Vulnerability Description: CWE-427: Uncontrolled Search Path Element
Software Version: 4.8
NIST:
CVSS:
Severity:
Credits: Cristian Castrechini, Eduardo Maragno, Massimiliano Brolli
DLL Hijacking can lead to arbitrary code execution with the privileges of the vulnerable application, i.e. in the security context of the user who launches it.
Prerequisites: The attacker must have write permissions to the directory from which the application resolves the missing DLL at load time (here, the TreeSizeFree installation directory). By default a standard user cannot write below Program Files, so in practice this requires the application to be installed in a user-writable location or the directory ACL to have been weakened.
Step-by-step instructions and PoC
This technique leverages DLL search order hijacking: a malicious DLL is placed in a user-writable directory that TreeSizeFree.exe searches before the legitimate copy of the DLL in the Windows system directory, so the planted copy is the one that gets loaded.
Affected Endpoints
• Vulnerable DLL: version.dll
The DLL source code has been sent along with this report by e-mail.
Below is the evidence with the vulnerability details and the payloads used.
The first step consists of using Process Monitor from the SysInternals suite, with filters restricting the capture to the TreeSizeFree.exe process and to file operations on .dll paths (typically keeping only results of NAME NOT FOUND), to inspect which DLLs the application attempts to load and from where:
Image 1
Once the software is executed, it attempts to load version.dll from its installation directory. The DLL does not exist in that path, so the lookup fails with NAME NOT FOUND and Windows falls back to the next location in the search order (the copy in C:\Windows\System32). The application therefore works normally, but its own directory is consulted first on every start:
Image 2
We build a malicious version.dll containing the payload we want to execute at startup and place it in the folder where the program is installed, so that it shadows the legitimate system DLL:
Image 3
Relaunching the application now resolves version.dll from the installation directory: the planted DLL is loaded and our payload is executed.
Image 4
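The following PowerShell script is an added example for the procedure above; it is not part of the original report and is not the DLL source sent by e-mail. It reproduces the Process Monitor triage on a constructed CSV export (the CSV rows below are made up for illustration, not real capture data), checks whether low-privilege principals can write to the installation directory (the prerequisite for the hijack), and, after the application has been relaunched with a planted version.dll, shows which copy of version.dll the running process actually mapped. The installation path is an assumption and must be adapted to the target system.

```powershell
# Added example, not from the original advisory. Assumed install location:
$InstallDir = 'C:\Program Files\JAM Software\TreeSize Free'

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format)
# limited to the columns used here. These rows are illustrative only.
$ProcMonCsv = @'
"Process Name","Operation","Path","Result"
"TreeSizeFree.exe","CreateFile","C:\Program Files\JAM Software\TreeSize Free\version.dll","NAME NOT FOUND"
"TreeSizeFree.exe","CreateFile","C:\Windows\System32\version.dll","SUCCESS"
"TreeSizeFree.exe","CreateFile","C:\Program Files\JAM Software\TreeSize Free\TreeSizeFree.exe.config","NAME NOT FOUND"
'@

# Step 1: DLLs the process looked for in its own directory and did not find.
# These are the search-order hijack candidates.
function Get-HijackCandidate {
    param([string]$Csv, [string]$ProcessName, [string]$AppDir)
    $Csv | ConvertFrom-Csv |
        Where-Object {
            $_.'Process Name' -eq $ProcessName -and
            $_.Result -eq 'NAME NOT FOUND' -and
            $_.Path -like '*.dll' -and
            $_.Path -like "$AppDir\*"
        } |
        ForEach-Object { Split-Path -Leaf $_.Path } |
        Sort-Object -Unique
}

# Step 2: can Users / Everyone / Authenticated Users create files here?
# Matches ACEs that grant Write, WriteData/CreateFiles, Modify or FullControl.
function Test-DirectoryWritableByUsers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if ($principal -notmatch 'Users$|Everyone$|Authenticated Users$') { continue }
        if ("$($ace.FileSystemRights)" -match '\bWrite\b|WriteData|CreateFiles|Modify|FullControl') {
            return $true
        }
    }
    return $false
}

# Step 3: after relaunching, which file backs the version.dll module?
# If the hijack worked this is the copy in $InstallDir, not System32.
function Get-LoadedModulePath {
    param([string]$ProcessName, [string]$ModuleName)
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.ModuleName -ieq $ModuleName } |
        Select-Object -ExpandProperty FileName -Unique
}

$candidates = Get-HijackCandidate -Csv $ProcMonCsv -ProcessName 'TreeSizeFree.exe' -AppDir $InstallDir
"Missing DLLs looked up in the application directory: $($candidates -join ', ')"

if (Test-Path -Path $InstallDir) {
    "Low-privilege users can write to ${InstallDir}: $(Test-DirectoryWritableByUsers -Path $InstallDir)"
}

# Run this part with TreeSizeFree.exe started after planting version.dll.
$loaded = Get-LoadedModulePath -ProcessName 'TreeSizeFree' -ModuleName 'version.dll'
if ($loaded) { "version.dll mapped from: $loaded" } else { "TreeSizeFree.exe is not running" }
```

On the constructed sample the first function returns only version.dll: the .config lookup is also NAME NOT FOUND but is not a DLL, and the System32 lookup succeeds. The ACL check is a heuristic over the string form of FileSystemRights; for a definitive answer, attempt to create a file in the directory as the low-privilege user. The module check reads the FileName of the mapped module, which is the same information Process Explorer shows in its DLL view.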
Security Impact
Execution of arbitrary code with the privileges of the compromised application, enabling data exfiltration, persistence and potential lateral movement.