Lucene search
K

SoftMaker Office 201x Privilege Escalation Vulnerability

🗓️ 04 Jan 2017 00:00:00Reported by Stefan KanthakType 
zdt
 zdt
🔗 0day.today👁 30 Views

SoftMaker Office 201x Privilege Escalation Vulnerability affects service pack installers creating unprotected directories with NTFS access rights inheritance, allowing arbitrary code execution with elevation of privilege

Code
Hi @ll,

the service pack installers for SoftMaker Office 201x, available
from <http://www.softmaker.com/en/servicepacks-office-windows>,
are (surprise.-) vulnerable.


The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH),
creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract
its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".

"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent
"%TEMP%\", i.e. allows full access for the UNPRIVILEGED user.

For this well-known vulnerability see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html>


Due to the embedded application manifest which specifies
"requireAdministrator" the executable installer can only be run
with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory
      "%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user as well as any program running with the
users credentials can modify the extracted files, for example
"%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with
administrative rights, resulting in arbitrary code execution
with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking,
another well-known vulnerability.
See <https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the
unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which
are loaded by "spsetup.exe", again resulting in arbitrary code
execution with elevation of privilege!


Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download <http://www.softmaker.net/down/ofw16_763.exe> and
   save it in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (see <http://home.arcor.de/skanthak/sentinel.html> alias
   <https://skanthak.homepage.t-online.de/sentinel.html>) and
   save it in an(other) arbitrary directory;

2. save the following batch script in same the directory as
   SENTINEL.DLL:

--- OFW16_873.CMD ---
:WAIT
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
--- EOF ---

3. start the batch script;

4. execute ofw16_873.exe and notice the message boxes displayed
   by SENTINEL.DLL.

PWNED!

5. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
   to the same directory as the batch script;

6. in the batch script replace the 3 lines Copy ... with
   Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_873.exe and notice the message box displayed
   by SENTINEL.EXE.

PWNED!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows
  setup which use the same "%TEMP%" for unprivileged and privileged
  processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-12-15    sent vulnerability report to vendor

              no reply, not even an acknowledegement of receipt

2016-12-23    resent vulnerability report to vendor, cc CERT at 
              german BSI

              no reply, not even an acknowledegement of receipt

2016-12-27    CERT at german BSI contacts vendor offering help

              no reply, not even an acknowledegement of receipt

2016-12-31    report published

#  0day.today [2018-02-15]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation