Full Disclosure mailing list archives

Disclosure of DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4


From: "YEUNG, Tsz Ko" <tkoyeung () connect hku hk>
Date: Fri, 25 Feb 2022 12:28:50 +0800

Hi all,

I would like to disclose the DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4.

Details as below:

Vulnerable Software and Version:

   1. Technitium Installer v4.4

Vulnerable software download link:
https://technitium.com/tmac/

Date discovered and reported:
25 Feb 2022

Description:
Technitium Installer v4.4 is suffering from DLL Hijacking by placing x86
SXS.dll in the same directory as the installer, which could cause arbitrary
code execution and privilege escalation since the installer requires admin
rights to run by design.

The installer is actually looking for the DLLs below in the same directory as
the installer, but only SXS.dll was tested and hijacked successfully:

   1. SXS.dll
   2. MSVBVM60.dll
   3. VCRUNTIME140.dll

Attack vector:
Taking SXS.dll as an example, by placing the maliciously crafted DLL in the same
directory as the installer, whenever a user clicks the installer, arbitrary
code execution and privilege escalation could be achieved.

PoC code of the DLL can be found in my repository.

Attack steps:

   1. Craft and drop a malicious DLL named "SXS.dll" with entry point DllMain
      [image: https://user-images.githubusercontent.com/21979646/155653240-ef58e64b-802e-4268-a9a6-cc8e74c576c0.png]
   2. Double click the executable; administrator privilege is required to run.
   3. The malicious DLL has been called and an admin shell can be obtained as PoC
      [image: https://user-images.githubusercontent.com/21979646/155653291-16145a65-ccdc-4461-a328-f6dc277e4d54.png]

Reference link of the report in github:
https://github.com/ScriptIdiot/DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4

Thanks and regards,
James Tsz Ko Yeung

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
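An added audit script (my example, not the reporter's PoC or Technitium's code) that models the Windows DLL search order the advisory relies on: the application directory is consulted before System32, so a file dropped beside the installer shadows the OS copy. The directory layout, installer name and placeholder file contents are constructed; the three DLL names are the ones listed in the report.

```python
"""Audit an installer's directory for DLL side-loading candidates (added example)."""
import tempfile
from pathlib import Path

# DLL names the advisory reports the installer probing in its own directory.
PROBED_DLLS = ("SXS.dll", "MSVBVM60.dll", "VCRUNTIME140.dll")


def resolve_dll(name, search_order):
    """Return the first file in `search_order` matching `name` (case-insensitive, as
    on NTFS), or None. The default LoadLibrary order tries the application directory
    before System32, which is what lets a planted copy win over the legitimate one."""
    for directory in search_order:
        directory = Path(directory)
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.is_file() and entry.name.lower() == name.lower():
                return entry
    return None


def audit_installer(installer, system_dirs, probed=PROBED_DLLS):
    """Map each probed DLL name to (resolved_path, shadowed). `shadowed` is True when
    the name resolves to a file outside `system_dirs`, i.e. something next to the
    installer would be loaded instead of the OS-provided DLL."""
    installer = Path(installer)
    search_order = [installer.parent, *system_dirs]
    report = {}
    for name in probed:
        found = resolve_dll(name, search_order)
        in_system = found is not None and any(
            found.parent.resolve() == Path(d).resolve() for d in system_dirs)
        report[name] = (found, found is not None and not in_system)
    return report


def planted_dlls(installer, system_dirs, probed=PROBED_DLLS):
    """Just the paths of DLLs that would shadow the system copies."""
    report = audit_installer(installer, system_dirs, probed)
    return [path for path, shadowed in report.values() if shadowed]


def demo():
    """Constructed layout in a temp dir: a lowercase sxs.dll planted beside the
    installer, genuine SXS.dll and VCRUNTIME140.dll in a fake System32."""
    root = Path(tempfile.mkdtemp())
    app, sysdir = root / "Downloads", root / "System32"
    app.mkdir(); sysdir.mkdir()
    for f in (app / "installer.exe", app / "sxs.dll",
              sysdir / "SXS.dll", sysdir / "VCRUNTIME140.dll"):
        f.write_bytes(b"MZ")  # placeholder bytes, not real PE images
    return audit_installer(app / "installer.exe", [sysdir]), app, sysdir
```

Running `demo()` flags only the lowercase `sxs.dll` beside the installer; `VCRUNTIME140.dll` resolves to the System32 copy and `MSVBVM60.dll` is absent everywhere.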