[Gpg4win-devel] Security Advisory Ggp4win 2015-11-25
Emanuel Schütze
emanuel.schuetze at intevation.de
Wed Nov 25 11:09:32 CET 2015
+++ Security Advisory Ggp4win 2015-11-25 +++
Affected: Gpg4win installers version 2.2.6 and before.
Criticality: medium
1. The installer will load and execute other code if it is placed
in the same directory as a DLL with the right name.
This "current directory attack" or "dll preloading attack"
can be part of a remote exploitation for example if the Gpg4win installer
is downloaded to a common Downloads directory and the attacker can previously
place files there by tricking a user or other software to download files
with a specific name to the same place. If the Gpg4win installer is
then executed, the other code may run, while the user believes
to run only the Gpg4win installer.
2. There is a "local privilege escalation" during an installer run.
Installer runs can happen during a fresh, an update install
or a deinstallation. With Windows Vista or later an administrator
can log in as user and give higher privileges to a single process
using the User Account Control mechanism (UAC). If the installer is started
in this way, there is a time window where an attacker running
with user privileges can insert code in a temporary directory
of the installer that will be executed with the higher privileges
bypassing the UAC.
Mitigation: Update to Gpg4win 2.3.0 (published today)
General precaution measure:
Always copy installers into a single new directory where
it is the only file before executing it. The reason is that
many other installers based on NSIS or other common installer technologies
on Windows are vulnerable to this kind of 'current directory attack'.
== Timeline
* 2015-11-17 problem reported to Gpg4win initiative by
Stefan Kanthak <stefan.kanthak at nexgo.de>
* 2015-11-18 Start of analysis and development of mitigations
by Werner Koch and Andre Heinecke.
* 2015-11-24 Upstream report to NSIS with solution as patch to v2.46
http://sourceforge.net/p/nsis/bugs/1125/
* 2015-11-24 Report to Debian as Gpg4win upstream provider of NSIS:
https://bugs.debian.org/806036
* 2015-11-25 Fix released with Gpg4win 2.3.0.
== Additional information
On 2015-10-28: A public report of similar problems with a Mozilla
installer component went to http://seclists.org/fulldisclosure/2015/Oct/109 .
Microsoft has published a number of reports about "DLL preloading"
or path traversal problems.
More technical details are available via the provided links.
As Gpg4win is Free Software which is developed in the open,
the source code of the used installer is publicly available
and may be inspected for details of the fix.
Advisory compiled by: Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-devel/attachments/20151125/98d1fad2/attachment.sig>
More information about the Gpg4win-devel
mailing list