ClamWin 0.99 DLL Hijacking

2016.03.08

Credit: Stefan Kanthak

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Hi @ll,
the executable installer clamwin-0.99-setup.exe (available from
<http://www.clamwin.com/download>) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".
For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.
If an attacker places one of the above named DLL in the user's
"Downloads" directory (for example per "drive-by download"
or "social engineering") this vulnerability becomes a remote
code execution.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
as UXTheme.dll in your "Downloads" directory, then copy it as
DWMAPI.dll;
2. download clamwin-0.99-setup.exe and save it in your "Downloads"
directory;
3. execute clamwin-0.99-setup.exe from your "Downloads" directory;
4. notice the message boxes displayed from the DLLs placed in
step 1.
PWNED!
See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
stay tuned
Stefan Kanthak
PS: I really LOVE (security) software with such trivial beginner's
errors. It's a tell-tale sign to stay away from this snakeoil!
Timeline:
~~~~~~~~~
2016-03-06 sent vulnerability report to authors
<security@clamwin.com>: host aspmx.l.google.com[64.233.184.26] said: 550-5.1.1
The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
https://support.google.com/mail/answer/6596 y186si9894139wmy.43 - gsmtp (in
reply to RCPT TO command)
<clamwin@sf.net>: host mx.sourceforge.net[216.34.181.68] said: 550 unknown user
(in reply to RCPT TO command)
2016-03-06 report published

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ClamWin 0.99 DLL Hijacking

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.