###########################

# Heimdal Security DLL Hijacking Vulnerability

###########################

Hi @ll,

Heimdal.SetupLauncher.exe, available from
<https://heimdalprodstorage.blob.core.windows.net/setup/Heimdal.SetupLauncher.exe>
is (surprise, surprise) vulnerable to DLL hijacking: it loads (at least)
WINSPOOL.DRV from its "application directory" instead of Windows'
"system directory".

For downloaded applications like Heimdal.SetupLauncher.exe the
"application directory" is Windows' "Downloads" folder.
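A defender-side check for the condition described above, added here as an example and not part of the advisory: it lists every DLL or DRV file in a user's "Downloads" folder whose name matches a file shipped in %SystemRoot%\System32 (winspool.drv among them), since such a file is exactly what a downloaded executable resolves ahead of the system copy. The folder and the Authenticode lookup are assumptions for illustration; the advisory itself names only WINSPOOL.DRV.

```powershell
# Added example (not from the advisory): report DLL/DRV files in a Downloads
# folder that shadow a file of the same name in %SystemRoot%\System32.
param(
    # Folder to inspect; defaults to the current user's Downloads folder.
    [string]$Downloads = (Join-Path $env:USERPROFILE 'Downloads')
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Lookup table of system DLL/DRV names, lower-cased for a case-insensitive match.
$systemNames = @{}
Get-ChildItem -Path $system32 -File |
    Where-Object { $_.Extension -in '.dll', '.drv' } |
    ForEach-Object { $systemNames[$_.Name.ToLowerInvariant()] = $true }

# Every DLL/DRV in Downloads whose name collides with a System32 file is a
# hijack candidate; record its signature status so an unsigned or
# untrusted copy stands out.
$findings = Get-ChildItem -Path $Downloads -File |
    Where-Object { $_.Extension -in '.dll', '.drv' } |
    Where-Object { $systemNames.ContainsKey($_.Name.ToLowerInvariant()) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File             = $_.FullName
            ShadowsSystemDll = $true
            Signature        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LastWrite        = $_.LastWriteTime
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No DLL/DRV in $Downloads shadows a System32 file name."
}
```

Any hit is worth removing before running an installer from that folder; a copy that is unsigned or whose signer is not Microsoft deserves a closer look, because the real WINSPOOL.DRV never needs to be in "Downloads" at all.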

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> plus
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>,
<http://seclists.org/fulldisclosure/2012/Aug/134> and
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for more information.


On their web site <https://heimdalsecurity.com/en/> Heimdal Security
brags^Wlies:

| Online criminals hate us. We protect you from attacks that antivirus
| can't block.

But the opposite is true: every online criminal loves "security"
products because of such trivial-to-exploit vulnerabilities!

DLL hijacking is a 20-year-old, well-known and well-documented
vulnerability, and a typical beginner's error: see
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://capec.mitre.org/data/definitions/471.html>,
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx>
for more information.


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See <http://seclists.org/fulldisclosure/2015/Nov/101> and
  <http://seclists.org/fulldisclosure/2015/Dec/86> plus
  <http://home.arcor.de/skanthak/!execute.html> alias
  <https://skanthak.homepage.t-online.de/!execute.html> for more
  information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
  use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".
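The ACE above, applied and verified with PowerShell; this is an added example, not a script from the advisory. It builds the rule from its SDDL components (D = deny, OI = object inherit, IO = inherit only, WP = the 0x20 bit that is FILE_EXECUTE on files, WD = Everyone), adds it to one profile directory, and reads the DACL back as SDDL to confirm that "(D;OIIO;WP;;;WD)" is now present. The directory parameter and the loop over C:\Users are assumptions; run it elevated.

```powershell
# Added example (not from the advisory): add the deny-execute ACE
# (D;OIIO;WP;;;WD) to a profile directory and verify it via SDDL.
param(
    # Profile directory to protect; defaults to the current user's profile.
    [string]$ProfileDir = $env:USERPROFILE
)

function Add-DenyExecuteAce {
    param([string]$Path)

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # WD
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,      # WP (0x20)
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,    # OI: files only
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,      # IO: not the folder itself
        [System.Security.AccessControl.AccessControlType]::Deny             # D
    )

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl       # propagates the inheritable ACE to existing files
}

function Test-DenyExecuteAce {
    param([string]$Path)
    # The DACL rendered as SDDL must contain the exact ACE string from the advisory.
    (Get-Acl -Path $Path).Sddl -match '\(D;OIIO;WP;;;WD\)'
}

Add-DenyExecuteAce -Path $ProfileDir
if (Test-DenyExecuteAce -Path $ProfileDir) {
    "ACE (D;OIIO;WP;;;WD) present on $ProfileDir"
} else {
    "ACE missing on $ProfileDir; DACL is: $((Get-Acl -Path $ProfileDir).Sddl)"
}

# To cover every profile on the machine, repeat for each directory under C:\Users
# (assumed layout), e.g.:
#   Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object { Add-DenyExecuteAce -Path $_.FullName }
```

Because the ACE is inherit-only and object-inherit, the directory itself stays traversable and only files below it lose execute permission. Expect software that installs into %LOCALAPPDATA% to stop launching, which is the intended effect; test on one profile before rolling out.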

* Use SAFER alias Software Restriction Policies or AppLocker to
  enforce W^X alias "write Xor execute" in the NTFS file system:
  allow execution only below %SystemRoot% and %ProgramFiles% and
  deny it everywhere else.

  See <http://mechbgon.com/srp/index.html> or
  <http://home.arcor.de/skanthak/SAFER.html> alias
  <https://skanthak.homepage.t-online.de/SAFER.html> for more
  information.
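The W^X policy described above, expressed as a local Software Restriction Policies configuration; this is an added example, not the advisory's or mechbgon's own script. It writes the machine-wide SAFER keys that the Group Policy editor writes: DefaultLevel 0 (Disallowed) for everything, enforcement extended to DLLs, and unrestricted path rules (level 262144) for %SystemRoot% and %ProgramFiles%. The GUID rule names, the Description text and the inclusion of %ProgramFiles(x86)% are assumptions; run it elevated and sign out and in again (or reboot) for the policy to take effect.

```powershell
# Added example (not from the advisory): configure SAFER / Software Restriction
# Policies so that only %SystemRoot% and %ProgramFiles% may execute.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

Set-ItemProperty -Path $base -Name DefaultLevel       -Type DWord -Value 0   # 0 = Disallowed
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 2   # 2 = check DLLs too, not only EXEs
Set-ItemProperty -Path $base -Name PolicyScope        -Type DWord -Value 0   # 0 = apply to all users, admins included

# Allow-list: each path becomes an "Unrestricted" (level 262144 = 0x40000) path rule.
$allowed = @('%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%')

foreach ($p in $allowed) {
    $ruleKey = Join-Path $base ('262144\Paths\' + [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $p
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value "Added example: allow execution below $p"
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value (Get-Date).ToFileTime()
}

# Read the policy back so the allow-list can be reviewed before signing out.
Get-ChildItem -Path (Join-Path $base '262144\Paths') | ForEach-Object {
    [pscustomobject]@{
        Rule  = $_.PSChildName
        Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
        Level = 'Unrestricted'
    }
} | Format-Table -AutoSize
```

With DefaultLevel 0 and the rules above, a DLL planted in "Downloads" is refused even when a vulnerable installer asks for it, because the file lies outside the allowed trees; the downloaded installer itself is refused for the same reason, which is the point of the first mitigation.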

* Stay FAR away from so-called "security" products!

  See (for example)
  <http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html>
  and
  <https://medium.com/@justin.schuh/stop-buying-bad-security-prescriptions-f18e4f61ba9e#.f07b2xdow>
  for more information.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-01-13    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-21    vulnerability report resent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-31    report published


###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-02-02]

###########################