Hi @ll,

the executable installer "InstallTinyPDF.exe" is (surprise.-) vulnerable:

1. DLL hijacking (this is well-known and well-documented)

   "InstallTinyPDF.exe" loads and executes UXTheme.dll and/or DWMAPI.dll
   from its "application directory" instead of Windows' "system directory",
   resulting in arbitrary code execution.

   The "application directory" is typically the user's "Downloads"
   directory. If UXTheme.dll or DWMAPI.dll gets planted there, for example
   per "drive-by download", this vulnerability becomes a remote code
   execution.

2. Unsafe TEMP directory (this is well-known and well-documented)

   "InstallTinyPDF.exe" creates a temporary (sub)directory
   "%TEMP%\is-*.tmp\" into which it extracts embedded DLLs
   (_ShFolder.dll [*], ...) and an embedded subinstaller (is-*.tmp) which
   it then executes ELEVATED, i.e. with administrative privileges.

   Since the temporary (sub)directory is unprotected (it inherits the NTFS
   ACL from its parent "%TEMP%\"), the unprivileged user can overwrite the
   extracted executables between their creation and their execution,
   resulting in arbitrary code execution with escalation of privilege.

   Additionally (really: of course) "%TEMP%\is-*.tmp\is-*.tmp" is
   vulnerable to DLL hijacking too: it loads UXTheme.dll and/or DWMAPI.dll
   and some more DLLs from its "application directory" "%TEMP%\is-*.tmp\",
   where the unprivileged user can place them, again resulting in
   arbitrary code execution with escalation of privilege.

JFTR: InstallTinyPDF.exe is built using the crapware InnoSetup!

Mitigations:
~~~~~~~~~~~~
* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

* Practice STRICT privilege separation: NEVER use the so-called
  "protected" administrator account(s) created during Windows setup,
  which use the same "%TEMP%" for unprivileged and privileged processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  decoded, it reads "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".

Fix:
~~~~
Write a Windows-conformant .INF to install the printer driver, then use
MakeCAT.exe to create a .CAT and SignTool.exe to sign it.

With this TINYPDF.INF the printer driver can be installed via
"Add Printer" as well as via the following command lines:

* "%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\PrintUI.dll",PrintUIEntry /if /f "\TINYPDF.INF" /m TinyPDF /r LPT3:

* DISM.exe /Image: /Add-Driver /Driver:"\TINYPDF.INF" ...

* DPInst.exe ... which I DON'T recommend, though!

Even Windows' setup can import it automatically from \$WinPEDriver$\
into the driver store.

JFTR: there is ABSOLUTELY no need for executable installers on Windows!
DUMP THIS CRAP!

stay tuned
Stefan Kanthak

[*] ShFolder.dll is cruft from the last millennium; it was used on
    Windows 9x without Internet Explorer 4. Since Windows 2000 there is
    ABSOLUTELY no need to use this cruft!

Timeline:
~~~~~~~~~
2012-05-24    vulnerability report sent to vendor (yes, 2012-05-24!)
              no reply, not even an acknowledgement of receipt
2016-06-06    vulnerability report sent to vendor
              no reply, not even an acknowledgement of receipt
2017-01-02    report published
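The third mitigation above (the deny-execute ACE "(D;OIIO;WP;;;WD)" on "%USERPROFILE%") as a worked example. This is added editorial code, not part of Stefan Kanthak's advisory; it assumes PowerShell 5.1 or later on Windows, an NTFS volume, and that it runs as the profile's owner or as an administrator. The function names are hypothetical.

```powershell
# Added example, not code from the advisory: apply the deny-execute ACE
# "(D;OIIO;WP;;;WD)" recommended for "%USERPROFILE%" and verify it is there.
# Assumptions: PowerShell 5.1+, NTFS, run as the profile owner or an admin.

function Add-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)

    $acl = Get-Acl -LiteralPath $Directory

    # Everyone (S-1-1-0, "WD" in SDDL) is denied FILE_EXECUTE (0x20, "WP"
    # in SDDL).  ObjectInherit + InheritOnly: the ACE is not effective on
    # the directory itself (traversal keeps working) but is inherited by
    # every file in it and, via inherit-only copies on subdirectories, by
    # every file below it -- exactly what the SDDL "OIIO" flags encode.
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Directory -AclObject $acl
}

function Test-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)

    # Get-Acl exposes the security descriptor as SDDL; look for exactly
    # the ACE the advisory names.
    $sddl = (Get-Acl -LiteralPath $Directory).Sddl
    return [bool]($sddl -match '\(D;OIIO;WP;;;WD\)')
}

# Usage: harden the current user's profile, as the advisory recommends.
Add-DenyExecuteAce -Directory $env:USERPROFILE
if (Test-DenyExecuteAce -Directory $env:USERPROFILE) {
    Write-Host "deny-execute ACE present on $env:USERPROFILE"
}
```

The same ACE can be set with the built-in tool: icacls "%USERPROFILE%" /deny *S-1-1-0:(OI)(IO)(X). Caveat for practitioners: the ACE denies execution of every file below the profile, so an installer downloaded to "Downloads" and any DLL planted next to it no longer run, but neither does software that per-user installers drop under "%LOCALAPPDATA%"; such programs must be installed per-machine instead, or the ACE removed again (icacls "%USERPROFILE%" /remove:d *S-1-1-0).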