Kaspersky Privacy Cleaner DLL Hijacking

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 549

Hi @ll,

Kaspersky's Privacy Cleaner, CleanerSetup.exe, previously available
from <https://www.kaspersky.com/free-pc-cleaner> or
<https://free.kaspersky.com/> h Hi @ll,

Kaspersky's Privacy Cleaner, CleanerSetup.exe, previously available
from <https://www.kaspersky.com/free-pc-cleaner> or
<https://free.kaspersky.com/> has the usual vulnerabilities which
almost all executable installers exhibit, plus some more:

#0: download over insecure channel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Both web pages initiated the download of CleanerSetup.exe via
<https://www.kaspersky.com/downloads/thank-you/free-pc-cleaner> from
<http://devbuilds.kaspersky-labs.com/Fast/KCLEANER/CleanerSetup.exe>
over an insecure channel: a MITM could easily intercept the connection
and send arbitrary executables to the unsuspecting downloaders, spoof
the DNS for the download server, ...

CAVEAT: several cheap skate sites like cnet.com still offer
CleanerSetup.exe for download!

<http://devbuilds.kaspersky-labs.com/Fast/KCLEANER/> not only hosted
CleanerSetup.exe, but the installation package cleaner.msi too, which
CleanerSetup.exe downloaded (see #3 below).

#1: arbitrary (remote) code execution WITH escalation of privilege
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On a fully patched Windows 7 SP1 CleanerSetup.exe loads and executes
the following Windows system DLLs from its "application directory"
instead Windows' "system directory" %SystemRoot%System32:
MSImg32.dll, UXTheme.dll, Version.dll, RichEd20.dll, MSI.dll,
Secur32.dll, SLC.dll, IPHlpAPI.dll, WinNSI.dll,
API-ms-win-downlevel-shlwapi-l2-1-0.dll, RASAPI32.dll,
RASMan.dll, RTUtils.dll, CryptSP.dll, RPCRTRemote.dll,
DNSAPI.dll, DHCPSvc.dll, DHCPSvc6.dll, RASADHlp.dll, BCrypt.dll,
PropSys.dll, NetUtils.dll, SrvCli.dll, WksCli.dll, MSIHnd.dll

On other versions of Windows this list changes, but CleanerSetup.exe
always loads and executes some DLLs from the "application directory".

This weakness is well-known and well-documented:
see <https://cwe.mitre.org/data/definitions/426.html>
and <https://cwe.mitre.org/data/definitions/427.html>
plus <https://capec.mitre.org/data/definitions/471.html>.

See <https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> for
mitigations of this beginner's error.

For software downloaded with a web browser the "application
directory" is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

If an attacker places one of the DLLs named above in the users
"Downloads" directory (for example per drive-by download, social
engineering, ...) this vulnerability becomes a remote code execution
WITH escalation of privilege.

Thanks to the embedded application manifest of the vulnerable
installer which specifies "requireAdministrator" the DLLs entry
points are called with administrative rights: PWNED!

#2: unsafe %TEMP% directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~

CleanerSetup.exe creates a subdirectory in %TEMP% where it downloads
"cleaner.msi" to.
This subdirectory inherits the access rights from its parent %TEMP%,
so an unprivileged attacker^Wuser can replace the downloaded .MSI
before it is opened by MSIEXEC.exe and let MSIEXEC.exe then perform
arbitrary actions under the SYSTEM account via the replaced *.MSI

See <https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> for this
well-known and well-documented weakness.

#3: download over insecure channel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CleanerSetup.exe uses HTTP to fetch
<http://devbuilds.kaspersky-labs.com/Fast/KCLEANER/verinfo.txt> and
<http://devbuilds.kaspersky-labs.com/Fast/KCLEANER/cleaner.msi>,
allowing an MITM attack.

Since CleanerSetup.exe performs no integrity checks on the downloaded
files any tampering goes unnoticed.

#4: the update checker/installer uses the same insecure procedure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once installed, Kaspersky Privacy Cleaner checks for updates just
like CleanerSetup.exe via insecure channel, downloads them via
insecure channel, performs no integrity checks, ...

stay tuned
Stefan Kanthak

PS: I second Eugene Kaspersky's statement
<https://eugene.kaspersky.com/2017/07/25/kl-av-for-free-secure-the-whole-world-will-be/>
on the miserability of traditional freebies and "security" products:

| There are a lot of users who don't have the ~$50 to spend on premium
| protection; therefore, they install traditional freebies (which have
| more holes than Swiss cheese for malware to slip through) or they even
| rely on Windows Defender (ye gods!).

Stop bragging, your own company's products and freebies are as bad
as those made by other snakeoil^WSwiss cheese makers!

PPS: also see Will Dormann's post
<https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html>