Summary
Product Name: WordPress Desktop Application ( 4.3.0.44794 )
Impact: High. This occurs when an application fails to resolve a DLL because the DLL does not exist in the specified path or in the search directories. If this happens, a malicious DLL with the same name can be placed in one of those directories, leading to remote code execution.
Vulnerability Type: DLL Preloading
DLL: igdgmm64.dll
Affected process: WordPress.com.exe
Attack Vector: local
Description
When a user launches the WordPress desktop application, the WordPress.com.exe process tries to load igdgmm64.dll from several locations.
PoC
WordPress.com.exe tries to load igdgmm64.dll, which does not exist, from several folders.
Drop a malicious DLL into a writable folder ( C:\python27 ).
Then launch the application; the malicious DLL will be loaded by that process.
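A defensive check for the condition the PoC depends on, added here as an example and not part of the original report: it lists the PATH directories (which Windows includes in the DLL search order) where the current user can create files, and notes whether a file named igdgmm64.dll is already present there. The function names are hypothetical.

```python
import os
import tempfile

DLL_NAME = "igdgmm64.dll"  # DLL named in the report


def can_create_file(directory):
    """True if the current user can create a file in directory."""
    try:
        # Real create attempt: os.access() does not evaluate Windows ACLs.
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False


def audit_search_path(path_value, dll_name=DLL_NAME, sep=os.pathsep):
    """Return findings for PATH entries that the current user can write to.

    Each finding is (directory, dll_present): dll_present means a file with
    the DLL's name already sits in that writable directory.
    """
    findings = []
    seen = set()
    for entry in path_value.split(sep):
        directory = os.path.expandvars(entry.strip().strip('"'))
        if not directory:
            continue
        key = os.path.normcase(os.path.abspath(directory))
        if key in seen:
            continue  # PATH often lists the same directory twice
        seen.add(key)
        if os.path.isdir(directory) and can_create_file(directory):
            present = os.path.isfile(os.path.join(directory, dll_name))
            findings.append((directory, present))
    return findings


if __name__ == "__main__":
    # Run as the unprivileged account that launches the application.
    for directory, present in audit_search_path(os.environ.get("PATH", "")):
        note = f"writable, contains {DLL_NAME}" if present else "writable"
        print(f"{directory}: {note}")
```

Any directory it reports should either have its ACL tightened so that only administrators can write to it, or be removed from PATH.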
References:
https://attack.mitre.org/techniques/T1038/
http://www.bluekaizen.org/dll-hijacking-2/
https://pentestlab.blog/2017/03/27/dll-hijacking/
https://astr0baby.wordpress.com/2018/09/08/understanding-how-dll-hijacking-works/