
DLL hijacking vulnerabilities (also) in ESET's installer


rugk


A security researcher recently discovered vulnerabilities in many software installers including Java, WinRAR, Python, Panda Security, TrueCrypt/VeraCrypt, Emsisoft, Trend Micro, Avast, McAfee and more.

ESET is also a part of the list.

 

Basically the vulnerability is an issue with DLL files, which are automatically loaded by the installer (which is usually executed from the downloads folder). If wrongly implemented these files are loaded from the current folder, which is the download folder. As most installers request admin rights this is a privilege escalation, because some untrusted DLL files are loaded and executed with admin rights.
If an attacker can convince a user to download some badly crafted DLL files and later an installer with such a vulnerability is executed by the user, the DLL is loaded and malicious code may be executed.

 

A way to prevent such attacks is to copy all installers into an empty directory before executing or to make sure there are no rogue DLL files in the Download folder.

 

So why I am posting this is not only because of the general suggestion, which is a good thing to know, but also because of the Timeline included in the error report for ESET:

Timeline:
~~~~~~~~~
2015-11-30    report sent to vendor
              NO answer, not even an acknowledgement of receipt
2015-12-12    report resent to vendor
              NO answer, not even an acknowledgement of receipt
2015-12-21    report published

So according to this, ESET has not yet replied or released a fix for the installer. Can one of the mods comment on this and possibly say whether the installers are still vulnerable and when this will be fixed?


  • Administrators

That's what can be called making a mountain out of a mole hill. The alleged "exploit" simply misuses the way Windows works. The chance of putting a malicious dll in the Download folder prior to the execution of Live Installer and crafting it in the way that it would be properly loaded by Live Installer is so slim that it's barely unexploitable anyways.


That's what can be called making a mountain out of a mole hill. The alleged "exploit" simply misuses the way Windows works. The chance of putting a malicious dll in the Download folder prior to the execution of Live Installer and crafting it in the way that it would be properly loaded by Live Installer is so slim that it's barely unexploitable anyways.

 

I see. So, it is doable but very unlikely it would work out successfully.

Or as we say here; "to make a hen out of a feather".

Edited by SweX

Yes, it may be not that easy to exploit, but it is certainly possible. And according to his "Proof of concept" you do not need a specially crafted DLL in this case. It is a generic DLL. Tricking the user into downloading a DLL is another thing, but it is certainly possible too. Just imagine how many files may reside in some user's download folder. Here is more information about this.

 

But do not take this too easy. Oracle, which had these issues in their installers too, seems to have taken it quite seriously:

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

And the thing to note is that it can be fixed. So I would at least expect a fix with the next installer release. And I also would have expected that ESET at least replies to the researcher in some way...
So what is ESET going to do about this?

Edited by rugk

 

 

A way to prevent such attacks is to copy all installers into an empty directory before executing or to make sure there are no rogue DLL files in the Download folder.

 


 

Do you mean after the file is downloaded just copying it to another folder and executing it prevents this attack?


Do you mean after the file is downloaded just copying it to another folder and executing it prevents this attack?

 

Yes, it does. I know... it's quite easy. :)


 

Do you mean after the file is downloaded just copying it to another folder and executing it prevents this attack?

 

Yes, it does. I know... it's quite easy. :)

 

 

Ok. Thank you :)

Edited by Seth

I downloaded the offline installer to the desktop and ran it as administrator. No other files were at the desktop at that moment. Am I safe?


I downloaded the offline installer to the desktop and ran it as administrator. No other files were at the desktop at that moment. Am I safe?

Well, ESET said all installers are already fixed and I also don't know whether the offline installers were affected at all.

But in a more general way (which also applies for other installers) this answer is a bit longer: If there are really no files, theoretically yes.

 

However there may be hidden files or something like this, so the only way to be certain is creating an empty new folder, moving the file inside of it and running it from there.

Edited by rugk

 

I downloaded the offline installer to the desktop and ran it as administrator. No other files were at the desktop at that moment. Am I safe?

Well, ESET said all installers are already fixed and I also don't know whether the offline installers were affected at all.

But in a more general way (which also applies for other installers) this answer is a bit longer: If there are really no files, theoretically yes.

 

However there may be hidden files or something like this, so the only way to be certain is creating an empty new folder, moving the file inside of it and running it from there.

 

 

What step should I take to be 100% sure? Uninstall? How to be sure you remove everything when uninstalling ESS? It seems that there is always something left in regedit when uninstalling software. I use MalwareBytes too. Is it affected too?

Edited by Seth

"If you already have an affected ESET product installed, you do not need to take any action to address this issue."

 

I really don't get this. Don't do anything about your product that is affected is the solution?


If you already have installed ESS you don't need to do anything. This vulnerability only affects the installer.

 

However as for your question about how to uninstall an ESET product completely you can use the manual uninstaller. But again: As I said this is not necessary here.

 

BTW: If you want to be secure when installing an ESET program a much more important recommendation would be to look at the UAC prompt (= the message which pops up to ask you for administrative rights) and verify that the downloaded file is signed by ESET. You can see this at the "Verified publisher" name:

[Screenshot of the UAC prompt]

In contrast to this faked (and potentially malicious) installer:

[Screenshot of the UAC prompt for the faked installer]

If you see such a faked thing when trying to install a software by ESET stop the process (click on "No") and report this issue e.g. in the ESET forum with a description of what file you've downloaded and if you can attach the file.

Edited by rugk
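The precautions discussed in this thread (look for DLLs next to the installer, including hidden ones; check the publisher signature; run the installer from a new, empty folder) combined in one PowerShell function. This is an added example, not code from ESET or from any poster in the thread; the function name, its parameters, and the sample path and publisher string are assumptions.

```powershell
# Added example: stage an installer in a fresh, empty directory before running it.
# Function name, parameters and the sample publisher string are assumptions.
function Invoke-StagedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        # Text expected in the signer certificate subject, i.e. the name the
        # UAC prompt shows as "Verified publisher" (supplied by the caller).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [switch] $Run
    )

    $installer = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop

    # 1. Report DLLs sitting next to the installer. -Force includes hidden
    #    and system files, which Explorer does not show by default.
    $dlls = Get-ChildItem -LiteralPath $installer.DirectoryName -Filter '*.dll' -File -Force
    foreach ($dll in $dlls) {
        Write-Warning ("DLL beside installer: {0} (attributes: {1})" -f $dll.Name, $dll.Attributes)
    }

    # 2. Check the Authenticode signature before anything is executed.
    $sig = Get-AuthenticodeSignature -FilePath $installer.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; not running $($installer.Name)."
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject.IndexOf($ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        throw "Signed by '$subject', expected publisher '$ExpectedPublisher'."
    }

    # 3. Copy only the installer into a newly created directory, so no other
    #    file shares its application directory.
    $stage = Join-Path ([IO.Path]::GetTempPath()) ("stage-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $stage | Out-Null
    $staged = Copy-Item -LiteralPath $installer.FullName -Destination $stage -PassThru

    if ($Run) { Start-Process -FilePath $staged.FullName -Wait }
    return $staged.FullName
}

# Usage (constructed path and publisher name):
# Invoke-StagedInstaller -InstallerPath "$env:USERPROFILE\Downloads\setup.exe" -ExpectedPublisher 'Example Vendor' -Run
```

Staging in an empty folder only addresses DLLs loaded from the installer's own directory, which is the case this thread is about.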

"If you already have an affected ESET product installed, you do not need to take any action to address this issue."

 

I really don't get this. Don't do anything about your product that is affected is the solution?

No this issue only affects the installer.


 

I downloaded the offline installer to the desktop and ran it as administrator. No other files were at the desktop at that moment. Am I safe?

Well, ESET said all installers are already fixed and I also don't know whether the offline installers were affected at all.

But in a more general way (which also applies for other installers) this answer is a bit longer: If there are really no files, theoretically yes.

 

However there may be hidden files or something like this, so the only way to be certain is creating an empty new folder, moving the file inside of it and running it from there.

 

 

This attack can only happen when another bad DLL file that is not from the software you want to install is in the same folder?

As I said I downloaded ESS to the desktop with no other files there at that moment and installed ESS. But you are saying as above that there could be hidden files? So my install is not 100% safe until I move installer to an empty folder before installing?

Edited by Seth

As I said I downloaded ESS to the desktop with no other files there at that moment and installed ESS. But you are saying as above that there could be hidden files? So my install is not 100% safe until I move installer to an empty folder before installing?

Theoretically yes.


 

As I said I downloaded ESS to the desktop with no other files there at that moment and installed ESS. But you are saying as above that there could be hidden files? So my install is not 100% safe until I move installer to an empty folder before installing?

Theoretically yes.

 

 

Ok thanks.
