Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

AutoIT 3 DLL Hijacking

Related Vulnerabilities: CVE-2016-0603  
Publish Date: 17 May 2016
Author: rugk
Source 
                							

                Hi,
You probably heart about the Java issue which affected their installer. (http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html)
However this issue also affects multiple other installers as a security researcher has shown. (https://packetstormsecurity.com/files/author/6137/) It is called DLL Hijacking. I've copied a few general statements from there as they also apply to this issue.

Note I only tested this on Windows 7 32bit.
All files were downloaded on 2016-02-15.

So I just tried and tested the AutoIt Installer and the AutoIt3.exe. Here are my results.

The latest AutoId3 Installer autoit-v3-setup.exe loads and executes (at least) these DLLs when they are placed in the application directory (which is usually the download folder):
* VERSION.dll
* CRYPTBASE.dll
* SHFOLDER.DLL
* ntmarta.dll
* dwmapi.dll
* SspiCli.dll
* RichEd20.DLL

Additional these files are copied to the temp directory:
* %Temp%\nsm<4digits>.tmp\UserInfo.dll
* %Temp%\nsm<4digits>.tmp\InstallOptions.dll
* %Temp%\nsm<4digits>.tmp\UserInfo.dll
* %Temp%\nsm<4digits>.tmp\System.dll

Steps to reproduce:
Here I just use on DLL as an example.

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store
   it as SHFOLDER.dll in your "Downloads" directory;

2. download autoit-v3-setup.exe and store it in
   your "Downloads" directory;

3. run autoit-v3-setup.exe from your "Downloads"
   directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

As you seem to use NSIS, please notice this: https://packetstormsecurity.com/files/134693/NSIS-DLL-Hijack.html

What's more I also tested the AutoIt3.exe. As you seem to advertise this as a stand-alone application it may also be installed in a non-safe directory (where users without admin rights can write files to) and therefore it may be (mis)used with malicious DLLs. Additionally all executable files created with Aut2exe.exe are vulnerable as they also use this executable.
Note that in my test I only started the AutoIt3.exe and let it run until it shows the "open file" dialog. At this point I cancelled the process, so I did not load any AU3 scripts.
This is a list of all DLLs which are loaded and executed by AutoIt3 from the application directory:
* WSOCK32.dll
* VERSION.dll
* WINMM.dll
* MPR.dll
* IPHLPAPI.DLL
* WINNSI.DLL
* UxTheme.dll
* CRYPTBASE.dll
* dwmapi.dll
* WindowsCodecs.dll
* apphelp.dll
* CSCAPI.dll
* srvcli.dll
* slc.dll
* MsftEdit.dll
* msls31.dll
* ntmarta.dll
* XmlLite.dll
* LINKINFO.dll
* CRYPTSP.dll
* RpcRtRemote.dll
* SSPICLI.DLL
* SHDOCVW.dll
* ieframe.DLL
* netutils.dll

For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability.

If an attacker places the DLLs named above in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution.

Due to the application manifest embedded in the installers which specifies "requireAdministrator" the executable installer is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege!
Additionally AU3 scripts can also requests administration rights and in this case they may also be used for a privilege escalation.

More information about this issue can be found on this sites:
* https://capec.mitre.org/data/definitions/471.html
* https://technet.microsoft.com/en-us/library/2269637.aspx
* https://msdn.microsoft.com/en-us/library/ff919712.aspx
* https://msdn.microsoft.com/en-us/library/ms682586.aspx
* http://seclists.org/fulldisclosure/2015/Nov/101

Best regards,
<privat>

----
Timeline:

* 2016-02-16: send (no reply)
* 2016-03-29: reminder send; made aware of public disclosure at the 2016-05-16.
* 2015-05-16: report published

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started