Hi @ll,

several of Microsoft's Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in "protected
administrator" accounts [*].

* CoreInfo.exe:
  extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
    %TEMP%\VERSION.DLL (on Windows Vista and newer)
  and executes it with the callers credentials.

* Disk2VHD.exe:
  extracts on Windows 2003 and newer, both x86 and x64, an embedded
  Disk2VHD-tmp.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes it with administrative privileges on Windows Vista
  and newer, and with the callers credentials on Windows 2003.

* DiskView.exe:
  extracts on x64 an embedded DiskView64.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL
  and executes it with administrative privileges on Windows Vista
  and newer, and with the callers credentials on Windows 2003 and
  Windows XP.

* ProcMon.exe:
  extracts on x64 an embedded ProcMon64.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes it with the callers credentials.

* RAMMap.exe:
  extracts on x64 an embedded RAMMap64.exe to %TEMP% which loads
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes them with administrative privileges on Windows Vista
  and newer, and with the callers credentials on Windows 2003.

* VMMap.exe:
  extracts on x64 an embedded VMMap64.exe to %TEMP% which loads
    %TEMP%\CLBCATQ.DLL (on Windows 2003),
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes them with the callers credentials.

* ZoomIt.exe:
  extracts on x64 an embedded ZoomIt64.exe to %TEMP% which loads
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer)
  and executes them with the callers credentials.


See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://cwe.mitre.org/data/definitions/277.html>,
<https://cwe.mitre.org/data/definitions/379.html> and
<https://cwe.mitre.org/data/definitions/732.html> for these
WELL-KNOWN and WELL-DOCUMENTED vulnerabilities^Wbeginner's
errors!


Mitigations:
~~~~~~~~~~~~

* Don't use these vulnerable utilities (or other crapware
  which runs executables from unsafe directories like %TEMP%)!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak

[*] according to Microsoft's own SIR reports, more than half of
    the Windows installations which send telemetry data have only
    one active user account, i.e. some hundred million Windows
    installations are susceptible to this design bug!


Timeline:
~~~~~~~~~

2015-11-02    vulnerability report sent to author and vendor

              NO REPLY from author

2015-11-17    vendor replies, opens MSRC case 31724

2016-01-29    vendor replies, closes MSRC case 31724: WONTFIX

2016-08-11    report published