You are here

NSIS vulnerable to Dll hijacking SHFOLDER.DLL

3 posts / 0 new
Last post
FIlipe Oliveira
Offline
Last seen: 8 years 2 months ago
Joined: 2016-08-08 16:56
NSIS vulnerable to Dll hijacking SHFOLDER.DLL

I found out that NSISPortableANSI 2.5.1 loads a DLL (SHFOLDER) without supplying the absolute path, thus vulnerable to DLL Hijack. It may be possible for an attacker to place an arbitrary DLL in specific paths in order to execute malicious code in the context of the loading process.
I found this while analyzing wireshark portable and skype portable, the issue might affects other portable apps.

GaijinPanda
Offline
Last seen: 7 years 11 months ago
Joined: 2014-05-22 17:48
This is a valid concern, I don't understand the lack of response

I don't understand why nobody ever responds to serious and valid concerns like this? If the app/platform is not secure then it should be noted and something should be done.

John T. Haller
John T. Haller's picture
Offline
Last seen: 12 hours 16 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Download Folder

The vulnerability issue is mainly an issue as it concerns downloads in the Downloads folder due to the fact that Google Chrome and browsers based on it will allow any site to download infected DLLs directly to that folder without user interaction. Due to that fact, the PortableApps.com Installer has been using patched versions of NSIS since they were released to counteract that (starting with the NSIS 3 betas). It currently bundles NSIS 3 internally uses that to build .paf.exe installers, not NSIS Portable.

If your machine is already infected with arbitrary DLLs outside the Download directory, chances are it's already been fully compromised as local privilege escalation vulnerabilities are fairly common on Windows. There is still a risk of an app you've granted admin rights to falling prey to this issue specifically, though, which brings us to...

As for NSIS Portable itself, both the ANSI and Unicode releases are shortly being replaced by NSIS Portable 3 which is in testing. We're finalizing some of the conversion bits since this upgrade breaks a bunch of NSIS scripts: https://portableapps.com/node/55424

If you'd like to assist with progress, please help test.

Sometimes, the impossible can become possible, if you're awesome!

Log in or register to post comments