The vulnerability is in the form of DLL Hijacking.
The installers try to load DLLs that don’t exist from their current directory.
For our Driver .exe, the installer tries to load a DLL named “RICHED20.dll”. By doing so, he can quickly escalate its privileges.
Additional missing DLL List:
1. LZ32.dll
2. VERSION.dll
3. WINMM.dll
4. msi.dll
5. DNSAPI.dll
6. WINMMBASE.dll
7. PROPSYS.dll
8. RICHED32.dll
9. USP10.dll
10. msls31.dll
11. sfc_os.dll
Steps to reproduce:
1. Use DLL proxy to OS DLLs, I assume you don't need source code of an exploit doing that.
2. Place the malicious dll in the current directory of the installer
3. Finally, the installer tries to load DLLs from the current directory like RICHED20.dll for our Driver .exe and many more dlls that could also be hijacked.
Impact:
1. Privilege Escalation
2. DoS
Mitigation:
Don’t load DLLs from the current directory
We use InstallShield 2015 Premier.
Do you know which InstallShield version resolved this security issue?
Or does this security issue still remain in the most recent InstallShield version?
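A defender-side check for the condition described in the post above, added here as an example and not code from the original poster or from Revenera: it walks a folder tree and reports any file carrying one of the DLL names listed in the post that sits in the same directory as an .exe. The function names and the constructed sample tree are assumptions.

```python
import os
import tempfile

# DLL names the post reports the installer probing for in its own directory.
WATCHED = {n.lower() for n in (
    "RICHED20.dll", "LZ32.dll", "VERSION.dll", "WINMM.dll", "msi.dll",
    "DNSAPI.dll", "WINMMBASE.dll", "PROPSYS.dll", "RICHED32.dll",
    "USP10.dll", "msls31.dll", "sfc_os.dll",
)}


def find_planted_dlls(root):
    """Return sorted (directory, dll_name) pairs where a watched DLL name
    sits in the same directory as at least one .exe file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lower = [f.lower() for f in files]
        if not any(f.endswith(".exe") for f in lower):
            continue  # no executable here whose directory would be searched
        for name in files:
            if name.lower() in WATCHED:  # Windows file names are case-insensitive
                hits.append((os.path.relpath(dirpath, root), name))
    return sorted(hits)


def demo():
    """Build a constructed directory tree (sample data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Downloads": ["setup.exe", "riched20.DLL", "readme.txt"],
            "Downloads/clean": ["driver_setup.exe", "helper.dll"],
            "Documents": ["VERSION.dll"],  # no .exe alongside: not reported
        }
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            for n in names:
                open(os.path.join(root, sub, n), "wb").close()
        return find_planted_dlls(root)


if __name__ == "__main__":
    for directory, dll in demo():
        print(f"review: {dll} next to an executable in {directory}")
```

A hit is a prompt to review the file's origin and signature before running the installer from that folder, not proof of tampering.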
Hi - this issue has been addressed in InstallShield 2016 SP2 onwards. Full details of this can be found in the following link, including hotfixes for earlier versions:
Thank you for your answer.
Maybe this issue is resolved for all Windows environments in InstallShield 2016 SP2 onwards?
This issue is not reproduced in a clean Windows environment.
But it is reproduced in Windows with a security tool or vaccine installed.
Also, is this considered to depend on the user's PC environment?
Please kindly let me know.