VMware ThinApp DLL Hijacking

Credit: houjingyi
Risk: High
Local: Yes
Remote: No
CWE: CWE-269

CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

A few months ago I disclosed IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability(0day) I found: https://seclists.org/fulldisclosure/2021/Feb/73 In that post I mentioned the vulnerability did not get fully patched. After I told IBM on hackerone that I disclosed it, hackerone asked me to delete the post, IBM apologized and fully patched the vulnerability. But this is not the point today. I found a similar problem in VMware-ThinApp-Enterprise-5.2.9-17340778.exe. After install the software create C:\DummyTLS and rename a dll you want to load to dummyTLS.dll and put it to C:\DummyTLS\dummyTLS.dll. Run "C:\Program Files (x86)\VMware\VMware ThinApp\Setup Capture.exe" and C:\DummyTLS\dummyTLS.dll will be loaded. (other exe like log_monitor.exe/snapshot.exe vulnerable too). This is also because they use code like: LoadLibraryExW(L"\\DummyTLS\\dummyTLS.dll", 0, 0); In short, Windows will treat relative path in LoadLibrary(and many other functions) as the path rooted relative to the current disk designator. Let us look into code in ntdll.dll. The logic here is: KernelBase!LoadLibraryExW->ntdll!LdrpLoadDll->ntdll!LdrpPreprocessDllName. In LdrpPreprocessDllName after calling RtlDetermineDosPathNameType_Ustr it will return 4(RtlPathTypeRooted). And after calling LdrpGetFullPath we get "C:\DummyTLS\dummyTLS.dll"! You should not call LoadLibrary with the relative path. In fact, using relative path is dangerous in many cases. This was fixed in 2021-07-13 as CVE-2021-22000 and the advisory is here : https://www.vmware.com/security/advisories/VMSA-2021-0015.html. For these vulnerabilities I will post a summary at https://houjingyi233.com.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top