Message-Id: <201610141228.u9ECSYw2009202@sf01web3.securityfocus.com>
Date: Fri, 14 Oct 2016 12:28:34 GMT
From: mehta.himanshu21@...il.com
To: bugtraq@...urityfocus.com
Subject: Evernote for Windows DLL Loading Remote Code Execution Vulnerability

Aloha,

Summary
Evernote contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. The vulnerability exists because a DLL file is loaded improperly by 'Evernote_6.1.2.2292.exe'. This allows an attacker to have a DLL file of the attacker's choosing loaded, which could execute arbitrary code without the user's knowledge.

Affected Product:
Evernote 6.1.2.2292

Fixed in: Evernote for Windows 6.3 
WINNOTE-15637 https://evernote.com/security/updates/

Tested on: Windows 7

Impact
An attacker can exploit this vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help an attacker to successfully exploit the system if the user creates a shell as a DLL.

Vulnerability Scoring Details
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Create a malicious 'dwmapi.dll' or 'ntmarta.dll' file and save it in your "Downloads" directory.

2. Download 'Evernote_6.1.2.2292.exe' from and save it in your "Downloads" directory.

3. Execute .exe from your "Downloads" directory.

4. Malicious dll file gets executed.

Chao!!
Himanshu Mehta
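
A defender-side check for the condition the proof of concept relies on, as an added example that is not part of the original advisory: it reports DLLs in a download directory that carry the name of a system DLL, together with the executables sitting beside them. The function names, the sample files and the default Downloads location are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path


def system_dll_names(system_dir):
    """Lower-cased names of the DLLs in the trusted system directory."""
    return {p.name.lower() for p in Path(system_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_shadowing_dlls(scan_dir, trusted_names):
    """Report DLLs in scan_dir that carry the name of a system DLL.

    Windows looks in the launching executable's own directory before
    System32 (KnownDLLs excepted), so such a file would be loaded in
    place of the system copy by any .exe started from scan_dir.
    Names are compared case-insensitively, as Windows does.
    """
    files = [p for p in Path(scan_dir).iterdir() if p.is_file()]
    dlls = sorted(p.name for p in files if p.suffix.lower() == ".dll"
                  and p.name.lower() in trusted_names)
    exes = sorted(p.name for p in files if p.suffix.lower() == ".exe")
    return {"dlls": dlls, "exposed_executables": exes if dlls else []}


def demo():
    """Run the check against constructed directories of empty files."""
    with tempfile.TemporaryDirectory() as root:
        system32, downloads = Path(root, "System32"), Path(root, "Downloads")
        system32.mkdir()
        downloads.mkdir()
        for name in ("dwmapi.dll", "ntmarta.dll", "kernel32.dll"):
            (system32 / name).touch()
        for name in ("Evernote_6.1.2.2292.exe", "DWMAPI.DLL",
                     "helper.dll", "notes.txt"):
            (downloads / name).touch()
        return find_shadowing_dlls(downloads, system_dll_names(system32))


if __name__ == "__main__":
    if os.name == "nt":  # audit the user's Downloads (assumed default path)
        system32 = Path(os.environ["SystemRoot"], "System32")
        print(find_shadowing_dlls(Path.home() / "Downloads",
                                  system_dll_names(system32)))
    else:
        print(demo())
```

A non-empty `dlls` list means installers should not be launched from that directory until the listed files have been reviewed or removed.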
