Emsisoft Anti Malware DLL Hijacking

2016-01-07T00:00:00
ID PACKETSTORM:135159
Type packetstorm
Reporter Stefan Kanthak
Modified 2016-01-07T00:00:00

Description

Hi @ll,  
  
EmsisoftAntiMalwareSetup.exe as well as  
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and  
EmsisoftHiJackFreeSetup.exe load and execute UXTheme.dll (plus  
other DLLs like RichEd20.dll and RichEd32.dll) if these are found  
in the directory they are started from (the "application directory").  
  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"  
about this well-known and well-documented vulnerability.  
  
  
If one of the DLLs named above gets planted in the user's "Downloads"  
directory via a "drive-by download" or "social engineering", this  
vulnerability becomes a remote code execution.  
  
  
Because of the application manifest embedded in the executables, which  
specifies "requireAdministrator", or the installer detection of  
Windows' user account control (under Windows XP the installers  
themselves request to be started with administrative privileges),  
the installers run with administrative privileges ("protected"  
administrators are prompted for consent, unprivileged standard users  
are prompted for an administrator password); execution of any  
hijacked DLL therefore results in an escalation of privilege!  
  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101>,  
<http://seclists.org/fulldisclosure/2015/Dec/86> and  
<http://seclists.org/fulldisclosure/2015/Dec/121> plus  
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished  
<http://home.arcor.de/skanthak/!execute.html> for more details and why  
executable installers (and self-extractors too) are bad and should be  
dumped.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it  
as UXTheme.dll in your "Downloads" directory, then copy it as  
RichEd20.dll and RichEd32.dll;  
  
2. download EmsisoftAntiMalwareSetup.exe or  
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and  
EmsisoftHiJackFreeSetup.exe and save them in your "Downloads"  
directory;  
  
3. execute EmsisoftAntiMalwareSetup.exe or  
EmsisoftAntiMalwareXPSetup.exe, EmsisoftEmergencyKit.exe and  
EmsisoftHiJackFreeSetup.exe from your "Downloads" directory;  
  
4. notice the message boxes displayed from the DLLs placed in  
step 1.  
  
PWNED!  
  
  
Additionally the installers create unsafe temporary directories  
%TEMP%\is-*.tmp to unpack their payload and execute it from there.  
  
An unprivileged user can overwrite/modify these files between their  
extraction and execution, or copy UXTheme.dll plus MSImg32.dll (on  
Windows Vista and newer versions of Windows additionally Version.dll)  
into %TEMP%\is-*.tmp. These DLLs are loaded from the unpacked  
%TEMP%\is-*.tmp\Emsisoft*.tmp too.  
  
PWNED again.  
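Added example, not part of the advisory: a defender-side check that hunts for planted copies of the DLL names listed above, in the "Downloads" directory and in any %TEMP%\is-*.tmp unpack directory, and compares each hit against the System32 copy. It assumes the DLL names are those the advisory gives and that a legitimate copy never belongs in either location.

```powershell
# Added example (not the advisory's own code): find planted copies of the
# DLL names the advisory says these installers resolve from their
# application directory or from their %TEMP%\is-*.tmp unpack directories.
# Assumption: the names below are the ones the advisory lists; any copy in
# these locations is suspicious and is compared to the System32 original.

$PlantableDlls = 'UXTheme.dll', 'RichEd20.dll', 'RichEd32.dll', 'MSImg32.dll', 'Version.dll'

# Where a downloaded installer is typically started from, plus the
# unpack directories the advisory describes (none may exist right now).
$ScanDirs = @((Join-Path $env:USERPROFILE 'Downloads')) +
    (Get-ChildItem -Path $env:TEMP -Directory -Filter 'is-*.tmp' -ErrorAction SilentlyContinue).FullName

function Get-SystemDllHash {
    param([string]$Name)
    $p = Join-Path $env:SystemRoot "System32\$Name"
    if (Test-Path $p) { (Get-FileHash -Path $p -Algorithm SHA256).Hash } else { $null }
}

$findings = foreach ($dir in ($ScanDirs | Where-Object { $_ -and (Test-Path $_) })) {
    foreach ($name in $PlantableDlls) {
        $hit = Join-Path $dir $name
        if (-not (Test-Path $hit)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $hit
        $hash = (Get-FileHash -Path $hit -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path            = $hit
            SignatureStatus = $sig.Status      # 'Valid' only for a signed, untampered file
            Signer          = $sig.SignerCertificate.Subject
            MatchesSystem32 = ($hash -eq (Get-SystemDllHash $name))
        }
    }
}

if ($findings) {
    # A planted DLL normally shows SignatureStatus 'NotSigned' and MatchesSystem32 False;
    # remove it before running any installer from that directory.
    $findings | Format-Table -AutoSize
} else {
    "No copies of $($PlantableDlls -join ', ') found in $($ScanDirs -join '; ')"
}
```

Run it as the user who downloads software; the directories are resolved from that user's environment.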
  
  
stay tuned  
Stefan Kanthak  
  
  
PS: I really LOVE (security) software with such trivial beginner's  
errors. It's a tell-tale sign to stay away from such crapware!  
  
  
Timeline:  
~~~~~~~~~  
  
2015-12-19 three reports sent to vendor  
  
2015-12-21 vendor replies to one report:  
"we ignore your report since we don't offer  
EmsisoftHiJackFreeSetup.exe any more."  
  
2015-12-21 OUCH!  
<http://download2.emsisoft.com/EmsisoftHiJackFreeSetup.exe>  
  
NO ANSWER, not even an acknowledgement of receipt  
for the other two reports  
  
2015-12-29 reports resent to vendor  
  
NO ANSWER, not even an acknowledgement of receipt  
  
2016-01-07 report published  