Friday, August 2, 2019

Privilege Escalation via Dll Hijacking in Steam Client Service


I discovered DLL hijacking vulnerabilities in the Steam Client Service. It loads (at least) version.dll from its application directory, which is C:\Program Files (x86)\Steam.



Affected executables:
steam.exe
steamerrorreporter64.exe
WriteMiniDump.exe
dota2.exe
steamservice.exe (privilege escalation)
and other executables installed by the Steam client.
Affected DLLs:
VERSION.dll
and other DLLs.
Note: steamservice.exe allows privilege escalation if UAC is disabled for the user.
Impact:

This occurs when an application fails to resolve a DLL because the DLL does not exist in the specified path or search directories. If this happens, a malicious DLL with the same name can be placed in the specified path, leading to remote code execution. Let's assume that the real DLL contains a function called somefunc. The attacker could write a function with the same name but make it do something quite different, such as deleting a file or modifying registry settings. The DLL will run with the same privileges as the user running the application. If the user is logged on with administrative user rights, the attacker could take complete control of the system.
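As an added audit example (not code from the original post), this PowerShell script checks the three conditions that make the hijack described above exploitable on a given machine: whether standard users can plant a file in the Steam application directory, whether version.dll is absent there but present in System32 (so the application-directory slot wins the search order), and which account the Steam Client Service runs as. The install path, the service display-name match and the low-privilege group list are assumptions.

```powershell
# Added audit script, not from the original post. Assumptions: Windows PowerShell 5+,
# run from an elevated prompt so Get-Acl can read the directory, and the Steam path named in the post.
$AppDir = 'C:\Program Files (x86)\Steam'
# DLL the post names as loaded from the application directory ahead of System32.
$ProbeDlls = @('version.dll')

function Test-StandardUserCanPlantFile {
    param([string]$Path)
    # Rights that let a standard user create a file in the directory or delete one already there.
    $plantMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    # Assumed list of identities that map to a non-administrative logon.
    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights (raw values such as 268435456) are not decoded here, so a hit is sufficient, not necessary.
        if (([int]$ace.FileSystemRights) -band ([int]$plantMask)) { return $true }
    }
    return $false
}

function Get-HijackCandidates {
    param([string]$Path, [string[]]$Dlls)
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in $Dlls) {
        $inApp = Test-Path (Join-Path $Path $name)
        $inSys = Test-Path (Join-Path $sys32 $name)
        [pscustomobject]@{
            Dll               = $name
            PresentInAppDir   = $inApp
            PresentInSystem32 = $inSys
            # The application directory is searched first, so an absent copy there is the slot a planted DLL fills.
            Hijackable        = (-not $inApp) -and $inSys
        }
    }
}

# The service account decides the privilege a planted DLL would run with (assumed display-name match).
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like 'Steam Client Service*' }

$writable = Test-StandardUserCanPlantFile -Path $AppDir
"Standard users can plant files in ${AppDir}: $writable"
Get-HijackCandidates -Path $AppDir -Dlls $ProbeDlls | Format-Table -AutoSize
if ($svc) { "Service '$($svc.Name)' runs as $($svc.StartName) from $($svc.PathName)" }
```

A directory that reports writable, a DLL that reports Hijackable, and a service running as LocalSystem together reproduce the exposure the post describes; tightening the directory ACL so only administrators can create or delete files removes the planting step.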

POC: 



