Message-ID: <CAO7W7wNsQgjg5DmwRMGXy2F1meX1i4ooSqYX8JsP58DU8E_N7g@mail.gmail.com>
Date: Fri, 25 Feb 2022 12:28:50 +0800
From: "YEUNG, Tsz Ko" <tkoyeung@...nect.hku.hk>
To: fulldisclosure@...lists.org
Subject: [FD] Disclosure of DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Hi all,

I would like to disclose the DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4. Details are as below:

Vulnerable Software and Version:
1. Technitium Installer v4.4

Vulnerable software download link: https://technitium.com/tmac/

Date discovered and reported: 25 Feb 2022

Description:
Technitium Installer v4.4 is suffering from DLL hijacking by placing an x86 SXS.dll in the same directory as the installer, which could cause arbitrary code execution and privilege escalation since the installer requires admin rights to run by design. The installer is actually looking for the below DLLs in the same directory as the installer, but only SXS.dll was tested and hijacked successfully:
1. SXS.dll
2. MSVBVM60.dll
3. VCRUNTIME140.dll

Attack vector:
Taking SXS.dll as an example, placing the maliciously crafted DLL in the same directory as the installer and whenever a user clicks the installer, arbitrary code execution and privilege escalation could be achieved. PoC code of the DLL can be found in my repository.

Attack steps:
1. Craft and drop a malicious DLL named "SXS.dll" with entry point DllMain
   [image: image] <https://user-images.githubusercontent.com/21979646/155653240-ef58e64b-802e-4268-a9a6-cc8e74c576c0.png>
2. Double click the executable; administrator privilege is required to run
3. Malicious DLL has been called and an admin shell can be obtained as PoC
   [image: image] <https://user-images.githubusercontent.com/21979646/155653291-16145a65-ccdc-4461-a328-f6dc277e4d54.png>

Reference link of the report in github: https://github.com/ScriptIdiot/DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Thanks and regards,
James Tsz Ko Yeung

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
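A defender-side check for the condition the post describes, added here as an example that is not part of the original post or of the Technitium project: it looks in an installer's directory for the three DLL names the post says the installer probes for, and reports for each whether the file is an x86 image and whether it carries an embedded Authenticode signature (the certificate table, PE data directory 4). The PE images it scans are constructed header-only stubs so that it runs offline; the stub builder, the demo directory and the file names it drops are assumptions for the demonstration.

```python
"""Added example, not from the original post: flag DLLs beside an installer whose
names match those the post says it probes for, and check each for a signature."""
import os
import struct
import tempfile

# Names the post reports the installer looks up in its own directory.
PROBED_DLLS = ("sxs.dll", "msvbvm60.dll", "vcruntime140.dll")

def pe_info(data: bytes) -> dict:
    """Report machine type and Authenticode presence from a PE image's headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directory 4 (certificate table) follows 96 (PE32) or 112 (PE32+)
    # bytes of optional header; a zero size means no embedded signature.
    dd = opt + (96 if magic == 0x10B else 112)
    _, cert_size = struct.unpack_from("<II", data, dd + 4 * 8)
    return {"x86": machine == 0x14C, "signed": cert_size != 0}

def scan_installer_dir(directory: str) -> list:
    """Return one finding per probed DLL name present in the directory."""
    findings = []
    for name in os.listdir(directory):
        if name.lower() in PROBED_DLLS:
            with open(os.path.join(directory, name), "rb") as fh:
                findings.append({"name": name, **pe_info(fh.read())})
    return findings

def build_stub_pe(machine: int = 0x14C, signed: bool = False) -> bytes:
    """Constructed header-only PE32 image (assumption) so the example runs offline."""
    img = bytearray(b"MZ".ljust(0x40, b"\0") + b"PE\0\0" + bytes(20 + 224))
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew points at "PE\0\0"
    struct.pack_into("<H", img, 0x44, machine)   # IMAGE_FILE_HEADER.Machine
    struct.pack_into("<H", img, 0x58, 0x10B)     # PE32 optional header magic
    if signed:                                   # fake certificate table entry
        struct.pack_into("<II", img, 0x58 + 96 + 32, 0x400, 0x800)
    return bytes(img)

def demo() -> list:
    """Constructed scenario: unsigned x86 SXS.dll beside a signed VCRUNTIME140.dll."""
    with tempfile.TemporaryDirectory() as d:
        for name, signed in (("SXS.dll", False), ("VCRUNTIME140.dll", True)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(build_stub_pe(signed=signed))
        return sorted(scan_installer_dir(d), key=lambda f: f["name"])
```

A non-zero certificate table only shows that a signature is embedded, not that it validates; a production check would go on to verify the chain and signer.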