lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAO7W7wNpjMnP+Gd6uob9ug5166t5v+ApHKi_EPPjfA3UgrhR2w@mail.gmail.com>
Date: Fri, 25 Feb 2022 00:39:11 +0800
From: "YEUNG, Tsz Ko" <tkoyeung@...nect.hku.hk>
To: fulldisclosure@...lists.org
Subject: [FD] CVE request for the DLL-Hijacking vulnerability found in
 ToolBox-V1.010.0000000.0 from Dahua Technologies

Hi all,

I have actually contacted Dahua PSIRT team and they confirmed the
vulnerability exists few days ago but then since this product is not in
that scope on requesting CVE and therefore I am going to disclose the
details here:

Vulnerable Software and Version:
ToolBox-V1.010.0000000.0 (versions prior to this are probably vulnerable
but just tested against V1.010.0000000.0)

Vulnerable software download link:
https://www.dahuasecurity.com/support/downloadCenter/tools/MaintenanceTools

Date reported to Dahua:
20 Feb 2022

Date of issue acknowledgement and finding validated from Dahua PSIRT team:
22 Feb 2022

Description:
The ToolBox-V1.010.0000000.0 is suffering from DLL hijacking which allows
arbitrary code execution and even privilege escalation when a malcious dll
name as "DHLog.dll" is dropped to followng folders during my research, PE
could be achieved since the exeutable has to be run with administrator
privilege by design.

Attack vector:
A malicious x86 dll named as "DHLog.dll" has to be dropped in ANY of the
following folders, which depends on what softwares have been installed in
the target windows machine

   1. C:\Users\User\AppData\Local\Microsoft\WindowsApps (*Pre-installed in
   every windows)
   2. C:\Users\User\AppData\Local\Programs\Python\Python38\Scripts (Only
   Applicable when users have installed python in their windows machine)
   3. C:\Users\User\AppData\Local\Programs\Python\Python38\ (Only
   Applicable when users have installed python in their windows machine)

PoC code of dll can be found in this repository

Attack steps:

   1. Craft and drop a malicious DLL named as "DHLog.dll" with entry point
   DllMain
   2. Double click the executable "ToolBox", administrator privilege is
   required to run
   3. Malicious DLL has been called and an admin shell can be obtained as
   PoC
   4.  [image: image]
   <https://user-images.githubusercontent.com/21979646/155094255-095563ec-b353-4a9e-ab91-71c96cdd6366.png>


Detail Report can be found here:
https://github.com/ScriptIdiot/DLL-Hijacking-PoC-of-ToolBox-V1.010.0000000.0

Kindly let me know if further input is required. Thanks!

Kind regards,
James Tsz Ko Yeung

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ