
Vulnerability Disclosure 07 09 2021

Robert C. Maehl edited this page Jul 9, 2021 · 2 revisions

What happened?

On June 29th, while reviewing news articles on WhyNotWin11, I came across a borncity.com post noting that Stefan Kanthak had publicly disclosed that WhyNotWin11 was susceptible to DLL hijacking and privilege escalation. While the exact details were not provided, the publicly disclosed information was enough to understand the exploits. At that time, PowerShell was already being removed and admin rights had been reduced from a requirement to "requested if available". Action was taken after this discovery to mitigate the severity and ease of these attacks.

What were the attacks?

Calls made by the script using a relative name (a bare DLL or program name rather than a full path) are resolved by Windows in its search order, which checks the application directory for a binary or DLL of the requested name before checking the system directory. This allowed an attacker to plant a DLL or binary of that name in the same directory as WhyNotWin11, and WhyNotWin11 would load or execute it without question, with whatever rights the application itself was running with (administrator, when those had been granted).

What's been done to fix it?

  • All calls to PowerShell have been removed.
  • The application no longer requests admin rights in any form.
  • A security policy, specifically a security.txt, has been added to the repository so that further issues can be reported easily.
  • All DLL and program loading and execution done by the script now use exact (absolute) paths. This does not affect any DLL loading done by the AutoIt interpreter itself.
  • Any relative execution from script UDFs (APIs) provided by AutoIt now runs with %WINDIR% as its working directory, which an attacker needs existing privilege to write to.
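The two points above (a bare name is searched for in the application directory first; a full path is not searched at all) are easy to get wrong, so here is an added example that models them and adds the check a worried user can run against an application folder. This is not WhyNotWin11 or AutoIt code and not the project's own mitigation; it is a Python model in which the loader search order is reduced to the two directories that matter for this disclosure (the real order also includes the 16-bit system directory, the Windows directory, the current directory and PATH), and the directory layout, file names and file contents are constructed in a temporary folder so it runs offline on any OS. On a real Windows machine, `find_shadowing_files` can be pointed at the WhyNotWin11 folder and `C:\Windows\System32`.

```python
"""Model of Windows name resolution for DLLs/EXEs, plus a planted-file audit.

Added example, not project code. Search order is simplified to
application directory -> system directory (the two that matter here).
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def resolve_relative(name: str, app_dir: Path, system_dir: Path) -> Path | None:
    """Mimic the default search for a bare name: application directory first,
    then the system directory. The first match wins, which is exactly what a
    planted file exploits."""
    for directory in (app_dir, system_dir):
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def resolve_exact(path: Path) -> Path | None:
    """What the fix relies on: a full path is used as-is, no search happens,
    so a file of the same name next to the application is never considered."""
    return path if path.is_file() else None


def find_shadowing_files(app_dir: Path, system_dir: Path) -> list[str]:
    """Audit check: names of .dll/.exe files in app_dir that also exist in
    system_dir. A copy of a system module sitting next to an application is
    the classic planted-DLL / binary-planting signature."""
    hits: list[str] = []
    for entry in sorted(app_dir.iterdir()):
        if entry.suffix.lower() in (".dll", ".exe") and (system_dir / entry.name).is_file():
            hits.append(entry.name)
    return hits


def build_demo() -> tuple[Path, Path]:
    """Constructed sample layout (hypothetical names and contents): a fake
    System32 holding legitimate modules, and an application folder where an
    attacker has planted version.dll and powershell.exe beside the app's exe."""
    root = Path(tempfile.mkdtemp(prefix="dllhijack_demo_"))
    system_dir = root / "System32"
    app_dir = root / "WhyNotWin11"
    system_dir.mkdir()
    app_dir.mkdir()
    for name in ("version.dll", "powershell.exe", "kernel32.dll"):
        (system_dir / name).write_bytes(b"legit")
    for name in ("version.dll", "powershell.exe", "WhyNotWin11.exe"):
        (app_dir / name).write_bytes(b"planted")
    return app_dir, system_dir


def demo() -> dict:
    """Run the model over the constructed layout and return what each
    resolution strategy would actually load."""
    app_dir, system_dir = build_demo()
    return {
        # bare name: the planted copy in the application directory wins
        "relative_dll": resolve_relative("version.dll", app_dir, system_dir).read_bytes().decode(),
        # full path under the system directory: the planted copy is ignored
        "exact_dll": resolve_exact(system_dir / "version.dll").read_bytes().decode(),
        # same for a program name such as powershell.exe
        "relative_exe": resolve_relative("powershell.exe", app_dir, system_dir).read_bytes().decode(),
        # a name that exists nowhere resolves to nothing
        "missing": resolve_relative("nothere.dll", app_dir, system_dir),
        # the audit flags only files that shadow a system module
        "shadowed": find_shadowing_files(app_dir, system_dir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit deliberately does not flag `WhyNotWin11.exe`: a file that has no counterpart in the system directory cannot be hijacking a system module, so only shadowed names are reported. A hit is not proof of infection (some applications legitimately ship private copies of system DLLs), but for a single-file tool like this one any such file next to the executable deserves a look.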

Is it fixed?

Per Stefan, possibly not: AutoIt itself may also be using relative paths for DLL loading before the script is even parsed. While I am not able to verify this, I will err on the side of caution. Stefan appears to have a long history with this exploit type and has found it in applications by Microsoft, Nvidia and McAfee, among others. Without a complete rewrite in a new language, there does not appear to be any way to work around this. The issue has been raised on the official AutoIt forums, but no official response from the developers has been received. It should be noted that AutoHotkey shares a similar codebase with AutoIt, having forked from an earlier build, and is likely affected as well.

Am I infected?

Very likely not. A malicious program would already have to be on your system and attempting to exploit this common vulnerability class. I am not aware of any malicious software currently and specifically targeting WhyNotWin11.

What should I do?

  • Run WhyNotWin11 from a standard user account only, not as Administrator. (This is the default.)
  • If you are still uncomfortable, try another open-source Windows 11 checker; however, they likely have not been through a security review themselves.
  • If you are not already on at least build 2.3.0.2, it is recommended to upgrade to the latest build. Builds 2.3.0.2 and onwards contain all listed mitigations.