Full Disclosure mailing list archives
Disclosure of DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4
From: "YEUNG, Tsz Ko" <tkoyeung () connect hku hk>
Date: Fri, 25 Feb 2022 12:28:50 +0800
Hi all,

I would like to disclose the DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4. Details as below:

Vulnerable Software and Version:
1. Technitium Installer v4.4

Vulnerable software download link: https://technitium.com/tmac/

Date discovered and reported: 25 Feb 2022

Description:
Technitium Installer v4.4 is suffering from DLL Hijacking by placing an x86 SXS.dll in the same directory as the installer, which could cause arbitrary code execution and privilege escalation since the installer requires admin rights to run by design. The installer is actually looking for the below DLLs in the same directory as the installer, but only SXS.dll was tested and hijacked successfully:
1. SXS.dll
2. MSVBVM60.dll
3. VCRUNTIME140.dll

Attack vector:
Taking SXS.dll as an example, by placing the maliciously crafted DLL in the same directory as the installer, whenever a user clicks the installer, arbitrary code execution and privilege escalation could be achieved. PoC code of the DLL can be found in my repository.

Attack steps:
1. Craft and drop a malicious DLL named "SXS.dll" with entry point DllMain
[image: image] <https://user-images.githubusercontent.com/21979646/155653240-ef58e64b-802e-4268-a9a6-cc8e74c576c0.png>
2. Double click the executable; administrator privilege is required to run
3. The malicious DLL has been called and an admin shell can be obtained as PoC
[image: image] <https://user-images.githubusercontent.com/21979646/155653291-16145a65-ccdc-4461-a328-f6dc277e4d54.png>

Reference link of the report in GitHub:
https://github.com/ScriptIdiot/DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Thanks and regards,
James Tsz Ko Yeung

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
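As an added defensive pre-flight check (not part of the advisory above or of the Technitium project), the following PowerShell script inspects the directory an installer is launched from for the three DLL names the advisory lists and reports any that are present but not validly signed, since a DLL sitting beside the executable is what wins the default search order. The installer path is supplied by the operator; the script name and the exit-code convention are assumptions for illustration.

```powershell
# Added example: check an installer's directory for side-loadable DLLs.
# The DLL names are the ones named in the advisory; the installer path is
# an argument supplied by whoever runs the check.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

$watchList = @('SXS.dll', 'MSVBVM60.dll', 'VCRUNTIME140.dll')
$dir = Split-Path -Parent (Resolve-Path -LiteralPath $InstallerPath)

$findings = foreach ($name in $watchList) {
    $candidate = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $candidate)) { continue }

    # A same-directory DLL is loaded before the system copy, so record who
    # signed it, its hash and its timestamp for triage.
    $sig = Get-AuthenticodeSignature -FilePath $candidate
    [pscustomobject]@{
        Dll       = $name
        Path      = $candidate
        Status    = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Sha256    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        WriteUtc  = (Get-Item -LiteralPath $candidate).LastWriteTimeUtc
    }
}

if (-not $findings) {
    Write-Host "No watch-listed DLLs found beside $InstallerPath"
    exit 0
}

$findings | Format-Table -AutoSize

# Anything present but not validly signed is treated as a hijack candidate.
$suspect = @($findings | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} DLL(s) next to the installer are not validly signed; " +
                   "quarantine them and verify the installer's own signature before running it." -f $suspect.Count)
    exit 1
}
exit 0
```

Run it as a standard user from the folder the installer was downloaded to; a non-zero exit code means something should be looked at before the elevated install is launched.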
Current thread:
- Disclosure of DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4 YEUNG, Tsz Ko (Feb 24)