[Nasm-bugs] [Bug 3392457] New: DLL hijacking in NASM installer leading to arbitrary code execution ( stable release )

no-reply at bugzilla-nasm.gorcunov.org
Tue Jan 2 11:45:45 PST 2018


https://bugzilla.nasm.us/show_bug.cgi?id=3392457

            Bug ID: 3392457
           Summary: DLL hijacking in NASM installer leading to arbitrary
                    code execution ( stable release )
           Product: NASM
           Version: 2.13.xx
          Hardware: PC
                OS: Windows
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: Souhardya at protonmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

*Summary:*
NASM contains a privilege escalation vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system and gain elevated privileges. The vulnerability exists because a
DLL file is loaded improperly by 'nasm-2.13.02-installer', which allows an
attacker to load a DLL file of the attacker's choosing that could
execute arbitrary code without the user's knowledge.

*Affected Product*:
NASM for Windows PC

*Tested on*: Windows 7

*Impact:*
An attacker can exploit this vulnerability to load a DLL file of the
attacker's choosing that could execute arbitrary code. This may help the
attacker to successfully exploit the system if the user creates a shell as a DLL.

*Vulnerability Scoring Details:*
The vulnerability classification has been performed by using the CVSSv2
scoring system (http://www.first.org/cvss/).
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


*More Details*:
For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>


If an attacker places a malicious DLL in the user's "Downloads" directory
(for example via a "drive-by download" or "social engineering"), this
vulnerability becomes an arbitrary code execution.

1. Create a malicious 'dwmapi.dll' file and save it in your "Downloads"
directory.

2. Download 'nasm-2.13.02-installer' and save it in your "Downloads" directory.

3. Execute nasm-2.13.02-installer.exe from your "Downloads" directory.

4. The malicious DLL file gets executed.
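The condition the report describes can be checked for before an installer is launched: any DLL sitting in the same directory as a freshly downloaded installer shadows the system copy of a same-named library during DLL resolution, so its presence is itself the signal. The script below is an added example (not code from the reporter or the NASM project) that scans the installer's directory, flags every DLL found there, marks the name this report cites (dwmapi.dll) specially, and records a SHA-256 of each flagged file for an incident log. The demo directory it builds is a constructed stand-in for a "Downloads" folder with placeholder file contents; the name set is an assumption the reader can extend.

```python
"""Pre-launch check for DLLs planted beside a downloaded installer.

Added example for this report; not code from the reporter or the NASM
project. It models the layout the report describes: a DLL placed next to
'nasm-2.13.02-installer.exe' (here, dwmapi.dll) is picked up from the
application directory when the installer runs.
"""
import hashlib
import tempfile
from pathlib import Path

# DLL name the report says the installer loads from its own directory.
# Extending this set with further names is the reader's choice (assumption).
REPORTED_DLL_NAMES = {"dwmapi.dll"}


def sha256_of(path):
    """Hex SHA-256 of a file, so a finding can be recorded in an IR log."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_dlls(installer_path):
    """Return [(path, reason, sha256)] for every DLL in the installer's directory.

    Any DLL beside a freshly downloaded installer is suspicious: the
    application directory is searched early in Windows DLL resolution, so a
    same-named file there shadows the system copy. Names are compared
    case-insensitively because Windows file name lookups are.
    """
    app_dir = Path(installer_path).parent
    findings = []
    for entry in sorted(app_dir.iterdir(), key=lambda p: p.name.lower()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        if entry.name.lower() in REPORTED_DLL_NAMES:
            reason = "name matches a DLL the installer is reported to load from its directory"
        else:
            reason = "unexpected DLL beside a downloaded installer"
        findings.append((entry, reason, sha256_of(entry)))
    return findings


def is_safe_to_run(installer_path):
    """True only when no DLL at all sits next to the installer."""
    return not find_planted_dlls(installer_path)


def build_demo_downloads(plant_dlls=True):
    """Create a constructed 'Downloads' directory and return the installer path.

    File contents are placeholders, not real binaries. With plant_dlls=True the
    layout reproduces the report (a dwmapi.dll beside the installer) plus one
    unrelated stray DLL; with plant_dlls=False only the installer is present.
    """
    downloads = Path(tempfile.mkdtemp(prefix="downloads-demo-"))
    installer = downloads / "nasm-2.13.02-installer.exe"
    installer.write_bytes(b"MZ placeholder installer")
    (downloads / "readme.txt").write_text("not a DLL\n")
    if plant_dlls:
        # Mixed case on purpose: the check must still match 'dwmapi.dll'.
        (downloads / "Dwmapi.dll").write_bytes(b"MZ placeholder planted dll")
        (downloads / "other.dll").write_bytes(b"MZ placeholder stray dll")
    return installer


if __name__ == "__main__":
    installer = build_demo_downloads()
    for path, reason, digest in find_planted_dlls(installer):
        print(f"{path.name}: {reason} (sha256 {digest[:16]}...)")
    print("safe to run:", is_safe_to_run(installer))
```

Running it against the constructed directory reports both DLLs and returns "safe to run: False"; the same functions can be pointed at a real installer path. The check deliberately treats every DLL as a finding rather than only the cited name, since the set of libraries an installer resolves from its directory is not fixed across versions.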
