[Gpg4win-users-en] Security Advisory Gpg4win 2015-11-25

Emanuel Schütze emanuel.schuetze at intevation.de
Wed Nov 25 11:09:32 CET 2015


+++ Security Advisory Gpg4win 2015-11-25 +++

Affected: Gpg4win installers up to and including version 2.2.6.

Criticality: medium

1. The installer loads and executes other code if a DLL with the right
name is placed in the same directory as the installer.
This "current directory attack" or "DLL preloading attack"
can be part of a remote exploitation: for example, the Gpg4win installer
is downloaded to a common Downloads directory, and the attacker has previously
placed a file with the specific name there by tricking the user or other
software into downloading it to the same place. If the Gpg4win installer is
then executed, the attacker's code runs, while the user believes that
only the Gpg4win installer is running.

2. There is a local privilege escalation during an installer run.
Installer runs happen for a fresh install, an update install
or a deinstallation. On Windows Vista or later, an administrator
can log in as an ordinary user and grant higher privileges to a single process
using the User Account Control mechanism (UAC). If the installer is started
in this way, there is a time window in which an attacker running
with user privileges can insert code into a temporary directory
of the installer; that code is then executed with the higher privileges,
bypassing UAC.


Mitigation: Update to Gpg4win 2.3.0 (published today)

General precaution measure:
  Always copy an installer into a new directory where it is the only
  file before executing it. The reason is that many other installers
  based on NSIS or other common installer technologies on Windows are
  vulnerable to this kind of 'current directory attack'. Note that this
  precaution addresses problem 1 only; the temporary-directory race
  described under problem 2 is closed by the update.
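As an added example (not part of this advisory and not Gpg4win project code), the following Python script implements the precaution above: it reports any DLLs lying next to the installer, which are the candidates for a DLL preloading attack, and copies the installer into a freshly created directory where it is the only file. The demo at the bottom constructs a fake Downloads directory with a placeholder installer and a planted, empty DLL; the file names are made up for illustration.

```python
"""Stage a Windows installer alone in a new directory before running it.

Added example for the "copy the installer into a directory of its own"
precaution. It lists DLLs co-located with the installer and copies the
installer into a newly created, otherwise empty directory.
"""
import shutil
import tempfile
from pathlib import Path


def colocated_dlls(installer):
    """Return the names of .dll files in the installer's own directory.

    Windows resolves a DLL that a program loads by bare name from the
    program's directory before the system directories (unless the DLL is on
    the KnownDLLs list), so any DLL next to the installer is a candidate
    for being loaded in place of the intended one.
    """
    directory = Path(installer).resolve().parent
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def stage_installer(installer, dest_root=None):
    """Copy the installer into a brand-new directory and verify it is alone.

    Returns the path of the staged copy. The new directory is created
    under dest_root (the system temp directory if None).
    """
    src = Path(installer).resolve()
    stage_dir = Path(tempfile.mkdtemp(prefix="staged-installer-", dir=dest_root))
    staged = stage_dir / src.name
    shutil.copy2(src, staged)
    # mkdtemp created the directory for us, so nothing else belongs in it;
    # fail closed if anything else appeared in the meantime.
    extras = [p.name for p in stage_dir.iterdir() if p != staged]
    if extras:
        raise RuntimeError(f"staging directory not empty: {extras}")
    return staged


def prepare(installer, dest_root=None):
    """Check the download directory, then stage. Returns (dlls_found, staged_path)."""
    found = colocated_dlls(installer)
    staged = stage_installer(installer, dest_root)
    return found, staged


if __name__ == "__main__":
    # Constructed scenario: a "Downloads" directory holding the installer
    # and a planted DLL (an empty file standing in for attacker code).
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    installer = downloads / "gpg4win-2.2.6.exe"   # placeholder, not a real installer
    installer.write_bytes(b"MZ placeholder")
    (downloads / "planted.dll").write_bytes(b"")  # hypothetical planted DLL

    dlls, staged = prepare(installer)
    print("DLLs next to installer:", dlls)
    print("staged copy:", staged)
    print("files in staging directory:", [p.name for p in staged.parent.iterdir()])
    # On a real system you would now execute the staged copy, not the original.
```

The script only reports and stages; whether the listed DLLs are malicious is left to the reader, since the advisory does not name the DLLs involved. Run the staged copy rather than the file in Downloads.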

== Timeline
* 2015-11-17 Problem reported to the Gpg4win initiative by
             Stefan Kanthak <stefan.kanthak at nexgo.de>
* 2015-11-18 Start of analysis and development of mitigations
             by Werner Koch and Andre Heinecke.
* 2015-11-24 Upstream report to NSIS, with the solution as a patch against v2.46:
             http://sourceforge.net/p/nsis/bugs/1125/
* 2015-11-24 Report to Debian, which provides the NSIS package used by Gpg4win:
             https://bugs.debian.org/806036
* 2015-11-25 Fix released with Gpg4win 2.3.0.

== Additional information

On 2015-10-28, a public report of similar problems with a Mozilla
installer component was posted to http://seclists.org/fulldisclosure/2015/Oct/109 .

Microsoft has published a number of reports about "DLL preloading"
(also called "insecure library loading") problems.

More technical details are available via the links above.
As Gpg4win is Free Software developed in the open,
the source code of the installer is publicly available
and may be inspected for details of the fix.

Advisory compiled by: Bernhard Reiter