Eddie Windows installer - Vulnerability disclosure - NSIS bug 1125



#1 Staff


Posted 21 July 2018 - 02:10 PM

Hello!
 
Vulnerability affecting Eddie for Windows installation packages downloaded earlier than Tue May 15 12:51:22 UTC 2018, on already compromised systems.
 
Any other package type for Windows and any package type for any Operating System is not and has never been affected.
 
Eddie Windows NSIS installers have three vulnerabilities described in NSIS bug 1125. The most serious of these issues (#1) allows running unsolicited code and an escalation of privilege attack using DLL Search Order Hijacking (CAPEC-471), as Eddie Windows installers are generally executed with Admin privileges. What NSIS/Windows actually does is prefer loading DLLs from the current directory, which in the case of the Downloads folder is writable by the user. Thus the vulnerability is trivial to exploit, but only if the attacker has already managed to get a malicious DLL into the user's Downloads folder.
https://sourceforge.net/p/nsis/bugs/1125/
 
This issue was brought to our attention by Kushal Arvind Shah of Fortinet's FortiGuard Labs on May 14, 2018 and fixed by us on Tue May 15 12:51:22 UTC 2018 in all Eddie 2.13.* Windows installer releases and above. Download of older versions has been disabled.
 
Side note: any Eddie version older than 2.13.6 for any system has now been removed from the download list. Such versions are obsolete, and the removal complies with security considerations as well as compatibility considerations with the developments of the respective Operating Systems.
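Detection logic for the condition described in the post above (an installer started from the Downloads folder picking up a DLL from that same directory), written here as an added example; it is not code from the original post or from the Eddie project. It assumes Sysmon Event ID 7 ("Image loaded") records already parsed into dicts with the standard Image, ImageLoaded and SignatureStatus fields; every path and file name in the sample data is constructed.

```python
import ntpath

# Constructed Sysmon Event ID 7 ("Image loaded") records, not real telemetry.
# Process and DLL names are made up; they stand in for an installer launched
# from a user's Downloads folder.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Eddie-Installer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Eddie-Installer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Program Files\Eddie\Eddie-UI.exe",
     "ImageLoaded": r"C:\Program Files\Eddie\Eddie-Core.dll",
     "SignatureStatus": "Valid", "Signature": "Example Publisher"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\Eddie-Installer.exe",
     "CommandLine": "Eddie-Installer.exe"},
]

# Directories an ordinary user can write to and that installers are commonly
# started from; the case in the post is the Downloads folder.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")


def is_user_writable(directory):
    """True if the directory sits under a user-writable location."""
    haystack = directory.lower() + "\\"
    return any(marker in haystack for marker in USER_WRITABLE_MARKERS)


def flag_sideload(event):
    """Return a finding when an Event 7 record shows a process loading a DLL
    from its own directory and that directory is user-writable; else None."""
    if int(event.get("EventID", 0)) != 7:
        return None
    proc_dir = ntpath.dirname(event["Image"])
    dll_dir = ntpath.dirname(event["ImageLoaded"])
    if proc_dir.lower() != dll_dir.lower() or not is_user_writable(proc_dir):
        return None
    return {
        "process": event["Image"],
        "dll": event["ImageLoaded"],
        # An unsigned or unverifiable DLL sitting next to the installer is the
        # strongest indicator; a validly signed one still merits review.
        "unsigned": event.get("SignatureStatus") != "Valid",
    }


def scan(events):
    """Run flag_sideload over a batch of records and keep only the findings."""
    return [f for f in map(flag_sideload, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same check applied to Sysmon events from endpoints that still have pre-fix installers in their Downloads folders gives a retrospective view of whether the condition the post describes ever occurred.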

#2 5YmkoLQZ


Posted 21 July 2018 - 06:01 PM

Nicely done by the Fortinet guys for identifying and reporting the issue, and to the developers for fixing the issue. The good news is that it had to be a targeted attack for it to work, which would be improbable to happen to 99.99999% of users.
