DLL hijacking

28 Jun 2017

[ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Pro-Face WinGP - Runtime.exe – Insecure Library Loading Allows Code Execution
Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)
AFFECTED PRODUCTS
Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX -> current version
IMPACT
Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges. Read on for details.

15 Jun 2017

Microsoft Office Patch Installers – Insecure Library Loading Allows Code Execution

Microsoft Office Patch Installer Executables – Insecure Library Loading Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading
ABSTRACT
Microsoft Office patch installer executables were found to be vulnerable to a DLL side-loading / hijacking issue. The issue was observed while installing a patch for Microsoft Excel 2013 SP1. A patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior, and other patch installers may be vulnerable as well. In this writeup, I document the MS Excel 2013 patch update KB3127968. Read on for details.

15 Jun 2017

Microsoft Machine Debug Manager (mdm) – Insecure Library Loading Allows Code Execution

Microsoft Machine Debug Manager (mdm) DLL Side Loading Vulnerability
ABOUT
The Machine Debug Manager, mdm.exe, is a program that provides support for program debugging. During testing, it was found that MDM is affected by a DLL hijacking vulnerability. The following conditions are required to exploit the MDM DLL hijacking vulnerability:
  1. MDM (mdm.exe) is installed
  2. Disable script debugging (Other) option is not selected (IE -> Internet Options -> Advanced)
Exploitation could be performed via multiple Windows applications. A few scenarios are documented here. Read on for details.

18 May 2017

[ICS] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-01

BLF-Tech LLC VisualView HMI Insecure Library Loading Allows Code Execution

Vendor: BLF-Tech LLC
Equipment: VisualView HMI Software
Vulnerability: Uncontrolled Search Path Element

Read on for details.

18 May 2017

[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01

Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System Software [IGSS]
Vulnerability: Uncontrolled Search Path Element

Read on for details.

16 May 2017

Rapid7 AppSpider vulnerabilities

Recently, I checked out Rapid7's AppSpider web application testing software. It is a Windows-based application, and the demo version is available for anyone to play with.

I found two vulnerabilities in AppSpider, DLL pre-loading and a buffer overflow, which I then reported privately to the Rapid7 team. The folks at Rapid7 confirmed my reports and released the CVE IDs and fixed versions shortly after.

Here's the writeup from Rapid7's release announcement:

  1. Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves - CVE-2017-5236
  2. Resolved buffer overflow crash in the AppSpider command line tool for inputs. Resolves - CVE-2017-5240

Read on for more details.

25 Mar 2017

[ICS] Sielco Sistemi Winlog SCADA Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-038-01

Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code Execution
Vendor: Sielco Sistemi
Equipment: Winlog SCADA Software
Vulnerability: Uncontrolled Search Path Element

CVE-ID
CVE-2017-5161

Read on for details and PoC.

28 Feb 2017

PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution

Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution (DLL Hijacking Vulnerability)

Confirmed on products
pgAdmin4 v1.1: Current version packaged with PostgreSQL v9.6.1.1 (Windows x86 Current version)

Tested on
Windows 7 SP1 + python 2.7.13 (current version)

Note: this is a vulnerability in Python that manifests through pgAdmin4. Other applications and software that use Python may be vulnerable as well.

This vulnerability can allow attackers to execute arbitrary code on vulnerable installations of pgAdmin4. pgAdmin4 is a GUI application for database server administration and comes packaged with the PostgreSQL package. User interaction is required to exploit this vulnerability: the malicious DLL file(s) must be saved in one of the DLL search paths.

Read on for details and PoC.