
Re: Bug#806036: Privilege escalation and code execution vulnerabilities in generated NSIS installers



Dear Security Team,
Dear Debian-Boot,

Andre reported this bug on Nov 24, and I have now uploaded the new 
NSIS version to unstable that fixes this bug.

In Debian, there's at least one NSIS installer shipped in packages: 
win32-loader, which is shipped on our CDs and from the mirrors.

Would it be useful to upload a fixed NSIS to {oldold,old,}stable, and 
rebuild win32-loader on all affected suites?

Cheers,

OdyX

Le mardi, 24 novembre 2015, 16.18:57 Andre Heinecke a écrit :
> Installers generated by NSIS 2.46 are vulnerable to attacks that can
> lead to code execution and privilege escalation (if the installer is
> running with elevated privileges).
> 
> This has been reported to us at Gpg4win (www.gpg4win.org) which is
> built under Debian GNU/Linux. We saw no other option to mitigate the
> attacks than to patch our version of NSIS.
> 
> We've also reported this upstream today:
> https://sourceforge.net/p/nsis/bugs/1125/
> 
> Background: Windows loads libraries that are not "Known DLLs" from
> the directory of the executable first. As NSIS uses direct loading
> through LoadLibrary / LoadLibraryEx system calls, and links a not
> "Well Known" library (version.dll), placing libraries with standard
> names like shfolder.dll or version.dll in the same folder as an NSIS
> installer (usually the Downloads folder) will load those libraries in
> the context of the installer. An attacker could cause these libraries
> to be executed in the context of the installer.
> 
> This is especially problematic for signed installers and installers
> that require elevated (Administrator) privileges for installation, as
> this bypasses the signature validation and can be used for a
> privilege escalation.
> 
> Additionally, NSIS uses an insecure temporary directory that can be
> modified with normal user access rights in case of an elevated
> installation. This can be used to modify plugins in that directory,
> which then will be loaded with higher privileges. There is also a
> temporary file race on uninstallation, where the uninstaller is copied
> into a temporary directory and afterwards executed with elevated
> privileges.
> 
> More details and descriptions about how we mitigate these attacks are
> available in the NSIS bug report.
> 
> Attached are the patches we are planning to use with NSIS to prepare
> our next gpg4win release. They can be applied in the order of their
> names to the Debian version of NSIS and compile on wheezy and jessie.

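The search-order condition Andre describes (a library that is not on the Windows KnownDLLs list is resolved from the executable's own directory before the system directory) can be audited before an installer is run. The following is an added example, not code from this thread, from NSIS or from Gpg4win: it models that rule and scans a directory for installer executables that sit beside a DLL which would be picked up from there. The KNOWN_DLLS set is a small constructed subset of the real list and is not authoritative; the two highlighted names (version.dll, shfolder.dll) are the ones the report mentions.

```python
"""Audit a download directory for the DLL co-location condition described in
Bug#806036. Added example, not part of the original report or of NSIS.

Assumptions (not from the report): KNOWN_DLLS is a constructed subset of the
Windows KnownDLLs list; the sample directory in demo() is constructed.
"""
import os
import tempfile
from dataclasses import dataclass

# Constructed subset of KnownDLLs: Windows resolves these from System32
# regardless of what sits beside the executable, so they are not flagged.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}

# Library names the report says NSIS 2.46 installers load by bare name.
REPORT_NAMED = {"version.dll", "shfolder.dll"}


@dataclass(frozen=True)
class Finding:
    installer: str      # executable that would perform the load
    dll: str            # DLL that would be resolved from the same directory
    named_in_report: bool


def resolves_from_app_dir(dll_name: str) -> bool:
    """Model of the rule in the report: a DLL that is not a KnownDLL is
    looked up in the executable's directory before the system directory."""
    return dll_name.lower() not in KNOWN_DLLS


def resolve(dll_name: str, app_dir: str, system_dir: str) -> str:
    """Return the path a bare-name LoadLibrary would settle on under that
    rule, given which files exist in the two candidate directories."""
    candidate = os.path.join(app_dir, dll_name)
    if resolves_from_app_dir(dll_name) and os.path.exists(candidate):
        return candidate
    return os.path.join(system_dir, dll_name)


def audit_directory(path: str) -> list[Finding]:
    """Pair every .exe in `path` with every .dll beside it that the search
    order would load from `path` rather than from the system directory."""
    entries = os.listdir(path)
    exes = [e for e in entries if e.lower().endswith(".exe")]
    dlls = [e for e in entries if e.lower().endswith(".dll")]
    findings = [
        Finding(exe, dll, dll.lower() in REPORT_NAMED)
        for exe in exes
        for dll in dlls
        if resolves_from_app_dir(dll)
    ]
    return sorted(findings, key=lambda f: (f.installer, f.dll))


def demo() -> list[Finding]:
    """Constructed sample: one installer, one KnownDLL name (ignored) and
    two names that would be resolved from the download directory."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("installer.exe", "version.dll", "kernel32.dll", "helper.dll"):
            open(os.path.join(d, name), "wb").close()
        return audit_directory(d)


if __name__ == "__main__":
    for f in demo():
        note = " (named in the report)" if f.named_in_report else ""
        print(f"{f.installer}: {f.dll} would be loaded from this directory{note}")
```

Pointing audit_directory() at a real Downloads folder lists which installers would load a co-located DLL; a clean result does not prove an installer safe (the report also describes the temporary-directory issues, which this check does not cover), but a hit is worth moving the installer to an empty directory before running it.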

