaspersky Lab published a security advisory 2015-12-23 <https://support.kaspersky.com/vulnerability.aspx?el=12430#231215> after they made updated versions of their utilities available on <https://support.kaspersky.com/viruses/utility> stay tuned Stefan Kanthak

Re: [FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-31 Thread Stefan Kanthak
() with <https://support.microsoft.com/en-us/kb/2533623> which but seems largely unknown to almost all developers of executable installers and self-extractors. JFTR: until now I only found one executable installer that was not susceptible to DLL hijacking. It but uses an unsafe temp

[FD] Executable installers are vulnerable^WEVIL (case 16): Trend Micro's installers allow arbitrary (remote) code execution

2015-12-31 Thread Stefan Kanthak
rom step 1 into "%TEMP%\Agent", then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll and OLEAcc.dll there; 7. execute "%TEMP%\Agent\TisEZIns.exe"; 8. notice the message boxes displayed from

Re: [FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-26 Thread Stefan Kanthak
"Shawn McMahon" <sybergh...@gmail.com> wrote: > On Wed, Dec 23, 2015 at 7:13 AM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> Hi @ll, >> >> F-Secure's online virus scanner F-SecureOnlineScanner.exe, available >> via <https://www

[FD] Executable installers are vulnerable^WEVIL (case 15): F-SecureOnlineScanner.exe allows arbitrary (remote) code execution and escalation of privilege

2015-12-23 Thread Stefan Kanthak
ed a security advisory <https://www.f-secure.com/en/web/labs_global/fsc-2015-4> and made an updated version of their online scanner available on <https://www.f-secure.com/en/web/home_global/online-scanner> CAVEAT: F-Secure's fix works only on Windows Vista and newer versions; th

[FD] Executable installers are vulnerable^WEVIL (case 13): ESET NOD32 antivirus installer allows remote code execution with escalation of privilege

2015-12-21 Thread Stefan Kanthak
<http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.google.de/books?isbn=1437914926>

[FD] Executable uninstallers are vulnerable^WEVIL (case 12): Avira Registry Cleaner allows arbitrary code execution with escalation of privilege

2015-12-17 Thread Stefan Kanthak
ownloads" directory; 4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll and/or RichEd20.dll placed in step 1. stay tuned Stefan Kanthak Timeline: ~ 2015-11-15 vulnerability report sent to vendor 2015-11-16 vendor acknowledges receipt 2015-11-17 vend

[FD] Executable installers are vulnerable^WEVIL (case 11): Nmap <7.01 and Nmap-WinPcap <4.13

2015-12-16 Thread Stefan Kanthak
disclosure/2015/Nov/101> titled Mitigations for "carpet bombing" alias "directory poisoning" attacks against executable installers. Nmap-7.01 and WinPcap-Nmap-4.13 have been released and fix these vulnerabilities. stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 10): McAfee Security Scan Plus, WebAdvisor and CloudAV (Beta)

2015-12-16 Thread Stefan Kanthak
bilities see Intel's Security Bulletin published today: <https://service.mcafee.com/FAQDocument.aspx?lc=1033=TS102462> stay tuned Stefan Kanthak

[FD] Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege

2015-12-09 Thread Stefan Kanthak
directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.

[FD] Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup

2015-12-09 Thread Stefan Kanthak
home.arcor.de/skanthak/safer.html> and/or <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf> or <https://books.google.de/books?isbn=1437914926> and finally

[FD] Executable installers are vulnerable^WEVIL (case 9): Chrome's setup.exe allows arbitrary code execution and escalation of privilege

2015-12-09 Thread Stefan Kanthak
": Windows doesn't place executables in these directories and beyond. See <http://home.arcor.de/skanthak/safer.html> as well as <http://mechbgon.com/srp/> plus <http://csrc.nist.gov/itsec/SP800-68r1.pdf>, <https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

[FD] Defense in depth -- the Microsoft way (part 36): CWE-428 or fun with unquoted paths

2015-11-15 Thread Stefan Kanthak
xe" name | "c:\program files\sub dir\program name.exe" Neither the 4 other possibilities: "C:\Program" files\sub dir\program name "C:\Program files\sub" dir\program name "C:\Program files\sub dir\program" name "

[FD] Mozilla extensions: a security nightmare (part 2)

2015-10-13 Thread Stefan Kanthak
extracting installers which unpack their payload to %TEMP%; but these are flawed per concept too! If you need to support such crap, consider to remove the USER environment variables %TEMP% and %TMP% of the administrator account. The administrat

Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-10 Thread Stefan Kanthak
"Shawn McMahon" sybergh...@gmail.com wrote: > On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kant...@nexgo.de> > wrote: > >> >> That's why giving unsuspecting users *.EXE to install a software package >> or to unpack an archive and thus train
