Bug reports / Unsafe DLL loading vulnerability in version 2.3k
« on: July 29, 2017, 08:30:13 PM »
The HSF Server application passes an insufficiently qualified path when loading an external library when a user launches the application.
Affected Library List
---------------------
# dwmapi.dll
# WindowsCodecs.dll
# apphelp.dll
# RICHED32.dll
# wsock32.dll
# DNSAPI.dll
# IPHLPAPI.dll
# rasadh1p.dll
Please see the following demo. I renamed the malicious DLL file (which executes the calculator) to apphelp.dll in this demo.
https://www.youtube.com/watch?v=VGjRA-P0opM
Thanks
Ye
REFERENCES
https://support.microsoft.com/en-us/help/2389418/secure-loading-of-libraries-to-prevent-dll-preloading-attacks
https://cwe.mitre.org/data/definitions/427.html
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
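
A defender-side check for the condition reported above, added here as an example and not part of the original post or the application's own code: it lists files in an application directory whose names match the report's affected-library list and compares each with the system copy. The function names, directory layout and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names copied from the report's "Affected Library List".
AFFECTED = ["dwmapi.dll", "WindowsCodecs.dll", "apphelp.dll", "RICHED32.dll",
            "wsock32.dll", "DNSAPI.dll", "IPHLPAPI.dll", "rasadh1p.dll"]

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_app_dir(app_dir, system_dir, names=AFFECTED):
    """Report files in app_dir whose name matches a watched DLL name.

    Windows file names are case-insensitive, so names are compared lowercased.
    Each finding says whether a system copy exists and whether contents match.
    """
    watched = {n.lower() for n in names}
    system = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = []
    for p in sorted(Path(app_dir).iterdir()):
        key = p.name.lower()
        if not p.is_file() or key not in watched:
            continue
        sys_copy = system.get(key)
        if sys_copy is None:
            status = "no-system-copy"
        elif sha256(sys_copy) == sha256(p):
            status = "same-as-system"
        else:
            status = "differs-from-system"
        findings.append((p.name, status))
    return findings

def demo():
    """Constructed sample: temp directories stand in for the install dir and System32."""
    with tempfile.TemporaryDirectory() as tmp:
        app, system = Path(tmp, "app"), Path(tmp, "system32")
        app.mkdir()
        system.mkdir()
        (system / "apphelp.dll").write_bytes(b"system build")
        (system / "dwmapi.dll").write_bytes(b"system build")
        (app / "APPHELP.DLL").write_bytes(b"unexpected contents")
        (app / "dwmapi.dll").write_bytes(b"system build")
        (app / "server.exe").write_bytes(b"application binary")
        return audit_app_dir(app, system)

if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

Any hit is worth reviewing, since a same-named file beside the executable is found before the system copy under the default search order; `differs-from-system` is the highest-priority case.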