Adobe Flash Player DLL Hijacking

`Hi @ll,  
  
the executable (un)installers for Flash Player before version  
22.0.0.192 and 18.0.0.360 (both released on 2016-06-15) are  
vulnerable to DLL hijacking: they load and execute multiple  
Windows system DLLs from their "application directory" instead  
of Windows' "system directory" %SystemRoot%\System32\.  
  
On Windows 7 and before they also (try to) load PCACli.dll and  
API-MS-Win-Downlevel-Shell32-l1-1-0.dll from the PATH:  
PCACli.Dll and API-MS-Win-Downlevel-Shell32-l1-1-0.dll are not  
present there, these DLLs were first shipped with Windows 8.  
  
On Windows XP and before they additionally try to load DWMAPI.dll,  
PropSys.dll, DevRtl.dll and RPCRTRemote.dll from the PATH: these  
DLLs were first shipped with Windows Vista.  
  
  
See <https://cwe.mitre.org/data/definitions/426.html>,  
<https://cwe.mitre.org/data/definitions/427.html> and  
<https://capec.mitre.org/data/definitions/471.html> for details  
about this well-known and well-documented beginner's error!  
  
  
Due to the application manifest embedded in the executables which  
specifies "requireAdministrator" the installers are run with  
administrative privileges ("protected" administrators are prompted  
for consent, unprivileged standard users are prompted for an  
administrator password); execution of the DLLs therefore results  
in an escalation of privilege!  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit (and read) <http://home.arcor.de/skanthak/sentinel.html>,  
then download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>  
and save it as PCACli.dll, API-MS-Win-Downlevel-Shell32-l1-1-0.dll,  
DWMAPI.dll, RPCRTRemote.dll, OLEAcc.dll, PSAPI.dll, SetupAPI.dll,  
ClbCatQ.dll, WSock32.dll, WS2_32.dll, HNetCfg.dll, DNSAPI.dll,  
IPHlpAPI.dll, RASAPI32.dll, SensAPI.dll, RASAdHlp.dll, RASMan.dll  
plus UserEnv.dll, COMRes.dll, WS2Help.dll, TAPI32.dll, RTUtils.dll  
SAMLib.dll and WinMM.dll in your "Downloads" directory;  
  
2. fetch the (un)installers for Flash Player released before 2016-06-15  
from Adobe's web site and save them in your "Downloads" directory;  
  
3. run the (un)installers downloaded in step 2 and notice the message  
boxes displayed from the DLLs placed in step 1.  
  
PWNED!  
  
  
JFTR: since the (un)installers are 32-bit programs and (un)install  
both the 32-bit and 64-bit versions of Flash Player this POC  
works on 64-bit Windows too.  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2016-03-12 first vulnerability report sent to Adobe  
  
2016-03-13 Adobe acknowledged the receipt  
  
2016-04-06 Adobe informed about the upcoming patch to be released  
2016-04-07 and the assignment of CVE-2016-1014  
  
2016-04-17 second vulnerability report sent to Adobe: the "fixed"  
(un)installers are still vulnerable, they just load  
some other DLLs now  
  
2016-04-20 Adobe confirmed the second report and announced to fix  
the vulnerability in the June update  
  
2016-06-15 Adobe released fixed (un)installers  
  
2016-06-17 report published  
`