Tuesday, September 10, 2019

DLL Search Order Hijacking in WordPress desktop app

Summary

Product Name: WordPress Desktop Application (4.3.0.44794)

Impact: High. This occurs when an application fails to resolve a DLL because the DLL does not exist in the specified path or search directories. If this happens, a malicious DLL with the same name can be placed in the specified path directory, leading to remote code execution.
Vulnerability Type: DLL Preloading
DLL: igdgmm64.dll
Affected process: WordPress.com.exe 
Attack Vector: local

Description

When a user launches the WordPress desktop application, the WordPress.com.exe process tries to load igdgmm64.dll from different locations.

PoC


WordPress.com.exe tries to load igdgmm64.dll, which does not exist, from different folders.



Drop a malicious DLL into a writable folder (C:\python27), then launch the application; the malicious DLL will be loaded by that process.
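
A defensive audit for the condition the PoC relies on, added here as an example and not part of the original advisory: it walks a list of search directories in order and reports those the current user can write to before `igdgmm64.dll` is resolved. It assumes the writable folder is reached through the `PATH` portion of the DLL search order; `plantable_dirs` and `is_writable` are hypothetical helper names.

```python
import os
import tempfile


def is_writable(directory):
    """Probe writability by creating a temp file that is deleted on close."""
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False


def plantable_dirs(dll_name, search_dirs=None):
    """Return the writable directories that are searched before dll_name is
    found. A same-named file placed in any of them would be loaded first."""
    if search_dirs is None:
        # Assumption: only the PATH portion of the search order is audited.
        search_dirs = os.environ.get("PATH", "").split(os.pathsep)
    findings = []
    for d in search_dirs:
        if not d or not os.path.isdir(d):
            continue  # empty or stale entry
        try:
            present = {name.lower() for name in os.listdir(d)}
        except OSError:
            continue  # unreadable directory, cannot assess
        if dll_name.lower() in present:
            break  # the DLL resolves here; later directories are never reached
        if is_writable(d):
            findings.append(d)
    return findings


if __name__ == "__main__":
    for d in plantable_dirs("igdgmm64.dll"):
        print("writable directory searched before the DLL is found:", d)
```

Run it as the unprivileged user the application runs under; each reported directory should have its ACL tightened or be removed from `PATH`.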







