Full Disclosure mailing list archives
Re: Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege
From: Jernej Simončič <jernej|s-os () eternallybored org>
Date: Tue, 23 Feb 2016 18:44:32 +0100
On 23. februar 2016, 17:37:54, Stefan Kanthak wrote:
Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[snip]
PWNED!
Can't reproduce - tested on Windows XP SP3, Windows 7 x64 SP1 and Windows 10 x64 (10586.104), and I tested not only with gimp-2.8.16-setup-1.exe, but also with gimp-2.8.14-setup-1.exe and gimp-2.8.10-setup.exe - none of them triggered anything from sentinel.dll/uxtheme.dll. This is what I expected - the way Inno Setup works, the downloaded executable installer has a stub which extracts the real installer to a subdirectory of %TEMP%, and runs it from there; the stub's UI is limited to a simple MessageBox call in case the extraction fails - it does not link to uxtheme.dll at all. -- < Jernej Simončič ><><><><><><><><><><><>< http://eternallybored.org/ > Because 10 billion years' time is so fragile, so ephemeral... it arouses such a bittersweet, almost heartbreaking fondness. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege Stefan Kanthak (Feb 25)
- Re: Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege Jernej Simončič (Feb 25)