DLL Hijacking In F-Secure Installers

When installing F-Secure SAFE and looking for NAME NOT FOUND results in Procmon, I noticed a process named “rm.exe” trying to load DLLs from C:\Windows\Temp:


It turns out that the F-Secure SAFE installer is writing rm.exe to C:\Windows\Temp and then executing it. The rm.exe process then tries to load several DLLs. The Windows DLL search order dictates that a process will first look for DLLs in the directory from which it is loaded; in this case, C:\Windows\Temp, which is a globally writeable location. By creating the file C:\Windows|Temp\OLEACC.dll as a non-admin user and then running the installer as an admin user, I was able to confirm that my DLL was loaded and executed by rm.exe with administrator privileges.

I reported this issue to the F-Secure security team along with the recommendation that they move the rm.exe process to a folder with stronger DACLs. They did this by moving rm.exe to a folder inside %temp%, preventing a low-privileged user from writing DLLs anywhere in the process’ DLL search order.

This vulnerablility affected multiple F-Secure products. For the full listing see the F-Secure security advisory

Written on May 5, 2019