IP Messenger Installer vulnerability: unintended DLL loading

Create: 2017/07/31
Update: 2017/08/03
H.Shirouzu

Overview

IP Messenger Installer (v4.60 or earlier) has an unintended DLL loading vulnerability.
If this vulnerability is exploited, arbitrary code may be executed while the installer is running.

Affected version

IP Messenger Installer v4.60 or earlier.

Solution

Please use IP Messenger Installer v4.61 or later.

Occurrence condition

1) Extract the installer executable file from the installer zip archive into a folder where a malicious DLL has been placed.
2) Execute the installer and press the "start" button.

Remarks: The installer is not affected when it is executed directly from the Explorer zip folder, or when it is executed after extracting the archive with its own folder.

Technical details

Even if the source code contains no "DLL loading without absolute path", some WinAPI functions and COM interfaces perform "DLL loading without absolute path" internally when they are called.
This is the cause of the IP Messenger Installer vulnerability.

(*) I confirmed the following on Win10Pro.
1) The ShellExecute API loads "urlmon.dll" without an absolute path internally.
2) The IShellLink COM interface (creating a shortcut, etc.) loads a DLL without an absolute path internally.
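
The occurrence condition and the technical details above describe the same situation from two sides: an installer executable sitting in a folder beside a DLL whose name matches one that a WinAPI call loads by name only. The following Python check flags that situation before an installer is run. It is an added example, not part of the original advisory or of IP Messenger's code; the function names, the sample file names other than urlmon.dll, and the use of a System32 directory listing as the trusted name set are assumptions.

```python
import tempfile
from pathlib import Path


def dll_names(system_dir):
    """Lower-cased names of every DLL in a trusted directory (e.g. System32)."""
    return {p.name.lower() for p in Path(system_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_shadowing_dlls(folder, trusted_names):
    """Return {exe_name: [dll_name, ...]} for each executable in `folder` that
    sits beside a DLL named like a trusted system DLL. Windows file names are
    case-insensitive, so names are compared in lower case."""
    files = [p for p in Path(folder).iterdir() if p.is_file()]
    exes = sorted(p.name for p in files if p.suffix.lower() == ".exe")
    shadows = sorted(p.name for p in files
                     if p.suffix.lower() == ".dll"
                     and p.name.lower() in trusted_names)
    return {exe: shadows for exe in exes} if shadows else {}


def demo():
    """Constructed sample: a stand-in System32 and a stand-in download folder."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp, "System32")
        downloads = Path(tmp, "Downloads")
        system32.mkdir()
        downloads.mkdir()
        for name in ("urlmon.dll", "kernel32.dll"):
            (system32 / name).write_bytes(b"")
        # Installer extracted next to a look-alike DLL and an unrelated one.
        for name in ("installer_sample.exe", "URLMON.DLL", "vendor_plugin.dll"):
            (downloads / name).write_bytes(b"")
        return find_shadowing_dlls(downloads, dll_names(system32))


if __name__ == "__main__":
    for exe, dlls in demo().items():
        print(f"{exe}: system DLL names found beside it: {', '.join(dlls)}")
```

On a real Windows host, pass the actual download folder and the System32 directory instead of the constructed ones in `demo()`.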

Related information

I will add the link to the public institution press release on 2017/08/04.
JVN#86724730 https://jvn.jp/en/jp/JVN86724730/
JPCERT Coordination Center http://www.jpcert.or.jp/english/
IPA http://www.ipa.go.jp/index-e.html

History

2017/08/03: Added the JVN number and related links because JPCERT announced this vulnerability.

