Full Disclosure mailing list archives

Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Fri, 7 Apr 2017 19:29:58 +0200

Hi @ll,

1Password-4.6.1.619.exe, available from
<https://d13itkw33a7sus.cloudfront.net/dist/1P/win4/1Password-4.6.1.619.exe>
is vulnerable to DLL hijacking: it loads UXTheme.dll or DWMAPI.dll
from its "application directory" instead Windows
"system directory".

For downloaded applications like 1Password-4.6.1.619.exe the
"application directory" is Windows' "Downloads" folder.

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.

See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for this
well-known beginner's error.


If one of the DLLs named above is placed in the users "Downloads"
directory (for example per "drive-by download") this vulnerability
becomes a remote code execution.

JFTR: there is ABSOLUTELY no need for executable installers on
      Windows! DUMP THIS CRAP!


Additionally the installer creates an unsafe temporary directory
"%TEMP%\is-*.tmp\" where it extracts some parts of itself and
executes them.

See <https://cwe.mitre.org/data/definitions/377.html>
and <https://cwe.mitre.org/data/definitions/379.html> for this
well-known beginner's error.


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".

* Use SAFER alias Software Restriction Policies or AppLocker to
  enforce W^X alias "write Xor execute" in the NTFS file system:
  allow execution only below %SystemRoot% and %ProgramFiles% and
  deny it everywhere else.

  See <http://mechbgon.com/srp/index.html> or
  <http://home.arcor.de/skanthak/SAFER.html> alias
  <https://skanthak.homepage.t-online.de/SAFER.html> for more
  information.


stay tuned (and far away from such crap)
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-03-21    vulnerability report sent to vendor

2017-03-23    reply from vendor
              "WON'T FIX: this does not attack 1Password data but
               the target system itself, and is an issue with low
               risk, an issue that has existing mitigations in place,
               or is an accepted business risk for the customer."

2017-04-07    report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution Stefan Kanthak (Apr 07)