Affected Product: Gom Player 2.3 Installer for Windows PC
Credit: Souhardya Sardar and Rohit Bankoti
Contact: facebook.com/SouhardyaSardar.py
*Summary:*
Gom Player Installer contains a DLL hijacking vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system and gain elevated privileges. The vulnerability exists because a
DLL file is loaded improperly by 'GOMPLAYERGLOBALSETUP.exe'. This allows an
attacker to load a DLL file of the attacker's choosing that could
execute arbitrary code without the user's knowledge.
*Tested on*: Windows 7 Ultimate 6.1.7601 Service Pack 1 Build 7601
*Impact:*
An attacker can exploit this vulnerability to load a DLL file of the
attacker's choosing that could execute arbitrary code. This may help an
attacker to successfully exploit the system if the user creates a shell as a DLL.
If an attacker places a malicious DLL in the user's "Downloads" directory,
this vulnerability becomes an arbitrary code execution.
*Proof of concept/demonstration*:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Create a malicious 'Cabinet.dll' file and save it in your "Downloads"
directory.
2. Download 'GOMPLAYERGLOBALSETUP.exe' and save it in your "Downloads" directory.
3. Execute the .exe from your "Downloads" directory.
4. The malicious DLL file gets executed.
Almost all executable installers (and self-extractors as well
as "portable" applications too) for Windows have a well-known
(trivial, trivial to detect and trivial to exploit) vulnerability:
they load system DLLs from their "application directory" (or a
temporary directory they extract their payload to) instead of
"%SystemRoot%\System32\".
| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location
|   is constant.
| * Load as data file when required.
| * Make use of code signing infrastructure or AppLocker.
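
A detection check for the load pattern described above (a system DLL name resolved from the installer's own directory or a temporary extraction directory instead of System32), as an added example that is not part of the original advisory. It assumes image-load records shaped like Sysmon Event ID 7 (fields Image and ImageLoaded); the sample events, user name, temporary path and the short system DLL list are constructed.

```python
import ntpath  # Windows path semantics on any OS, so logs can be triaged offline

# Assumption: constructed subset of DLL names that ship in %SystemRoot%\System32.
# On a real deployment, build this set by listing System32 on a clean host.
SYSTEM_DLL_NAMES = {"cabinet.dll", "version.dll", "kernel32.dll"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _norm_dir(path):
    """Directory of a Windows path, lower-cased with separators normalised."""
    return ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))

def find_hijacked_loads(events, system_dlls=SYSTEM_DLL_NAMES, trusted=TRUSTED_DIRS):
    """Flag loads of a system DLL name from outside the trusted system directories."""
    findings = []
    for ev in events:
        dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
        dll_dir = _norm_dir(ev["ImageLoaded"])
        if dll_name not in system_dlls or dll_dir in trusted:
            continue  # not a system DLL name, or loaded from the expected place
        findings.append({
            "process": ev["Image"],
            "dll": dll_name,
            "loaded_from": dll_dir,
            # True when the DLL sat next to the executable (application directory)
            "from_app_dir": dll_dir == _norm_dir(ev["Image"]),
        })
    return findings

# Constructed sample records (not taken from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\GOMPLAYERGLOBALSETUP.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Cabinet.dll"},
    {"Image": r"C:\Users\alice\Downloads\GOMPLAYERGLOBALSETUP.exe",
     "ImageLoaded": r"C:\Windows\System32\cabinet.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ext1\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\ext1\VERSION.dll"},
]

if __name__ == "__main__":
    for hit in find_hijacked_loads(SAMPLE_EVENTS):
        print(f'{hit["process"]} loaded {hit["dll"]} from {hit["loaded_from"]}')
```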