Hi @ll,

this multipart post does not require a MIME-compliant MUA.-)

Part 0:
~~~~~~~

On Windows 7 (other versions of Windows not tested for this
vulnerability, but are likely vulnerable too) all executable
installers/self-extractors based on Microsoft's SFXCAB [*]
load and execute a rogue CryptDll.dll from their application
directory instead of %SystemRoot%\System32\CryptDll.dll.


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior
art" about this well-known and well-documented vulnerability;
also see <https://cwe.mitre.org/data/definitions/426.html>
and <https://cwe.mitre.org/data/definitions/427.html>
plus <https://capec.mitre.org/data/definitions/471.html>

If an attacker places CryptDll.dll in the user's "Downloads"
directory (for example per "drive-by download" or "social
engineering") this vulnerability becomes a remote code execution.

The application manifest embedded in many/most of these
executables specifies "requireAdministrator", so execution of
CryptDll.dll results in an escalation of privilege then!


Proof of concept/demonstration:

1. Download <http://home.arcor.de/skanthak/download/CRYPTDLL.DLL>
   and save it in your "Downloads" directory;

2. Download an arbitrary executable installer/self-extractor based
   on SFXCAB [*] from the Microsoft Download Center and save it in
   your "Downloads" directory, for example:

   2.a MSEInstall.exe via
       <https://www.microsoft.com/en-us/download/details.aspx?id=5201>

   2.b mssstool32.exe via
       <http://go.microsoft.com/fwlink/?LinkID=234123>

   2.c ImagePackage32.exe via
       <http://go.microsoft.com/fwlink/?LinkID=267537> or
       <http://go.microsoft.com/fwlink/?LinkID=232568>

   2.d VCRedist_x86.exe via
       <https://www.microsoft.com/en-us/download/details.aspx?id=40784>
       <https://www.microsoft.com/en-us/download/details.aspx?id=30679>
       <https://www.microsoft.com/en-us/download/details.aspx?id=8328>
       <https://www.microsoft.com/en-us/download/details.aspx?id=5555>
       ...

   2.e VC-Compiler-KB2519277.exe via
       <http://www.microsoft.com/en-us/download/details.aspx?id=4422>

   (several hundred to thousand vulnerable installers omitted ...)

   2.zzz
       Silverlight.exe via
       <http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx>

3. Run any executable installer/self-extractor based on SFXCAB from
   your "Downloads" directory;

4. Notice the message boxes displayed from CryptDll.dll downloaded
   in step 1: PWNED!


Response from Microsoft's Security Response Center:

| Upon investigation this application directory binary planting
| issue does not meet the bar for security servicing.


See but CVE-2016-0014 alias MS16-007, CVE-2014-0315 alias MS14-019,
CVE-2015-8264, CVE-2016-1281, CVE-2016-0603, CVE-2016-0602 and many
more fixed vulnerabilities of exactly this kind!


Part 1: MSRC case 31723
~~~~~~~~~~~~~~~~~~~~~~~

On all supported versions of Windows the AntiMalware Definition
Updaters MPAM-D.exe and MPAM-FE[x64].exe
(see <https://support.microsoft.com/en-us/kb/935934>,
<https://technet.microsoft.com/en-us/library/gg398041.aspx> and
<https://www.microsoft.com/security/portal/definitions/adl.aspx>)
load and execute a rogue Cabinet.dll from their application
directory instead of %SystemRoot%\System32\Cabinet.dll


Proof of concept/demonstration:

1. Download <http://home.arcor.de/skanthak/download/CABINET.DLL>
   and save it in your "Downloads" directory;

2. download MPAM-D.exe or MPAM-FE.exe and save it in your
   "Downloads" directory;

3. Run MPAM-D.exe or MPAM-FE.exe;

4. Notice the message boxes displayed from Cabinet.dll downloaded
   in step 1: PWNED!


Response from Microsoft's Security Response Center:

| Since this requires a user to run executables or installers from
| an untrusted location it does not meet the bar for servicing via
| bulletin.


Apparently the MSRC never read the instructions given on
<https://www.microsoft.com/security/portal/definitions/adl.aspx>

| Antimalware and antispyware updates
...
| To download these updates:
| 1. Check whether your version of Windows is 32-bit or 64-bit.
| 2. In the table below, right-click on the link that will work
|    for your version of Windows and choose Save target as... or
|    Save link as...
| 3. Save the file to your Desktop.
| 4. When the file has finished downloading, go to your Desktop
|    and double-click the file (it will be called mpam-fe.exe,
|    mpas-fe.exe, or mpam-feX64.exe).
| 5. Follow the prompts to install the update.

and considers the "Desktop" an trusted location, despite
<https://support.microsoft.com/en-us/kb/959426> alias
<https://technet.microsoft.com/en-us/library/ms09-014.aspx> plus
<https://blogs.technet.com/b/srd/archive/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability.aspx>,
<https://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx>
and 
<https://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx>


Part 2: MSRC case 32352
~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7 (other versions of Windows not tested for this
vulnerability, but are likely vulnerable too) LoadLibrary("URL.dll")
as well as LoadLibrary("C:\Windows\System32\URL.dll) load and execute
a rogue OLEAcc.dll from the application directory of the calling
program instead of %SystemRoot%\System32\OLEAcc.dll.


Proof of concept/demonstration:

Adapt the PoC from part 3.

JFTR: URL.dll is a load-time dependency of quite some other DLLs
      and programs!


Part 3: MSRC case 32432
~~~~~~~~~~~~~~~~~~~~~~~

On Windows XP and its still (til April 2019) serviced cousin
Windows Embedded POSReady 2009 LoadLibrary("CryptUI.dll") as
well as LoadLibrary("C:\Windows\System32\CryptUI.dll") load
a rogue RichEd20.dll from the application directory of the
calling program instead of %SystemRoot%\System32\RichEd20.dll


Proof of concept/demonstration:

1. Compile and link the following program as CryptUI.exe:

    #include <windows.h>

    void WinMainCRTStartup(void)
    {
        HMODULE hModule = INVALID_HANDLE_VALUE;
        if ((hModule = LoadLibrary("CryptUI.dll")) == NULL)
            ExitProcess(GetLastError());
        if (!FreeLibrary(hModule))
            ExitProcess(GetLastError());
        ExitProcess(0L);
    }

   or download the compiled program from
   <http://home.arcor.de/skanthak/temp/CRYPTUI.EXE>, then save
   it in your "Downloads" directory;

2. Download <http://home.arcor.de/skanthak/download/RICHED20.DLL>
   and save it in your "Downloads" directory;

3. Run CryptUI.exe;

4. Notice the message boxes displayed from RichEd20.dll downloaded
   in step 2: PWNED!

JFTR: CryptUI.dll is a dependency of quite some other DLLs, for
      example ShDocVw.dll and URL.dll.


Response from Microsoft's Security Response Center:

| This is an application directory behavior and it does not
| currently meet the bar for a security servicing update.


Of course Microsoft's own documentation advises how to avoid
these bloody beginner's errors: see
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library
    ~~~~~~
|   location is constant.


Part 4: MSRC case 32250
~~~~~~~~~~~~~~~~~~~~~~~

On Windows 7, Windows XP and its still (til April 2019) serviced
cousin Windows Embedded POSReady 2009 (other versions of Windows
not tested for this vulnerability, but are likely vulnerable too)
ShellExecuteEx() and ShellExecute() load and execute several DLLs
from the application directory of the calling program instead the
system directory %SystemRoot%\System32\


Proof of concept/demonstration:

1. Compile and link the following program as ShlExecX.exe:

    #include <windows.h>
    #include <shellapi.h>
    #include <objbase.h>

    void WinMainCRTStartup(void)
    {
        HRESULT hr = S_OK;
        DWORD dwError = ERROR_SUCCESS;
        SHELLEXECUTEINFO sei = {sizeof(sei)};
        if ((hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED
                                     | COINIT_DISABLE_OLE1DDE)) != S_OK)
            dwError = hr;
        else
        {
            sei.fMask = SEE_MASK_FLAG_DDEWAIT;
            sei.nShow = SW_SHOWNORMAL;
            sei.lpFile = ".";        // try "*" or other names too!
            sei.lpVerb = NULL;
            if (!ShellExecuteEx(&sei))
                dwError = GetLastError();
        }
        CoUninitialize();
        ExitProcess(dwError);
    }

   or download the compiled program from
   <http://home.arcor.de/skanthak/temp/SHLEXECX.EXE>
   and save it in your "Downloads" directory;

   An alternative version which calls ShellExecute() instead of
   ShellExecuteEx() is available as
   <http://home.arcor.de/skanthak/temp/SHLEXEC.EXE>

2. Download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and save it as DWMAPI.dll in your "Downloads" directory,
   then copy it as SetupAPI.dll, COMRes.dll and ClbCatQ.dll;

3. Download <http://home.arcor.de/skanthak/download/WTSAPI32.DLL>,
   <http://home.arcor.de/skanthak/download/UXTHEME.DLL>,
   <http://home.arcor.de/skanthak/download/RICHED20.DLL> and
   save them in your "Downloads" directory;

4. Run ShlExecX.exe or ShlExec.exe;

5. Notice the message boxes displayed from the DLLs downloaded
   in steps 2 and 3: PWNED!


No response from Microsoft's Security Response Center since 10 weeks!
No answer to a status request since 10 days.


stay tuned
Stefan Kanthak


[*] executable installers/self-extractor based on SFXCAB.EXE may
    be identified via their embedded manifest (resource type 24,
    resource id 1):

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="sfxcab.exe" type="win32">
                                                                  ~~~~~~~~~~~~~~~~~
  </assemblyIdentity>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
      <ms_asmv2:security>
         <ms_asmv2:requestedPrivileges>
            <ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false">
            </ms_asmv2:requestedExecutionLevel>
         </ms_asmv2:requestedPrivileges>
      </ms_asmv2:security>
   </ms_asmv2:trustInfo>
</assembly>

    or

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="6.3.18.0" processorArchitecture="X86" name="sfxcab" type="win32">
                                                                   ~~~~~~~~~~~~~
  </assemblyIdentity>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
    </application>
  </compatibility>
  <description>setup</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false">
        </requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>