| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Feb 2022 00:39:11 +0800 From: "YEUNG, Tsz Ko" <tkoyeung@...nect.hku.hk> To: fulldisclosure@...lists.org Subject: [FD] CVE request for the DLL-Hijacking vulnerability found in ToolBox-V1.010.0000000.0 from Dahua Technologies Hi all, I have actually contacted Dahua PSIRT team and they confirmed the vulnerability exists few days ago but then since this product is not in that scope on requesting CVE and therefore I am going to disclose the details here: Vulnerable Software and Version: ToolBox-V1.010.0000000.0 (versions prior to this are probably vulnerable but just tested against V1.010.0000000.0) Vulnerable software download link: https://www.dahuasecurity.com/support/downloadCenter/tools/MaintenanceTools Date reported to Dahua: 20 Feb 2022 Date of issue acknowledgement and finding validated from Dahua PSIRT team: 22 Feb 2022 Description: The ToolBox-V1.010.0000000.0 is suffering from DLL hijacking which allows arbitrary code execution and even privilege escalation when a malcious dll name as "DHLog.dll" is dropped to followng folders during my research, PE could be achieved since the exeutable has to be run with administrator privilege by design. Attack vector: A malicious x86 dll named as "DHLog.dll" has to be dropped in ANY of the following folders, which depends on what softwares have been installed in the target windows machine 1. C:\Users\User\AppData\Local\Microsoft\WindowsApps (*Pre-installed in every windows) 2. C:\Users\User\AppData\Local\Programs\Python\Python38\Scripts (Only Applicable when users have installed python in their windows machine) 3. C:\Users\User\AppData\Local\Programs\Python\Python38\ (Only Applicable when users have installed python in their windows machine) PoC code of dll can be found in this repository Attack steps: 1. Craft and drop a malicious DLL named as "DHLog.dll" with entry point DllMain 2. Double click the executable "ToolBox", administrator privilege is required to run 3. Malicious DLL has been called and an admin shell can be obtained as PoC 4. [image: image] <https://user-images.githubusercontent.com/21979646/155094255-095563ec-b353-4a9e-ab91-71c96cdd6366.png> Detail Report can be found here: https://github.com/ScriptIdiot/DLL-Hijacking-PoC-of-ToolBox-V1.010.0000000.0 Kindly let me know if further input is required. Thanks! Kind regards, James Tsz Ko Yeung _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists