Hi @ll, several of Microsoft's Sysinternals utilities extract executables to %TEMP% and run them from there; the extracted executables are vulnerable to DLL hijacking, allowing arbitrary code execution in every user account and escalation of privilege in "protected administrator" accounts [*]. * CoreInfo.exe: extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads %TEMP%\VERSION.DLL (on Windows Vista and newer) and executes it with the callers credentials. * Disk2VHD.exe: extracts on Windows 2003 and newer, both x86 and x64, an embedded Disk2VHD-tmp.exe to %TEMP% which loads %TEMP%\UXTHEME.DLL %TEMP%\VERSION.DLL (on Windows Vista and newer), and executes it with administrative privileges on Windows Vista and newer, and with the callers credentials on Windows 2003. * DiskView.exe: extracts on x64 an embedded DiskView64.exe to %TEMP% which loads %TEMP%\UXTHEME.DLL and executes it with administrative privileges on Windows Vista and newer, and with the callers credentials on Windows 2003 and Windows XP. * ProcMon.exe: extracts on x64 an embedded ProcMon64.exe to %TEMP% which loads %TEMP%\UXTHEME.DLL, %TEMP%\VERSION.DLL (on Windows Vista and newer), and executes it with the callers credentials. * RAMMap.exe: extracts on x64 an embedded RAMMap64.exe to %TEMP% which loads %TEMP%\SETUPAPI.DLL (on Windows 2003), %TEMP%\UXTHEME.DLL, %TEMP%\VERSION.DLL (on Windows Vista and newer), and executes them with administrative privileges on Windows Vista and newer, and with the callers credentials on Windows 2003. * VMMap.exe: extracts on x64 an embedded VMMap64.exe to %TEMP% which loads %TEMP%\CLBCATQ.DLL (on Windows 2003), %TEMP%\SETUPAPI.DLL (on Windows 2003), %TEMP%\UXTHEME.DLL, %TEMP%\VERSION.DLL (on Windows Vista and newer), and executes them with the callers credentials. * ZoomIt.exe: extracts on x64 an embedded ZoomIt64.exe to %TEMP% which loads %TEMP%\SETUPAPI.DLL (on Windows 2003), %TEMP%\UXTHEME.DLL, %TEMP%\VERSION.DLL (on Windows Vista and newer) and executes them with the callers credentials. See <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html>, <https://cwe.mitre.org/data/definitions/277.html>, <https://cwe.mitre.org/data/definitions/379.html> and <https://cwe.mitre.org/data/definitions/732.html> for these WELL-KNOWN and WELL-DOCUMENTED vulnerabilities^Wbeginner's errors! Mitigations: ~~~~~~~~~~~~ * Don't use these vulnerable utilities (or other crapware which runs executables from unsafe directories like %TEMP%)! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak [*] according to Microsoft's own SIR reports, more than half of the Windows installations which send telemetry data have only one active user account, i.e. some hundred million Windows installations are susceptible to this design bug! Timeline: ~~~~~~~~~ 2015-11-02 vulnerability report sent to author and vendor NO REPLY from author 2015-11-17 vendor replies, opens MSRC case 31724 2016-01-29 vendor replies, closes MSRC case 31724: WONTFIX 2016-08-11 report published