###########################

# Avira Registry Cleaner DLL Hijacking Vulnerability

###########################

Hi @ll,

avira_registry_cleaner_en.exe, available from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
to clean up remnants the uninstallers of their snakeoil products
fail to remove, is vulnerable: it loads and executes WTSAPI32.dll,
UXTheme.dll and RichEd20.dll from its application directory
(tested and verified under Windows XP SP3 and Windows 7 SP1).


For software downloaded with a web browser this is typically the
"Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

Additionally see
<https://blogs.msdn.microsoft.com/oldnewthing/20101111-00/?p=12303>:
the above named DLLs are delay-loaded.
You had been warned, kids!


Due to the application manifest embedded in the executable which
specifies "requireAdministrator" Windows' "user account control"
runs it with administrative privileges ("protected" administrators
are prompted for consent, unprivileged standard users are prompted
for an administrator password); execution of WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll thus results in an escalation of privilege!

If WTSAPI32.dll, UXTheme.dll or RichEd20.dll gets planted in the
users "Downloads" directory per "drive-by download" this
vulnerability becomes a remote code execution WITH escalation of
privilege.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save
it as WTSAPI32.dll in your "Downloads" directory, then copy it
as UXTheme.dll and RichEd20.dll;

2. download avira_registry_cleaner_en.exe from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
and save it in your "Downloads" directory;

3. execute avira_registry_cleaner_en.exe from your "Downloads"
directory;

4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll placed in step 1.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-11-15 vulnerability report sent to vendor

2015-11-16 vendor acknowledges receipt

2015-11-17 vendor verifies vulnerability report and anounces to
publish a fix within two weeks

2015-11-18 asked vendor to request a CVE identifier and check
their other executable (un)installers too

2015-11-19 vendor replies:
"We updated our compiler and its runtime to a version
which should mitigate the attack vector and modified
the DLL load order"

2015-12-08 notification from vendor:
"We released a fixed version today"

2015-12-08 your "fixed" cleaner still loads the named DLLs

2015-12-09 response from vendor, asking how I verified execution
of UXTheme.dll, with screenshot of "Process Monitor"
showing the tell-tale line
"C:Users...DownloadsCRYPTBASE.dll NAME NOT FOUND"

2015-12-09 see <http://seclists.org/fulldisclosure/2015/Nov/101>

sent SAFER.log produced on Windows XP and Windows 7 to
vendor; also told them to look at the screenshot!

2015-12-17 response from vendor:
"We don't see a vulnerability in the attempt to load
CRYPTBASE.dll from the application directory as shown
by Process Monitor. We think we fixed the reported
vulnerabilities and will not provide another fix."

OUCH!
I really LOVE snakeoil vendors who DON'T care about the safety and
security of their customers.

2015-12-18 report published

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2015-12-21]

###########################