Hi @ll,
the executable installer "InstallTinyPDF.exe", available from
<http://tinypdf.com/downloads.html>, is (surprise.-) vulnerable:
1. DLL hijacking (this is well-known and well-documented; see
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx>)
"InstallTinyPDF.exe" loads and executes UXTheme.dll and/or
DWMAPI.dll from its "application directory" instead of Windows'
"system directory", resulting in arbitrary code execution.
The "application directory" is typically the user's "Downloads"
directory; see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>
and <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
If UXTheme.dll or DWMAPI.dll are planted, for example via
"drive-by download", in the user's "Downloads" directory, this
vulnerability becomes a remote code execution.
2. Unsafe TEMP directory (this is well-known and well-documented;
see <https://cwe.mitre.org/data/definitions/377.html>
and <https://cwe.mitre.org/data/definitions/379.html>)
"InstallTinyPDF.exe" creates a temporary (sub)directory
"%TEMP%\is-<random>.tmp\" into which it extracts embedded DLLs
(_ShFolder.dll [*], ...) and an embedded subinstaller (is-*.tmp)
which it then executes ELEVATED, i.e. with administrative
privileges.
Since the temporary (sub)directory is unprotected (it inherits
the NTFS ACL from its parent "%TEMP%\") the extracted executables
can be overwritten between their creation and execution by the
unprivileged user, resulting in arbitrary code execution with
escalation of privilege.
Additionally (really: of course) "%TEMP%\is-<random>.tmp\is-*.tmp"
is vulnerable to DLL hijacking too: it loads UXTheme.dll and/or
DWMAPI.dll and some more DLLs from its "application directory"
"%TEMP%\is-<random>.tmp\", which can be placed there by the
unprivileged user, again resulting in arbitrary code execution
with elevation of privilege.
JFTR: InstallTinyPDF.exe is built using the crapware InnoSetup!
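The following PowerShell is an added example, not part of the advisory and not code from the vendor: it lists the binaries that would be loaded or executed from the two locations described in points 1 and 2, the user's "Downloads" directory and any "%TEMP%\is-*.tmp\" subdirectory, together with their Authenticode status, so that a planted UXTheme.dll or DWMAPI.dll (or an overwritten is-*.tmp subinstaller) stands out. The DLL names come from the advisory; the directory list and the "Suspicious" heuristic are assumptions of this example.

```powershell
# Added example (not from the advisory): report binaries in the locations the
# advisory names (the user's "Downloads" directory and "%TEMP%\is-*.tmp\")
# that a vulnerable installer would load or execute from there.
# Assumes Windows PowerShell 5.1 or later; the DLL names are the advisory's.
$HijackableDlls = @('UXTheme.dll', 'DWMAPI.dll')

function Get-PlantedBinaryReport {
    param(
        [string[]]$Directories = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            $env:TEMP
        )
    )
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Top-level DLLs in the directory (the "application directory" of a
        # downloaded installer) ...
        $dlls = @(Get-ChildItem -LiteralPath $dir -File -Filter '*.dll' -ErrorAction SilentlyContinue)
        # ... plus everything inside InnoSetup-style is-*.tmp subdirectories,
        # which the advisory describes as unprotected.
        $tmpFiles = @(Get-ChildItem -LiteralPath $dir -Directory -Filter 'is-*.tmp' -ErrorAction SilentlyContinue |
            Get-ChildItem -File -Recurse -Include '*.dll', '*.exe', '*.tmp' -ErrorAction SilentlyContinue)
        foreach ($file in ($dlls + $tmpFiles)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $knownName = $HijackableDlls -contains $file.Name
            [pscustomobject]@{
                Path            = $file.FullName
                KnownHijackName = $knownName
                Signature       = $sig.Status      # Valid / NotSigned / HashMismatch / ...
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Heuristic (assumption of this example): a copy of a system DLL
                # outside System32 that is not validly signed deserves a look.
                Suspicious      = $knownName -and ($sig.Status -ne 'Valid')
            }
        }
    }
}

Get-PlantedBinaryReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The genuine UXTheme.dll and DWMAPI.dll live in "%SystemRoot%\System32" and are catalog-signed, so Get-AuthenticodeSignature reports them as "Valid"; a copy of either name in "Downloads" or under "%TEMP%" should not normally exist at all, whatever its signature status says.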
Mitigations:
~~~~~~~~~~~~
* Don't use executable installers! NEVER!
Don't use self-extractors! NEVER!
See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<http://home.arcor.de/skanthak/!execute.html> alias
<https://skanthak.homepage.t-online.de/!execute.html> for more
information.
* Practice STRICT privilege separation: NEVER use the so-called
"protected" administrator account(s) created during Windows
setup which use the same "%TEMP%" for unprivileged and privileged
processes!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
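The following PowerShell is an added example, not part of the advisory: it adds exactly the ACE "(D;OIIO;WP;;;WD)" from the mitigation above to a profile directory through the .NET access-control classes (instead of editing the SDDL string by hand) and re-reads the DACL to confirm that Windows renders the new ACE with that SDDL. The "-WhatIf" switch, the function name and the profile enumeration at the end are assumptions of this example; an elevated session is assumed.

```powershell
# Added example (not from the advisory): apply the ACE "(D;OIIO;WP;;;WD)" the
# advisory recommends to a user profile directory and verify the resulting SDDL.
# Assumes an elevated Windows PowerShell 5.1+ session. The SDDL pieces are:
#   D  = deny ACE            OIIO = object-inherit, inherit-only
#   WP = 0x20 = FILE_EXECUTE ("execute file")   WD = Everyone (S-1-1-0)
function Add-DenyExecuteAce {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,
        [switch]$WhatIf
    )
    $everyone = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $ProfilePath
    if ($acl.Sddl -match '\(D;OIIO;WP;;;WD\)') {
        return "already present: $ProfilePath"
    }
    $acl.AddAccessRule($rule)
    if ($WhatIf) { return "would set on $ProfilePath`: $($acl.Sddl)" }
    Set-Acl -LiteralPath $ProfilePath -AclObject $acl

    # Re-read the DACL and confirm the ACE is now part of it.
    $after = (Get-Acl -LiteralPath $ProfilePath).Sddl
    if ($after -notmatch '\(D;OIIO;WP;;;WD\)') { throw "ACE not applied to $ProfilePath" }
    return "applied: $ProfilePath"
}

# Every profile below the profiles root (C:\Users on a default install);
# drop -WhatIf once the output looks right.
Get-ChildItem -LiteralPath (Split-Path $env:USERPROFILE -Parent) -Directory |
    ForEach-Object { Add-DenyExecuteAce -ProfilePath $_.FullName -WhatIf }
```

Because the ACE is object-inherit and inherit-only, it applies to files at every depth below the profile (subdirectories carry it along without being affected themselves) but not to the profile directory itself. That also covers "%LOCALAPPDATA%", so any per-user installed program that runs from there will stop working; check the report produced with "-WhatIf" before applying it to accounts that rely on such software.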
Fix:
~~~~
Write a Windows-conformant .INF to install the printer driver
(see <http://home.arcor.de/skanthak/download/TINYPDF.INF>), then
use MakeCAT.exe to create a .CAT and SignTool.exe to sign it.
See <https://msdn.microsoft.com/en-us/library/aa386967.aspx>
and <https://msdn.microsoft.com/en-us/library/aa387764.aspx>
plus <https://msdn.microsoft.com/en-us/library/ff551778.aspx>
for the description of these development tools.
With this TINYPDF.INF the printer driver can be installed via
"Add Printer" as well as the following command lines:
* "%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\PrintUI.dll",PrintUIEntry /if /f "<path>\TINYPDF.INF" /m TinyPDF /r LPT3:
(see <https://technet.microsoft.com/en-us/library/ee624057.aspx>)
* DISM.exe /Image:<path> /Add-Driver /Driver:"<path>\TINYPDF.INF" ...
(see <https://technet.microsoft.com/en-us/library/dd744355.aspx>)
* DPInst.exe ... which I DON'T recommend, though!
(see <https://msdn.microsoft.com/en-us/library/ms791049.aspx>)
Even Windows' setup can import it automatically from \$WinPEDriver$\
into the driver store (see
<https://technet.microsoft.com/en-us/library/cc766142.aspx>).
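The following PowerShell is an added example, not part of the advisory and not the TINYPDF.INF package itself: it wraps the first of the command lines above (RunDLL32.exe with PrintUI.dll,PrintUIEntry) in a function that first checks the signed .CAT created with MakeCAT.exe and SignTool.exe, and refuses to install when the catalog's Authenticode signature is anything but valid. The function name, the "$PackageDir" parameter, the "TINYPDF.CAT" file name and the "-NoInstall" switch are assumptions of this example; the model name "TinyPDF" and port "LPT3:" are taken from the advisory's command line.

```powershell
# Added example (not from the advisory): gate the PrintUI-based .INF install
# behind a signature check of the driver package's catalog.
# Assumes an elevated Windows PowerShell 5.1+ session and a package directory
# holding TINYPDF.INF plus the signed TINYPDF.CAT (catalog name is assumed).
function Install-InfPrinterDriver {
    param(
        [Parameter(Mandatory)][string]$PackageDir,
        [string]$InfName = 'TINYPDF.INF',
        [string]$CatName = 'TINYPDF.CAT',
        [string]$Model   = 'TinyPDF',
        [string]$Port    = 'LPT3:',
        [switch]$NoInstall      # only report what would be run
    )
    $inf = Join-Path $PackageDir $InfName
    $cat = Join-Path $PackageDir $CatName
    foreach ($f in $inf, $cat) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "missing: $f" }
    }

    # The .CAT is what SignTool.exe signed. Anything but 'Valid' (NotSigned,
    # HashMismatch, or an untrusted chain) means the package is not the one
    # that was signed, so stop here.
    $sig = Get-AuthenticodeSignature -LiteralPath $cat
    if ($sig.Status -ne 'Valid') {
        throw "catalog $cat not trusted: $($sig.Status) - $($sig.StatusMessage)"
    }

    # The advisory's command line, with the path filled in.
    $rundll  = Join-Path $env:SystemRoot 'System32\RunDLL32.exe'
    $cmdArgs = "`"$env:SystemRoot\System32\PrintUI.dll`",PrintUIEntry /if /f `"$inf`" /m `"$Model`" /r `"$Port`""
    if ($NoInstall) { return "$rundll $cmdArgs" }

    $proc = Start-Process -FilePath $rundll -ArgumentList $cmdArgs -Wait -PassThru
    return [pscustomobject]@{
        Signer   = $sig.SignerCertificate.Subject
        ExitCode = $proc.ExitCode
    }
}

# Dry run against a package directory (placeholder path):
Install-InfPrinterDriver -PackageDir 'C:\Drivers\TinyPDF' -NoInstall
```

Run it with "-NoInstall" first to see the exact RunDLL32 command line; the signature check runs in both modes, so an unsigned or tampered package is rejected before anything is handed to PrintUI.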
JFTR: there is ABSOLUTELY no need for executable installers on
Windows! DUMP THIS CRAP!
stay tuned
Stefan Kanthak
[*] ShFolder.dll is cruft from the last millennium; it was used
on Windows 9x without Internet Explorer 4, see
<https://support.microsoft.com/en-us/kb/241733>
Since Windows 2000 there is ABSOLUTELY no need to use this
cruft!
Timeline:
~~~~~~~~~
2012-05-24 vulnerability report sent to vendor (yes, 2012-05-24!)
no reply, not even an acknowledgement of receipt
2016-06-06 vulnerability report sent to vendor
no reply, not even an acknowledgement of receipt
2017-01-02 report published