The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): High
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy:
PostgreSQL 10 Installer For Windows DLL Hijacking
Hi @ll,
the executable installers of PostgreSQL 10 for Windows,
1. PostgreSQL-10.0-1-win64-bigsql.exe, available from
<https://www.openscg.com/bigsql/postgresql/installers.jsp/>
via <https://www.postgresql.org/download/windows/>,
2. postgresql-10.0-1-windows.exe and
postgresql-10.0-1-windows-x64.exe, available from
<https://www.enterprisedb.com/downloads/postgres-postgresql-downloads#windows>
via <https://www.postgresql.org/download/windows/>,
are vulnerable and defective:
Vulnerabilities
~~~~~~~~~~~~~~~
1.a) They load (on a fully patched Windows 7) the system DLLs
UXTheme.dll, SAMCli.dll, SchedCli.dll, LogonCli.dll and
CryptSP.dll from their "application directory" instead of Windows'
"system directory" %SystemRoot%\System32\, resulting in arbitrary
code execution.
For software downloaded with a web browser the "application directory"
is typically the user's "Downloads" directory: see
<http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
Also see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html> and
<https://skanthak.homepage.t-online.de/!execute.html>
Thanks to the embedded application manifest which specifies
"requireAdministrator" the installers will be started with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password), resulting in an escalation of privilege!
If (one of) the DLLs named above get(s) planted in the user's
"Downloads" directory, for example per "drive-by download", this
vulnerability becomes a remote code execution WITH escalation of
privilege.
Proof of concept:
~~~~~~~~~~~~~~~~~
1. Visit <https://skanthak.homepage.t-online.de/sentinel.html>,
download
<https://skanthak.homepage.t-online.de/download/SENTINEL.DLL>
and save it as UXTheme.dll in your "Downloads" directory, then
copy it as SAMCli.dll, SchedCli.dll, LogonCli.dll and CryptSP.dll;
2. Download the executable installers
<https://oscg-downloads.s3.amazonaws.com/packages/PostgreSQL-10.0-1-win64-bigsql.exe>
<https://get.enterprisedb.com/postgresql/postgresql-10.0-1-windows-x64.exe>
<https://get.enterprisedb.com/postgresql/postgresql-10.0-1-windows.exe>
and save them in your "Downloads" directory;
3. Start the downloaded installers; notice the message boxes
displayed from the "sentinels": PWNED!
1.b) They create about a dozen DLLs with names BR*.TMP
(as generated by Windows GetTempFileName() API, see
<https://msdn.microsoft.com/en-us/library/aa364991.aspx>)
in the user's (unprotected) %TEMP% directory and load them
during execution.
See <https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> for this
well-known and well-documented weakness.
An unprivileged attacker can modify these DLLs between their
creation and loading, for example using the following (trivial)
batch script, again resulting in arbitrary code execution with
escalation of privilege!
--- BITROCK.CMD ---
:WAIT
If Not Exist "%TEMP%\BR????.DLL" Goto :WAIT
For %%! In ("%TEMP%\BR????.DLL") Do Copy "%USERPROFILE%\Downloads\UXTheme.dll" "%%!"
--- EOF ---
Defects
~~~~~~~
2.a) they have INVALID PE (section) headers; Microsoft's DUMPBIN.EXE
aborts with "access violation" (see below) due to the INVALID
section name "/4"!
From the PE/COFF specification, available via
<https://www.microsoft.com/en-us/download/details.aspx?id=19509>
| Offset  Size  Field  Description
| 0       8     Name   An 8-byte, null-padded UTF-8 encoded string. If the
|                      string is exactly 8 characters long, there is no
|                      terminating null. For longer names, this field
|                      contains a slash (/) that is followed by an ASCII
|                      representation of a decimal number that is an offset
|                      into the string table. Executable images do not use
|                      a string table and do not support section names
|                      longer than 8 characters. Long names in object files
|                      are truncated if they are emitted to an executable
|                      file.
2.b) their IMPORT directory contains 2 IMAGE_IMPORT_DESCRIPTOR entries
for msvcrt.dll.
It should have only 1 IMAGE_IMPORT_DESCRIPTOR per DLL!
See the PE/COFF specification:
| Import Directory Table
...
| The import directory table consists of an array of import directory
| entries, one entry for each DLL to which the image refers.
Mitigations:
~~~~~~~~~~~~
* Don't build executable installers, they are almost always vulnerable!
Create native installation packages for the respective OS instead.
For Windows these are .MSI or .INF with .CAB.
* Don't use executable installers!
* stay FAR away from PostgreSQL for Windows!
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2017-02-17 vulnerability report sent to [email protected]
2017-02-18 reply from vendor:
"the installers are built using Bitrock InstallBuilder
which generates the final executable that the user
downloads. I have therefore escalated this report to
Bitrock's support team, and as soon as they have a
solution will initiate a set of update releases for
affected packages."
2017-10-05 PostgreSQL releases version 10, again sporting this
vulnerability.
Obviously both PostgreSQL and BitRock are unwilling,
unable or just too incompetent to provide installers
without well-known, trivial to detect and trivial to
exploit vulnerabilities.
2017-10-09 report published
Evidence
~~~~~~~~
C:\Users\Stefan\Downloads>link.exe /dump PostgreSQL-10.0-1-win64-bigsql.exe
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file PostgreSQL-10.0-1-win64-bigsql.exe
File Type: EXECUTABLE IMAGE
LINK : fatal error LNK1000: Internal error during DumpSections
Version 8.00.50727.762
ExceptionCode = C0000005
ExceptionFlags = 00000000
ExceptionAddress = 00427362 (00400000) "C:\Program Files\...\LINK.EXE"
NumberParameters = 00000002
ExceptionInformation[ 0] = 00000000
ExceptionInformation[ 1] = 00000004
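The two header defects in 2.a and 2.b (a section name such as "/4" pointing into a string table, and a duplicated IMAGE_IMPORT_DESCRIPTOR for one DLL) can be checked before an installer is deployed without relying on DUMPBIN. The following is an added example, not code from the advisory or from PostgreSQL/BitRock: it walks the section headers and the import directory of a PE file with only the standard library, and `build_pe` constructs a minimal, non-runnable PE32 image purely as sample input (the real installers are not reproduced here).

```python
import struct
def pe_findings(data: bytes) -> list:
    """Flag the two header defects from the advisory: section names that point
    into a string table ("/4") and duplicate IMAGE_IMPORT_DESCRIPTOR entries."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = struct.unpack_from("<H", data, pe + 24)[0]                 # 0x10B PE32, 0x20B PE32+
    dirs = pe + 24 + (96 if magic == 0x10B else 112)                   # first data directory
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]           # directory entry 1 = imports
    findings, sections = [], []
    for i in range(nsect):
        off = pe + 24 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, va, _, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, vsize, rawptr))
        if name.startswith(b"/"):             # executable images do not use a string table
            findings.append("section %d: invalid name %r" % (i, name))
    def rva2off(rva):
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError("RVA 0x%x lies outside every section" % rva)
    seen, off = {}, rva2off(import_rva)
    while any(struct.unpack_from("<IIIII", data, off)):            # all-zero entry ends the table
        noff = rva2off(struct.unpack_from("<I", data, off + 12)[0])  # Name field of the descriptor
        dll = data[noff:data.index(b"\0", noff)].decode("ascii", "replace").lower()
        seen[dll] = seen.get(dll, 0) + 1
        off += 20
    for dll, n in seen.items():
        if n > 1:
            findings.append("import directory: %d IMAGE_IMPORT_DESCRIPTOR entries for %s" % (n, dll))
    return findings
def build_pe(section_names, imported_dlls):
    """Constructed minimal PE32 image (not a real installer): section 0 at RVA 0x1000,
    file offset 0x200, holds the import descriptors followed by the DLL names."""
    desc_size = 20 * (len(imported_dlls) + 1)
    descs, names, pos = b"", b"", 0x1000 + desc_size
    for d in imported_dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, pos, 0)       # only the Name RVA is filled in
        names += d.encode() + b"\0"
        pos += len(d) + 1
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", 0x1000, desc_size) + b"\0" * 112
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), 0x200, 0x200 if i == 0 else 0)
                    + b"\0" * 16 for i, n in enumerate(section_names))
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0") + descs + b"\0" * 20 + names
SAMPLE = build_pe([b".rdata", b".text", b"/4"], ["KERNEL32.dll", "msvcrt.dll", "msvcrt.dll"])  # constructed
print(pe_findings(SAMPLE))
```

To audit a downloaded installer, pass `open(path, "rb").read()` to `pe_findings`; an empty list means neither defect is present.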