lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAO7W7wNsQgjg5DmwRMGXy2F1meX1i4ooSqYX8JsP58DU8E_N7g@mail.gmail.com>
Date: Fri, 25 Feb 2022 12:28:50 +0800
From: "YEUNG, Tsz Ko" <tkoyeung@...nect.hku.hk>
To: fulldisclosure@...lists.org
Subject: [FD] Disclosure of
	DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Hi all,

I would like to disclose
the DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Details as below:

Vulnerable Software and Version:

   1. Technitium Installer v4.4

Vulnerable software download link:
https://technitium.com/tmac/

Date discovered and reported:
25 Feb 2022

Description:
Technitium Installer v4.4 is suffering from DLL Hijacking by placing x86
SXS.dll in the same directory as the installer , which could cause arbitrary
code execution and privilege escalation since the installer requires admin
right to run by design.

The installer is actually looking for below DLLs in the same directory as
the insatller but then only SXS.dll is tested and hijacked successfully

   1. SXS.dll
   2. MSVBVM60.dll
   3. VCRUNTIME140.dll

Attack vector:
Taking SXS.dll as an example, placing the malcious crafted dll in the same
directory as the installer and whenever a user click the installer, arbitrary
code execution and privilege escalation could be achieved.

PoC code of dll can be found in my repository

Attack steps:

   1.

   Craft and drop a malicious DLL named as "SXS.dll" with entry point
   DllMain [image: image]
   <https://user-images.githubusercontent.com/21979646/155653240-ef58e64b-802e-4268-a9a6-cc8e74c576c0.png>
   2.

   Double click the executable, administrator privilege is required to run
   3.

   Malicious DLL has been called and an admin shell can be obtained as
PoC [image:
   image]
   <https://user-images.githubusercontent.com/21979646/155653291-16145a65-ccdc-4461-a328-f6dc277e4d54.png>

Reference link of the report in github:
https://github.com/ScriptIdiot/DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Thanks and regards,
James Tsz Ko Yeung

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists