Vigil@nce - Flexera InstallShield, JRSoft Inno Setup: code execution via DLL-planting
July 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious DLL for Flexera InstallShield
or JRSoft Inno Setup, in order to run code with administrator
privileges.
Impacted products: Tivoli Storage Manager, WebSphere MQ, Notes.
Severity: 2/4.
Creation date: 09/05/2016.
Revision dates: 02/06/2016, 06/07/2016.
DESCRIPTION OF THE VULNERABILITY
The products Flexera InstallShield and JRSoft Inno Setup are used
to create installation programs for software packages.
In some cases, the generated programs load extension modules whose
names and possible locations depend on the package concerned.
However, in some cases, the installer looks for these extension
DLLs in folders which are writable by unprivileged users, while
the installation program that loads and runs these DLLs is expected
to be run by an administrator. One should note that these
installers are expected to be run only a few times, so
opportunities for exploitation are rare.
An attacker can therefore create a malicious DLL for Flexera
InstallShield or JRSoft Inno Setup, in order to run code with
administrator privileges.
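The check below is an added example, not part of the Vigil@nce bulletin or of either vendor's tooling: a PowerShell pre-flight script that reports whether unprivileged groups may create files in the folder an installer is launched from, and lists the DLLs already there. It assumes the installer's own folder is one of the searched locations; the parameter name InstallerPath is hypothetical.

```powershell
# Added example (not vendor code): pre-flight check before running a setup program elevated.
# Assumption: the installer's own folder is one of the locations searched for extension DLLs.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath   # hypothetical parameter: full path to the setup program
)

$folder = (Get-Item -LiteralPath $InstallerPath -ErrorAction Stop).Directory.FullName

# Well-known SIDs of groups that contain unprivileged users.
$unprivileged = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Allow entries that apply to the folder itself and let those groups add a file.
# Deny entries are not evaluated, so a hit means "review", not "proven writable".
$risky = @((Get-Acl -LiteralPath $folder).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $unprivileged.ContainsKey($_.IdentityReference.Value) -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (([int]$_.FileSystemRights -band $createFiles) -ne 0)
    })

if ($risky.Count -gt 0) {
    Write-Warning "Unprivileged users can create files in ${folder}:"
    foreach ($rule in $risky) {
        Write-Warning ("  {0}: {1}" -f $unprivileged[$rule.IdentityReference.Value], $rule.FileSystemRights)
    }
    # DLLs already sitting beside the installer, with signature status for triage.
    Get-ChildItem -LiteralPath $folder -Filter *.dll -File | ForEach-Object {
        [pscustomobject]@{
            Dll       = $_.Name
            Modified  = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    }
} else {
    Write-Output "No create-file grant to unprivileged groups found on $folder"
}
```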