Lucene search
K

AutoIT 3 DLL Hijacking

🗓️ 17 May 2016 00:00:00Reported by rugkType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 53 Views

AutoIT 3 DLL Hijacking affecting installers and AutoIt3.exe on Windows

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Vulnerability in IBM Java SDK affects IBM Decision Optimization Center (CVE-2016-0603)
16 Jun 201813:39
ibm
IBM Security Bulletins
Security Bulletin: A security vulnerability has been identified in IBM Tivoli Monitoring shipped with IBM Systems Director Editions(CVE-2016-0603)
18 Jun 201801:30
ibm
IBM Security Bulletins
Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603)
18 Jun 201800:32
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in IBM Java SDK affects IBM Fabric Manager (CVE-2016-0603)
31 Jan 201902:25
ibm
IBM Security Bulletins
Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Content Classification (CVE-2016-0494, CVE-2016-0466 and CVE-2016-0603)
17 Jun 201812:14
ibm
IBM Security Bulletins
Security Bulletin: A security vulnerability has been identified in IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise (CVE-2016-0603)
17 Jun 201822:33
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2016-0603)
16 Jun 201813:39
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web 7.0 software (CVE-2016-0603)
16 Jun 201821:40
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in IBM Java Runtime affect Rational Host On-Demand (CVE-2016-0603)
3 Aug 201804:23
ibm
IBM Security Bulletins
Security Bulletin: Current releases of the IBM® SDK, Java™ Technology Edition are affected by CVE-2016-0603
15 Jun 201807:05
ibm
Rows per page
`Hi,  
You probably heart about the Java issue which affected their installer. (http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html)  
However this issue also affects multiple other installers as a security researcher has shown. (https://packetstormsecurity.com/files/author/6137/) It is called DLL Hijacking. I've copied a few general statements from there as they also apply to this issue.  
  
Note I only tested this on Windows 7 32bit.  
All files were downloaded on 2016-02-15.  
  
So I just tried and tested the AutoIt Installer and the AutoIt3.exe. Here are my results.  
  
The latest AutoId3 Installer autoit-v3-setup.exe loads and executes (at least) these DLLs when they are placed in the application directory (which is usually the download folder):  
* VERSION.dll  
* CRYPTBASE.dll  
* SHFOLDER.DLL  
* ntmarta.dll  
* dwmapi.dll  
* SspiCli.dll  
* RichEd20.DLL  
  
Additional these files are copied to the temp directory:  
* %Temp%\nsm<4digits>.tmp\UserInfo.dll  
* %Temp%\nsm<4digits>.tmp\InstallOptions.dll  
* %Temp%\nsm<4digits>.tmp\UserInfo.dll  
* %Temp%\nsm<4digits>.tmp\System.dll  
  
Steps to reproduce:  
Here I just use on DLL as an example.  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store  
it as SHFOLDER.dll in your "Downloads" directory;  
  
2. download autoit-v3-setup.exe and store it in  
your "Downloads" directory;  
  
3. run autoit-v3-setup.exe from your "Downloads"  
directory;  
  
4. notice the message boxes displayed from the DLLs placed in step 1.  
  
As you seem to use NSIS, please notice this: https://packetstormsecurity.com/files/134693/NSIS-DLL-Hijack.html  
  
What's more I also tested the AutoIt3.exe. As you seem to advertise this as a stand-alone application it may also be installed in a non-safe directory (where users without admin rights can write files to) and therefore it may be (mis)used with malicious DLLs. Additionally all executable files created with Aut2exe.exe are vulnerable as they also use this executable.  
Note that in my test I only started the AutoIt3.exe and let it run until it shows the "open file" dialog. At this point I cancelled the process, so I did not load any AU3 scripts.  
This is a list of all DLLs which are loaded and executed by AutoIt3 from the application directory:  
* WSOCK32.dll  
* VERSION.dll  
* WINMM.dll  
* MPR.dll  
* IPHLPAPI.DLL  
* WINNSI.DLL  
* UxTheme.dll  
* CRYPTBASE.dll  
* dwmapi.dll  
* WindowsCodecs.dll  
* apphelp.dll  
* CSCAPI.dll  
* srvcli.dll  
* slc.dll  
* MsftEdit.dll  
* msls31.dll  
* ntmarta.dll  
* XmlLite.dll  
* LINKINFO.dll  
* CRYPTSP.dll  
* RpcRtRemote.dll  
* SSPICLI.DLL  
* SHDOCVW.dll  
* ieframe.DLL  
* netutils.dll  
  
For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability.  
  
If an attacker places the DLLs named above in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution.  
  
Due to the application manifest embedded in the installers which specifies "requireAdministrator" the executable installer is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege!  
Additionally AU3 scripts can also requests administration rights and in this case they may also be used for a privilege escalation.  
  
More information about this issue can be found on this sites:  
* https://capec.mitre.org/data/definitions/471.html  
* https://technet.microsoft.com/en-us/library/2269637.aspx  
* https://msdn.microsoft.com/en-us/library/ff919712.aspx  
* https://msdn.microsoft.com/en-us/library/ms682586.aspx  
* http://seclists.org/fulldisclosure/2015/Nov/101  
  
Best regards,  
<privat>  
  
----  
Timeline:  
  
* 2016-02-16: send (no reply)  
* 2016-03-29: reminder send; made aware of public disclosure at the 2016-05-16.  
* 2015-05-16: report published  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 May 2016 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.04066
53