Friday, August 9, 2019

Telerik Fiddler Application Privilege Escalation via Dll Hijacking


The Fiddler application's default installation path is writable by the user.


The EnableLoopback feature loads DLL files that do not exist in that directory. So, if a malicious DLL with one of those names is placed in that folder and the WinConfig feature in Fiddler is launched, the malicious payload will execute.


Affected executable files:
fiddler.exe
EnableLoopback.exe (privilege escalation)

Affected DLLs:
imageres.dll
bcp47mm.dll
shlwapi.dll
fwbase.dll
DNSAPI.dll
FirewallAPI.dll
WindowsCodecs.dll
CRYPTBASE.dll
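As an added defensive check, not part of the original post: a PowerShell audit that, given the Fiddler install directory, reports whether low-privilege principals (or the current user) hold write rights on it and whether any of the DLL names listed above is already sitting beside the executables. The install path is a parameter, not an assumed default.

```powershell
# Added audit script, not from the original post. Assumes the caller supplies
# the folder that contains fiddler.exe and EnableLoopback.exe.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir
)

# DLL names the post lists as resolved from the application directory.
$hijackableDlls = @(
    'imageres.dll', 'bcp47mm.dll', 'shlwapi.dll', 'fwbase.dll',
    'DNSAPI.dll', 'FirewallAPI.dll', 'WindowsCodecs.dll', 'CRYPTBASE.dll'
)

# Everyone, Authenticated Users, BUILTIN\Users: none should be able to write
# into a directory from which an elevated binary loads code.
$lowPrivSids    = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$currentUserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Rights that allow creating or replacing files (Modify/FullControl include them).
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData

$findings = @()

# 1. Directory ACL: who can drop a file here?
$acl = Get-Acl -LiteralPath $InstallDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # unresolvable account; skip rather than abort
    if ($lowPrivSids -contains $sid -or $sid -eq $currentUserSid) {
        $findings += "Writable by $($ace.IdentityReference): $($ace.FileSystemRights)"
    }
}

# 2. Planted DLLs: these names normally resolve from System32, so a copy next
#    to the executables is exactly what a hijack looks like. Report its signature.
foreach ($name in $hijackableDlls) {
    $candidate = Join-Path $InstallDir $name
    if (Test-Path -LiteralPath $candidate) {
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        $findings += "DLL present in app directory: $candidate (signature: $($sig.Status))"
    }
}

if ($findings.Count -eq 0) { "No DLL-hijack exposure found in $InstallDir" } else { $findings }
```

Run it from an unelevated prompt so the current-user check reflects the account that would plant the file; a writable directory plus an elevated EnableLoopback.exe is the condition the post describes.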



PoC video: (embedded video not reproduced here)
More details about DLL hijacking:
https://attack.mitre.org/techniques/T1038/
https://resources.infosecinstitute.com/mitre-attck-vulnerability-dll-search-order-hijacking/
https://cwe.mitre.org/data/definitions/427.html


