Avira Registry Cleaner DLL Hijacking

2015-12-18T00:00:00
ID PACKETSTORM:134979
Type packetstorm
Reporter Stefan Kanthak
Modified 2015-12-18T00:00:00

Description

                                        
                                            `Hi @ll,  
  
avira_registry_cleaner_en.exe, available from  
<https://www.avira.com/en/download/product/avira-registry-cleaner>  
to clean up remnants the uninstallers of their snakeoil products  
fail to remove, is vulnerable: it loads and executes WTSAPI32.dll,  
UXTheme.dll and RichEd20.dll from its application directory  
(tested and verified under Windows XP SP3 and Windows 7 SP1).  
  
  
For software downloaded with a web browser this is typically the  
"Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134>  
  
Additionally see  
<https://blogs.msdn.microsoft.com/oldnewthing/20101111-00/?p=12303>:  
the above named DLLs are delay-loaded.  
You had been warned, kids!  
  
  
Due to the application manifest embedded in the executable which  
specifies "requireAdministrator" Windows' "user account control"  
runs it with administrative privileges ("protected" administrators  
are prompted for consent, unprivileged standard users are prompted  
for an administrator password); execution of WTSAPI32.dll, UXTheme.dll  
and/or RichEd20.dll thus results in an escalation of privilege!  
  
If WTSAPI32.dll, UXTheme.dll or RichEd20.dll gets planted in the  
users "Downloads" directory per "drive-by download" this  
vulnerability becomes a remote code execution WITH escalation of  
privilege.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save  
it as WTSAPI32.dll in your "Downloads" directory, then copy it  
as UXTheme.dll and RichEd20.dll;  
  
2. download avira_registry_cleaner_en.exe from  
<https://www.avira.com/en/download/product/avira-registry-cleaner>  
and save it in your "Downloads" directory;  
  
3. execute avira_registry_cleaner_en.exe from your "Downloads"  
directory;  
  
4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll  
and/or RichEd20.dll placed in step 1.  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2015-11-15 vulnerability report sent to vendor  
  
2015-11-16 vendor acknowledges receipt  
  
2015-11-17 vendor verifies vulnerability report and anounces to  
publish a fix within two weeks  
  
2015-11-18 asked vendor to request a CVE identifier and check  
their other executable (un)installers too  
  
2015-11-19 vendor replies:  
"We updated our compiler and its runtime to a version  
which should mitigate the attack vector and modified  
the DLL load order"  
  
2015-12-08 notification from vendor:  
"We released a fixed version today"  
  
2015-12-08 your "fixed" cleaner still loads the named DLLs  
  
2015-12-09 response from vendor, asking how I verified execution  
of UXTheme.dll, with screenshot of "Process Monitor"  
showing the tell-tale line  
"C:\Users\...\Downloads\CRYPTBASE.dll NAME NOT FOUND"  
  
2015-12-09 see <http://seclists.org/fulldisclosure/2015/Nov/101>  
  
sent SAFER.log produced on Windows XP and Windows 7 to  
vendor; also told them to look at the screenshot!  
  
2015-12-17 response from vendor:  
"We don't see a vulnerability in the attempt to load  
CRYPTBASE.dll from the application directory as shown  
by Process Monitor. We think we fixed the reported  
vulnerabilities and will not provide another fix."  
  
OUCH!  
I really LOVE snakeoil vendors who DON'T care about the safety and  
security of their customers.  
  
2015-12-18 report published  
`