Date: Wed, 14 Jul 2021 11:35:13 +0800
From: houjingyi <>
Subject: [FD] VMware ThinApp DLL hijacking vulnerability

A few months ago I disclosed IBM(R) Db2(R) Windows client DLL
Hijacking Vulnerability(0day) I found:

In that post I mentioned the vulnerability did not get fully patched.

After I told IBM on hackerone that I disclosed it, hackerone asked me
to delete the post, IBM apologized and fully patched the

But this is not the point today. I found a similar problem in

After installing the software, create C:\DummyTLS, rename a DLL you
want to load to dummyTLS.dll, and put it at C:\DummyTLS\dummyTLS.dll.

Run "C:\Program Files (x86)\VMware\VMware ThinApp\Setup Capture.exe"
and C:\DummyTLS\dummyTLS.dll will be loaded.
(Other executables such as log_monitor.exe and snapshot.exe are vulnerable too.)

This is also because they use code like:

LoadLibraryExW(L"\\DummyTLS\\dummyTLS.dll", 0, 0);

In short, Windows will treat a relative path in LoadLibrary (and many
other functions) as a path rooted relative to the current disk

Let us look at the code in ntdll.dll. The logic here is:
In LdrpPreprocessDllName, the call to
RtlDetermineDosPathNameType_Ustr returns 4 (RtlPathTypeRooted).

And after calling LdrpGetFullPath we get "C:\DummyTLS\dummyTLS.dll"!

You should not call LoadLibrary with a relative path. In fact, using
a relative path is dangerous in many cases.

This was fixed on 2021-07-13 as CVE-2021-22000 and the advisory is
here :

For these vulnerabilities I will post a summary at
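
Added example, not part of the original post and not VMware or ntdll code: a portable C check that a caller could run on a DLL path before passing it to LoadLibrary, rejecting anything that is not drive-absolute. The function names are hypothetical, and the classifier is a simplified model (an assumption) of the path-type decision the post describes, using the RTL_PATH_TYPE numbering in which rooted paths are 4.

```c
#include <stdio.h>
#include <stddef.h>

/* Numbering follows RTL_PATH_TYPE; the post quotes 4 for RtlPathTypeRooted. */
typedef enum {
    PathUnknown = 0, PathUncAbsolute, PathDriveAbsolute, PathDriveRelative,
    PathRooted, PathRelative, PathLocalDevice, PathRootLocalDevice
} path_type;

static int is_sep(wchar_t c) { return c == L'\\' || c == L'/'; }

/* Hypothetical helper: simplified model of DOS path classification. */
path_type classify_dos_path(const wchar_t *p)
{
    if (p == NULL) return PathUnknown;
    if (is_sep(p[0])) {
        if (!is_sep(p[1])) return PathRooted;        /* \dir\x.dll: no drive given */
        if (p[2] != L'.' && p[2] != L'?')
            return PathUncAbsolute;                  /* \\server\share\x.dll */
        if (is_sep(p[3])) return PathLocalDevice;    /* \\.\x or \\?\x */
        if (p[3] != L'\0') return PathUncAbsolute;   /* \\.x or \\?x */
        return PathRootLocalDevice;                  /* \\. or \\? */
    }
    if (p[0] == L'\0' || p[1] != L':')
        return PathRelative;                         /* x.dll, dir\x.dll */
    if (is_sep(p[2])) return PathDriveAbsolute;      /* C:\dir\x.dll */
    return PathDriveRelative;                        /* C:x.dll */
}

/* Hypothetical policy gate: only a drive-absolute path names one fixed file.
 * Rooted, relative and drive-relative paths all depend on the process's
 * current drive or directory, which the application does not control. */
int dll_path_is_fully_qualified(const wchar_t *p)
{
    return classify_dos_path(p) == PathDriveAbsolute;
}

int main(void)
{
    /* The string from the post's LoadLibraryExW call. */
    const wchar_t *from_post = L"\\DummyTLS\\dummyTLS.dll";
    printf("type=%d accepted=%d\n", (int)classify_dos_path(from_post),
           dll_path_is_fully_qualified(from_post));
    return 0;
}
```

A loader wrapper would build the full path from the application's own install directory and call the gate before loading; the gate alone does not verify who can write to that directory.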
