The official uninstallers that Adobe supplied for those wishing to remove the Flash plugin from their Windows installation have for some time been supplying hackers with a ‘privilege escalation’ attack vector.
It’s an ironic revelation, since anyone using an uninstaller is likely to be running it for security reasons.
The vulnerability was discovered by security researcher Stefan Kanthak, and its progress with Adobe was reported via Seclists. According to Kanthak, the executable uninstallers prior to versions 22.214.171.124 and 126.96.36.1990, which were both released on the 15th of June, were vulnerable to DLL hijacking, since they load and run Windows system DLLs from the Flash application directory instead of the more heavily protected Windows system directory.
Kanthak describes the coding goof as a ‘well-documented beginner’s error’, and even points to the documentation that outlines the problem: a process that loads a DLL first looks for it in the folder where the process itself resides, instead of defaulting to a system directory. This means that a hacker able to exploit the process can run their own DLLs, with no search made for the valid versions in the correct place. This assumes, of course, that the attacker has been able to save DLLs locally, but this is a common procedure in many valid install routines.
The Adobe Flash uninstallers (which have now been patched) require administrator privileges to run, and once these are granted, the escalation is accomplished. The vulnerability was present in both the 32-bit and 64-bit versions of the Adobe uninstaller.
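A defender-side check for the condition described above, as an added example that is not part of the original article or Kanthak's report: it lists DLLs sitting beside an executable that carry the name of a DLL in the system directory, and notes whether their content differs from the system copy. The function names, folder layout and DLL names are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """List DLLs in app_dir that carry the name of a DLL in system_dir.

    Names are compared lowercased because Windows file names are
    case-insensitive. 'differs' is True when the local file's content is
    not the system copy, which is the case that deserves a closer look.
    """
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for p in sorted(Path(app_dir).iterdir(), key=lambda q: q.name.lower()):
        original = system.get(p.name.lower())
        if p.is_file() and original is not None:
            findings.append({"name": p.name,
                             "differs": sha256_of(p) != sha256_of(original)})
    return findings


def demo():
    """Constructed sample: stand-in 'system' and 'download' folders."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = Path(root, "System32")
        app_dir = Path(root, "Downloads")
        system_dir.mkdir()
        app_dir.mkdir()
        # DLL names are illustrative, not the ones named in the report.
        (system_dir / "version.dll").write_bytes(b"system version")
        (system_dir / "uxtheme.dll").write_bytes(b"system uxtheme")
        (app_dir / "uninstaller.exe").write_bytes(b"MZ")
        (app_dir / "helper.dll").write_bytes(b"private library")
        (app_dir / "uxtheme.dll").write_bytes(b"system uxtheme")
        (app_dir / "VERSION.DLL").write_bytes(b"planted content")
        return find_shadowing_dlls(app_dir, system_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a Windows host, `app_dir` would be the folder holding the downloaded executable and `system_dir` would be `%SystemRoot%\System32`.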
Kanthak first reported the vulnerability to Adobe in March, and the company’s first patch for the exploit was issued the following month. However, the patched version contained the same vulnerability; it simply loaded different DLLs.
Finally, Adobe released another revised patch on Wednesday, and this has resolved the issue, according to the report.