search

EdZava / VCL-ActiveDirectory4Delphi

Delphi basic library for validation and authentication of LDAP users in Active Directory.
MIT License
82 stars 14 forks source link

VCL-ActiveDirectory4Delphi contain DLL hijacking vulnerability #5

Open mh4x0f opened 10 months ago

mh4x0f commented 10 months ago

Impact

High! VCL-ActiveDirectory4Delphi (current version) was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.

Vulnerability

The file ActiveDirectory.Winapi.DllMapper.pas has two reference to import external DLL from the Windows OS activeds.dll and adsldpc.dll

Here is the current ActiveDirectory.Winapi.DllMapper.pas code:

image ref: https://github.com/EdZava/VCL-ActiveDirectory4Delphi/blob/master/src/Winapi/ActiveDirectory.Winapi.DllMapper.pas#L93

Using the Process Monitor (procmon) it possible to see the external import of the binary TestActiveDirectory.exe on runtime execution.

image

highlighted in red, we can see that be default, if you do not set the path complete of variable, the DLL will be stored in the local directory of the executable, which in my case is C:\Users\mh4x0f\Desktop\activeds.dll and the result is NAME NOT FOUND becasue the file .dll" cannot be faulted into the current directory.

The vulnerability occurs because the VCL-ActiveDirectory4Delphi not set the complete path into code for import only from System32/x.dll

POC

The exploration can be simple in this demo I will show only exploit the activeds.dll but with same modification is possible to apply for adsldpc.dll.

I checked the source of this project the functions you are using that come from the activeds.dll and i found. image

But the attacker can find this using some PE file explorer, i used the die.exe (detect it easy) checkout.

image

After that, I wrote a code .dll and proxy the functions that binary needed to work fine.

image

Then, i rename the project.dll to activeds.dll and moved it to the same path of executable TestActiveDirectory.exe

image

After that, it was only necessary to execute the binary TestActiveDirectory.exe that will see the calc.exe execution the same time.

image

Recommendation

The recommendation is to pass the complete path on System32, the change will force the search file activeds.dll to be in the system directory C:\Windows\System32\activeds.dll the same modification can be added for adsldpc.dll

mh4x0f commented 10 months ago

File used to exploit it activeds.dll.zip

EdZava commented 9 months ago

@mh4x0f What an incredible job! 👏 I'll fix it as soon as possible.

Thank you very much for your contribution.