Hi @ll,

in response to <http://seclists.org/fulldisclosure/2016/Jan/24> EmsiSoft fixed some of the DLL hijacking vulnerabilities in some of their executable installers and unpackers.

EmsisoftEmergencyKit.exe still has beginner's errors which allow escalation of privilege for EVERY local user:

0. while the self-extracting WinRAR archive EmsisoftEmergencyKit.exe doesn't load DLLs from its "application directory" any more, its payload but shows this vulnerability!

1. due to "requireAdministrator" in its application manifest the self-extractor runs with administrative rights, although it neither needs them nor uses them.

2. it creates the directory "%SystemDrive%\EEK" and unpacks its payload into it.

   JFTR: since it runs with administrative rights the self-extractor could create "%SystemDrive%\EEK" with an ACL that only allows write-access for administrators, or use "%ProgramFiles%\EmsiSoft\Emergency Kit" instead.

   This directory inherits the ACL of its parent, %SystemDrive%, which allows write access for unprivileged users; they can thus modify all files extracted there or add files, for example a "%SystemDrive%\EEK\Version.dll".
   Also give NetAPI32.dll, NetUtils.dll, SrvCli.dll, WksCli.dll, PropSys.dll, AppHelp.dll, NTMarta.dll, Secur32.dll, MPR.dll and CSCAPI.dll a try.

3. the programs "%SystemDrive%\EEK\Start Commandline Scanner.exe" and "%SystemDrive%\EEK\Start Emergency Kit Scanner.exe" have "requireAdministrator" in their application manifests too: they load and execute the DLLs named above from "%SystemDrive%\EEK" with administrative rights.

4. the other programs extracted to "%SystemDrive%\EEK\bin32" and "%SystemDrive%\EEK\bin64" are also run with administrative rights.

5. of course the programs in "%SystemDrive%\EEK\bin32" and "%SystemDrive%\EEK\bin64" load and execute DLLs from their "application directory" (which is writable for everyone) too.

And one more:

6. the OpenSSL libraries shipped are from version 1.0.2d and have multiple vulnerabilities which have been fixed in version 1.0.2j.

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~
2016-08-29    vulnerability report sent to vendor
2016-08-29    vendor acknowledges vulnerability, promises to update at least the OpenSSL libraries, and asks the author of WinRAR to add a directive to protect the created EEK directory
2016-11-17    vendor fixed NOTHING in the past ELEVEN weeks, and does not react any more -> report published
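As an added example (not part of Kanthak's post or Emsisoft's code): a PowerShell audit that reports whether a directory such as "%SystemDrive%\EEK" grants write access to principals every local user belongs to, and a helper that creates a directory with the administrators-only ACL the JFTR above suggests. The set of "unprivileged" SIDs and the read-only grant to Users are my assumptions, not something the post states.

```powershell
# Constructed example: audit a directory's ACL for write access granted to
# unprivileged principals, and create one that only administrators can write to.
$Path = Join-Path $env:SystemDrive 'EEK'   # directory named in the advisory

# Well-known SIDs that every local user carries (assumed list, not from the post).
$UnprivilegedSids = @('S-1-1-0',      # Everyone
                      'S-1-5-11',     # Authenticated Users
                      'S-1-5-32-545', # BUILTIN\Users
                      'S-1-5-4')      # INTERACTIVE
# Any of these rights lets a caller add or replace a file (e.g. Version.dll).
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::Write

function Test-WorldWritableDirectory {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account: skip
        if ($UnprivilegedSids -contains $sid) {
            [PSCustomObject]@{ Path = $Directory; Principal = $ace.IdentityReference
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function New-AdminOnlyDirectory {
    param([Parameter(Mandatory)][string]$Directory)
    $null = New-Item -ItemType Directory -Path $Directory -Force
    $sec = Get-Acl -LiteralPath $Directory
    $sec.SetAccessRuleProtection($true, $false)   # stop inheriting the parent's permissive ACL
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(@('S-1-5-32-544', 'FullControl'),      # BUILTIN\Administrators
               @('S-1-5-18',     'FullControl'),      # NT AUTHORITY\SYSTEM
               @('S-1-5-32-545', 'ReadAndExecute'))   # BUILTIN\Users: read/execute only
    foreach ($r in $rules) {
        $id = New-Object System.Security.Principal.SecurityIdentifier $r[0]
        $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $r[1], $inherit, $prop, 'Allow')))
    }
    Set-Acl -LiteralPath $Directory -AclObject $sec
}

# Report any unprivileged write grant; an empty result means no such grant was found.
Test-WorldWritableDirectory -Directory $Path | Format-Table -AutoSize
```

New-AdminOnlyDirectory needs to run elevated, which is exactly the situation the self-extractor is in.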