CVE-2022-26200: GitHub - ScriptIdiot/DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4
Technitium Installer v4.4 was discovered to allow attackers to execute arbitrary code or escalate privileges by placing a crafted DLL in the same directory as the installer.
DLL-Hijacking-Vulnerability-in-Technitium-Installer-v4.4
Vulnerable Software and Version:
- Technitium Installer v4.4
Vulnerable software download link:
https://technitium.com/tmac/
Date discovered and reported:
25 Feb 2022
Description:
Technitium Installer v4.4 is vulnerable to DLL hijacking via the current working directory (CWD): placing a crafted x86 SXS.dll in the same directory as the installer leads to arbitrary code execution, and to privilege escalation, because the installer requires administrator rights to run by design. The planted DLL must match the installer's bitness (x86), otherwise the loader rejects it.
The installer probes for the following DLLs in its current directory; only SXS.dll was tested and hijacked successfully:
- SXS.dll
- MSVBVM60.dll
- VCRUNTIME140.dll
Attack vector:
Taking SXS.dll as an example: place the crafted DLL in the same directory as the installer. Whenever a user launches the installer, the DLL is loaded from that directory and its code runs with the installer's administrator privileges, giving arbitrary code execution and privilege escalation. Because the installer's directory (typically a download folder) is writable by an unprivileged user, that user can plant the DLL and wait for an administrator to run the installer.
PoC code for the DLL can be found in my repository.
Attack steps:
Craft a malicious x86 DLL named "SXS.dll" with a DllMain entry point and drop it into the same directory as the installer.
Double-click the installer; administrator privileges are required to run it.
The malicious DLL is loaded by the elevated installer, and an administrator shell is obtained as the PoC.
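The steps above depend on two preconditions: the installer's directory must be writable by a lower-privileged principal, and the probed DLL names must be absent from that directory (or replaceable) so the planted copy is picked up by the elevated process. The following PowerShell script is an added example, not part of this advisory or of the Technitium project, for checking those preconditions against a downloaded installer. The script name, parameter name and the `Get-PeMachine` helper are assumptions introduced here; the three DLL names are the ones listed in the advisory. It reports the installer's bitness (a planted DLL must match it), whether Everyone, Users or Authenticated Users can write to the directory, and for each probed DLL whether a copy is already present and whether that copy carries a valid Authenticode signature.

```powershell
# Check-DllPlanting.ps1 (hypothetical name): assess exposure of an installer's
# directory to the CWD DLL hijack described in the advisory. Added example, not
# the advisory's own code. DLL names are taken from the advisory.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

$dllNames = @('SXS.dll', 'MSVBVM60.dll', 'VCRUNTIME140.dll')

# Read the PE header to learn the image's target architecture; a planted DLL
# must match it (the advisory hijacks a 32-bit SXS.dll).
function Get-PeMachine {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not a PE file' }
    $peOffset = [int][BitConverter]::ToUInt32($bytes, 0x3C)          # e_lfanew
    if ($peOffset + 6 -gt $bytes.Length) { return 'truncated PE' }
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return 'bad PE signature' }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)        # IMAGE_FILE_HEADER.Machine
    switch ($machine) {
        0x14c   { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:x}' -f $machine }
    }
}

$installer = (Resolve-Path -LiteralPath $InstallerPath).Path
$dir = Split-Path -Path $installer -Parent

# Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users. Any Allow ACE
# granting them WriteData/AppendData (also implied by Modify and FullControl)
# means a non-admin can drop a file that an admin's double-click will then load.
$lowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$dirWritable = $false
foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # orphaned or untranslatable identity
    if ($lowPrivSids -contains $sid -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
        $dirWritable = $true
    }
}

Write-Host ("Installer : {0} ({1})" -f $installer, (Get-PeMachine -Path $installer))
Write-Host ("Directory : {0}" -f $dir)
Write-Host ("Writable by Everyone/Users/Authenticated Users: {0}" -f $dirWritable)

$findings = foreach ($name in $dllNames) {
    $candidate = Join-Path -Path $dir -ChildPath $name
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        # A copy already sits beside the installer: it will be loaded in preference
        # to the system one, so its signature status decides whether to worry.
        $sig = Get-AuthenticodeSignature -LiteralPath $candidate
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $note = 'signed copy present'
        if ($sig.Status -ne 'Valid') { $note = 'unsigned or tampered DLL beside installer: investigate' }
        [pscustomobject]@{ Dll = $name; Present = $true; Arch = (Get-PeMachine -Path $candidate); Signature = $sig.Status; Signer = $signer; Note = $note }
    } else {
        $note = 'missing; directory not writable by standard users'
        if ($dirWritable) { $note = 'missing and directory is user-writable: plantable' }
        [pscustomobject]@{ Dll = $name; Present = $false; Arch = ''; Signature = 'n/a'; Signer = ''; Note = $note }
    }
}
$findings | Format-Table -AutoSize
```

Run it as `.\Check-DllPlanting.ps1 -InstallerPath <path-to-installer.exe>` from a normal user session. A row reading "missing and directory is user-writable: plantable" reproduces the advisory's precondition for that DLL name; a present copy whose Signature is not Valid should be treated as a possible planted payload. The script only confirms the file-system side of the problem; that the installer actually probes its own directory for these names is an observation about the loader, which is what the advisory reports for SXS.dll.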