(from a user email)

boinc_7.8.3_windows_intelx86.exe, available from
https://boinc.berkeley.edu/dl/boinc_7.8.3_windows_intelx86.exe
via http://boinc.berkeley.edu/download.php, is vulnerable to DLL
hijacking: it loads multiple Windows system DLLs from its
"application directory", typically the user's "Downloads" directory
"%USERPROFILE%\Downloads", instead of from the Windows "system directory"
%SystemRoot%\System32\.

On a fully patched Windows 7 SP1, these are at least the following
DLLs: uxtheme.dll or dwmapi.dll, version.dll, ntmarta.dll, msi.dll

The vulnerability and attack are well-known and well-documented:
see https://cwe.mitre.org/data/definitions/426.html
and https://cwe.mitre.org/data/definitions/427.html
plus https://capec.mitre.org/data/definitions/471.html
Also see
https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html
and
http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html

The embedded "application manifest" specifies "requireAdministrator",
so boinc_7.8.3_windows_intelx86.exe and all the DLLs it loads are
run with administrative privileges: an attacker who is able to place
one of the above named DLLs in the user's "Downloads" directory, for
example via "drive-by download", gains elevation of privilege.

Proof of concept/demonstration:

1- Follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build forwarder DLLs for the DLLs named above.
2- Place these DLLs in your "Downloads" directory.
3- Download
<https://boinc.berkeley.edu/dl/boinc_7.8.3_windows_intelx86.exe>
and save it in your "Downloads" directory.
4- Start boinc_7.8.3_windows_intelx86.exe: notice the message boxes
displayed from the DLLs!

FIX:
~~~~
DUMP the vulnerable executable installer, provide an .MSI instead!
See <https://skanthak.homepage.t-online.de/!execute.html>
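As an added defender-side check (not part of the report or of BOINC), the PowerShell below flags the two conditions the report combines: an installer whose embedded manifest requests "requireAdministrator", sitting in a directory that also contains a DLL with one of the names listed above. The demo input (a fake setup.exe carrying only a manifest fragment, plus a placeholder version.dll in a temp folder) is constructed; the manifest is assumed to be stored as UTF-8/ASCII XML, which is the normal encoding of an RT_MANIFEST resource.

```powershell
# Added example, not the report's or the project's code: detect the "elevating installer
# beside a hijackable DLL" condition before the installer is ever launched.
$HijackableDlls = @('uxtheme.dll', 'dwmapi.dll', 'version.dll', 'ntmarta.dll', 'msi.dll')

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    # The RT_MANIFEST resource is embedded as plain XML text (assumed UTF-8/ASCII), so a
    # regex over the raw bytes recovers the requestedExecutionLevel attribute without mt.exe.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    if ($text -match 'requestedExecutionLevel[^>]*level\s*=\s*"([^"]+)"') { return $Matches[1] }
    return $null
}

function Test-InstallerDirectory {
    param([Parameter(Mandatory)][string]$InstallerPath)
    $dir   = Split-Path -Parent $InstallerPath
    $level = Get-RequestedExecutionLevel -Path $InstallerPath
    # DLLs in the application directory whose names shadow the system DLLs the report lists.
    $planted = @(Get-ChildItem -Path $dir -Filter *.dll -File |
                 Where-Object { $HijackableDlls -contains $_.Name.ToLower() } |
                 Select-Object -ExpandProperty Name)
    $elevates = ($level -eq 'requireAdministrator')
    [pscustomobject]@{
        Installer               = $InstallerPath
        RequestedExecutionLevel = $level
        Elevates                = $elevates
        ShadowingDlls           = $planted
        # Both together are the elevation-of-privilege scenario described in the report.
        AtRisk                  = $elevates -and ($planted.Count -gt 0)
    }
}

# Constructed demo input: a fake "installer" containing a requireAdministrator manifest
# fragment and a placeholder version.dll next to it. No real binaries are involved.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'dll-hijack-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
$manifest = '<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
[System.IO.File]::WriteAllBytes((Join-Path $demo 'setup.exe'),
    [System.Text.Encoding]::ASCII.GetBytes("MZ placeholder header $manifest"))
Set-Content -Path (Join-Path $demo 'version.dll') -Value 'placeholder, not a real DLL'

# Expected: Elevates = True, ShadowingDlls = version.dll, AtRisk = True
Test-InstallerDirectory -InstallerPath (Join-Path $demo 'setup.exe') | Format-List
```

Pointing Test-InstallerDirectory at a real download in "%USERPROFILE%\Downloads" gives a quick triage of whether launching it would hand planted DLLs administrative rights; it is a pre-execution check only, and the fix the report asks for (an .MSI instead of a self-extracting .exe) remains the vendor's job.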