Hi @ll,the executable (un)installers for Flash Player before version22.0.0.192 and 18.0.0.360 (both released on 2016-06-15) arevulnerable to DLL hijacking: they load and execute multipleWindows system DLLs from their "application directory" insteadof Windows' "system directory" %SystemRoot%\System32\.On Windows 7 and before they also (try to) load PCACli.dll andAPI-MS-Win-Downlevel-Shell32-l1-1-0.dll from the PATH:PCACli.Dll and API-MS-Win-Downlevel-Shell32-l1-1-0.dll are notpresent there, these DLLs were first shipped with Windows 8.On Windows XP and before they additionally try to load DWMAPI.dll,PropSys.dll, DevRtl.dll and RPCRTRemote.dll from the PATH: theseDLLs were first shipped with Windows Vista.See about this well-known and well-documented beginner's error!Due to the application manifest embedded in the executables whichspecifies "requireAdministrator" the installers are run withadministrative privileges ("protected" administrators are promptedfor consent, unprivileged standard users are prompted for anadministrator password); execution of the DLLs therefore resultsin an escalation of privilege!Proof of concept/demonstration:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~1. visit (and read) then download and save it as PCACli.dll, API-MS-Win-Downlevel-Shell32-l1-1-0.dll,DWMAPI.dll, RPCRTRemote.dll, OLEAcc.dll, PSAPI.dll, SetupAPI.dll,ClbCatQ.dll, WSock32.dll, WS2_32.dll, HNetCfg.dll, DNSAPI.dll,IPHlpAPI.dll, RASAPI32.dll, SensAPI.dll, RASAdHlp.dll, RASMan.dllplus UserEnv.dll, COMRes.dll, WS2Help.dll, TAPI32.dll, RTUtils.dllSAMLib.dll and WinMM.dll in your "Downloads" directory;2. fetch the (un)installers for Flash Player released before 2016-06-15from Adobe's web site and save them in your "Downloads" directory;3. run the (un)installers downloaded in step 2 and notice the messageboxes displayed from the DLLs placed in step 1.PWNED!JFTR: since the (un)installers are 32-bit programs and (un)installboth the 32-bit and 64-bit versions of Flash Player this POCworks on 64-bit Windows too.stay tunedStefan KanthakTimeline:~~~~~~~~~2016-03-12 first vulnerability report sent to Adobe2016-03-13 Adobe acknowledged the receipt2016-04-06 Adobe informed about the upcoming patch to be released2016-04-07 and the assignment of CVE-2016-10142016-04-17 second vulnerability report sent to Adobe: the "fixed"(un)installers are still vulnerable, they just loadsome other DLLs now2016-04-20 Adobe confirmed the second report and announced to fixthe vulnerability in the June update2016-06-15 Adobe released fixed (un)installers2016-06-17 report published[ reply ]from SecurityFocus Vulnerabilities http://ift.tt/1YvRnfq
Hi @ll,
the executable (un)installers for Flash Player before version
22.0.0.192 and 18.0.0.360 (both released on 2016-06-15) are
vulnerable to DLL hijacking: they load and execute multiple
Windows system DLLs from their "application directory" instead
of Windows' "system directory" %SystemRoot%\System32\.
On Windows 7 and before they also (try to) load PCACli.dll and
API-MS-Win-Downlevel-Shell32-l1-1-0.dll from the PATH:
PCACli.Dll and API-MS-Win-Downlevel-Shell32-l1-1-0.dll are not
present there, these DLLs were first shipped with Windows 8.
On Windows XP and before they additionally try to load DWMAPI.dll,
PropSys.dll, DevRtl.dll and RPCRTRemote.dll from the PATH: these
DLLs were first shipped with Windows Vista.
See
about this well-known and well-documented beginner's error!
Due to the application manifest embedded in the executables which
specifies "requireAdministrator" the installers are run with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password); execution of the DLLs therefore results
in an escalation of privilege!
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. visit (and read)
then download
and save it as PCACli.dll, API-MS-Win-Downlevel-Shell32-l1-1-0.dll,
DWMAPI.dll, RPCRTRemote.dll, OLEAcc.dll, PSAPI.dll, SetupAPI.dll,
ClbCatQ.dll, WSock32.dll, WS2_32.dll, HNetCfg.dll, DNSAPI.dll,
IPHlpAPI.dll, RASAPI32.dll, SensAPI.dll, RASAdHlp.dll, RASMan.dll
plus UserEnv.dll, COMRes.dll, WS2Help.dll, TAPI32.dll, RTUtils.dll
SAMLib.dll and WinMM.dll in your "Downloads" directory;
2. fetch the (un)installers for Flash Player released before 2016-06-15
from Adobe's web site and save them in your "Downloads" directory;
3. run the (un)installers downloaded in step 2 and notice the message
boxes displayed from the DLLs placed in step 1.
PWNED!
JFTR: since the (un)installers are 32-bit programs and (un)install
both the 32-bit and 64-bit versions of Flash Player this POC
works on 64-bit Windows too.
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-03-12 first vulnerability report sent to Adobe
2016-03-13 Adobe acknowledged the receipt
2016-04-06 Adobe informed about the upcoming patch to be released
2016-04-07 and the assignment of CVE-2016-1014
2016-04-17 second vulnerability report sent to Adobe: the "fixed"
(un)installers are still vulnerable, they just load
some other DLLs now
2016-04-20 Adobe confirmed the second report and announced to fix
the vulnerability in the June update
2016-06-15 Adobe released fixed (un)installers
2016-06-17 report published
[ reply ]