WinImage DLL Hijacking

`Hi @ll,  
  
the executable installer winima90.exe and previous versions  
available from <http://www.winimage.com> loads and executes  
CRTdll.dll, UXTheme.dll, RichEd32.dll and WindowsCodecs.dll  
from its "application directory".  
  
Self-extracting executables created with WinImage load and  
execute CRTdll.dll, UXTheme.dll and MPR.dll from their  
"application directory".  
  
  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for  
"prior art" about this well-known and well-documented vulnerability.  
  
  
If an attacker places the DLLs named above in the users  
"Downloads" directory (for example per drive-by download or  
social engineering) this vulnerability becomes a remote code  
execution.  
  
Due to the application manifest embedded in the executable  
installer which specifies "requireAdministrator" it is run  
with administrative privileges ("protected" administrators  
are prompted for consent, unprivileged standard users are  
prompted for an administrator password); execution of the  
DLLs therefore results in an escalation of privilege!  
  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101>  
and <http://seclists.org/fulldisclosure/2015/Dec/86>  
plus <http://seclists.org/fulldisclosure/2015/Dec/121>  
  
  
Proof of concept (verified on Windows XP, Windows Vista, Windows 7,  
Windows Server 2008 [R2]; should work on newer versions too):  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save  
it as UXTheme.dll in your "Downloads" directory, then copy it  
as RichEd32.dll, WindowsCodecs.dll and MPR.dll;  
  
2. download winima90.exe and save it in your "Downloads"  
directory;  
  
3. run winima90.exe (or a self-extractor created with WinImage)  
from the "Downloads" directory;  
  
4. notice the message boxes displayed from the DLLs placed in  
step 1.  
  
PWNED!  
  
  
5. copy the downloaded UXTheme.dll as CRTdll.dll;  
  
6. rerun winima90.exe or a self-extractor from the "Downloads"  
directory.  
  
DOSSED!  
  
  
This denial of service can easily be turned into an arbitrary code  
execution: just create a CRTdll.dll which exports all the symbols  
referenced by winima90.exe or the self-extractors and place it in  
the "Downloads" directory.  
  
  
For this well-known (trivial, easy to avoid, easy to detect and  
easy to fix) beginner's error see  
<https://capec.mitre.org/data/definitions/471.html>,  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:  
  
| To ensure secure loading of libraries  
| * Use proper DLL search order.  
| * Always specify the fully qualified path when the library location is  
~~~~~~  
| constant.  
  
  
regards  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2016-01-12 report sent to vendor  
  
NO ANSWER, not even an acknowledgement of receipt  
  
2016-01-21 report resent to vendor  
  
NO ANSWER, not even an acknowledgement of receipt  
  
2016-01-30 report published  
`