Adobe Flash Player DLL Hijacking

2016.06.18
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hi @ll, the executable (un)installers for Flash Player before version 22.0.0.192 and 18.0.0.360 (both released on 2016-06-15) are vulnerable to DLL hijacking: they load and execute multiple Windows system DLLs from their "application directory" instead of Windows' "system directory" %SystemRoot%\System32\. On Windows 7 and before they also (try to) load PCACli.dll and API-MS-Win-Downlevel-Shell32-l1-1-0.dll from the PATH: PCACli.Dll and API-MS-Win-Downlevel-Shell32-l1-1-0.dll are not present there, these DLLs were first shipped with Windows 8. On Windows XP and before they additionally try to load DWMAPI.dll, PropSys.dll, DevRtl.dll and RPCRTRemote.dll from the PATH: these DLLs were first shipped with Windows Vista. See <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> and <https://capec.mitre.org/data/definitions/471.html> for details about this well-known and well-documented beginner's error! Due to the application manifest embedded in the executables which specifies "requireAdministrator" the installers are run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege! Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. visit (and read) <http://home.arcor.de/skanthak/sentinel.html>, then download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save it as PCACli.dll, API-MS-Win-Downlevel-Shell32-l1-1-0.dll, DWMAPI.dll, RPCRTRemote.dll, OLEAcc.dll, PSAPI.dll, SetupAPI.dll, ClbCatQ.dll, WSock32.dll, WS2_32.dll, HNetCfg.dll, DNSAPI.dll, IPHlpAPI.dll, RASAPI32.dll, SensAPI.dll, RASAdHlp.dll, RASMan.dll plus UserEnv.dll, COMRes.dll, WS2Help.dll, TAPI32.dll, RTUtils.dll SAMLib.dll and WinMM.dll in your "Downloads" directory; 2. fetch the (un)installers for Flash Player released before 2016-06-15 from Adobe's web site and save them in your "Downloads" directory; 3. run the (un)installers downloaded in step 2 and notice the message boxes displayed from the DLLs placed in step 1. PWNED! JFTR: since the (un)installers are 32-bit programs and (un)install both the 32-bit and 64-bit versions of Flash Player this POC works on 64-bit Windows too. stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2016-03-12 first vulnerability report sent to Adobe 2016-03-13 Adobe acknowledged the receipt 2016-04-06 Adobe informed about the upcoming patch to be released 2016-04-07 and the assignment of CVE-2016-1014 2016-04-17 second vulnerability report sent to Adobe: the "fixed" (un)installers are still vulnerable, they just load some other DLLs now 2016-04-20 Adobe confirmed the second report and announced to fix the vulnerability in the June update 2016-06-15 Adobe released fixed (un)installers 2016-06-17 report published


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top