[Nasm-bugs] [Bug 3392457] New: DLL hijacking in NASM installer leading to arbitrary code execution ( stable release )
no-reply at bugzilla-nasm.gorcunov.org
Tue Jan 2 11:45:45 PST 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392457
Bug ID: 3392457
Summary: DLL hijacking in NASM installer leading to arbitrary
code execution ( stable release )
Product: NASM
Version: 2.13.xx
Hardware: PC
OS: Windows
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: Souhardya at protonmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
*Summary:*
NASM contains a privilege escalation vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system and gain elevated privileges. The vulnerability exists because a
DLL file is loaded improperly by 'nasm-2.13.02-installer'. This allows an
attacker to load a DLL file of the attacker's choosing, which could
execute arbitrary code without the user's knowledge.
*Affected Product*:
NASM for Windows PC
*Tested on*: Windows 7
*Impact:*
An attacker can exploit this vulnerability to load a DLL file of the
attacker's choosing that could execute arbitrary code. This may help an
attacker to successfully exploit the system if the user creates a shell as a DLL.
*Vulnerability Scoring Details:*
The vulnerability classification has been performed by using the CVSSv2
scoring system (http://www.first.org/cvss/).
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
*More Details*:
For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
If an attacker places a malicious DLL in the user's "Downloads" directory
(for example per "drive-by download" or "social engineering") this
vulnerability becomes an arbitrary code execution.
1. Create a malicious 'dwmapi.dll' file and save it in your "Downloads"
directory.
2. Download 'nasm-2.13.02-installer' and save it in your "Downloads" directory.
3. Execute nasm-2.13.02-installer.exe from your "Downloads" directory.
4. Malicious dll file gets executed.
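A defensive check for the condition the report describes, added here as an example and not part of the original report or of NASM: before an installer is run from "Downloads", list any DLL in that directory whose name matches a system DLL, since the application directory is searched first for a DLL loaded by bare name. The function names and the sample folder contents are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

def system_dll_names(system_dir=None):
    """Lower-cased names of DLLs in the Windows system directory (empty set elsewhere)."""
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    root = Path(system_dir or default)
    if not root.is_dir():
        return set()
    return {p.name.lower() for p in root.iterdir() if p.suffix.lower() == ".dll"}

def audit_directory(directory, known_system_dlls):
    """Return (executables, shadowing_dlls) for one directory, non-recursive.

    A DLL "shadows" a system DLL when it has the same name (case-insensitive)
    and sits beside an executable, i.e. in what becomes the application
    directory once that executable is started from there.
    """
    known = {n.lower() for n in known_system_dlls}
    exes, dlls = [], []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        suffix = entry.suffix.lower()
        if suffix == ".exe":
            exes.append(entry.name)
        elif suffix == ".dll" and entry.name.lower() in known:
            dlls.append(entry.name)
    # Without an executable in the folder there is nothing to load the DLL.
    return exes, (dlls if exes else [])

def demo():
    """Constructed sample: a fake Downloads folder holding empty placeholder files."""
    names = ("nasm-2.13.02-installer.exe", "DWMAPI.dll", "notes.txt", "vendor_plugin.dll")
    with tempfile.TemporaryDirectory() as downloads:
        for name in names:
            Path(downloads, name).touch()
        # Constructed stand-in for the System32 listing so the demo runs anywhere.
        return audit_directory(downloads, {"dwmapi.dll", "version.dll"})

if __name__ == "__main__":
    exes, suspicious = demo()
    print("executables:", exes)
    print("DLLs shadowing system names:", suspicious)
```

On a Windows host, pass `system_dll_names()` as the second argument to compare against the real System32 listing; any DLL reported should be removed or the installer moved to an empty directory before it is run.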