Created December 4, 2019 14:39
Platform: Windows 10 version 1903
Class: Privilege Escalation
Product: CatalystProductionSuite.2019.1.exe
Version: 1.1.0.21
Product: CatalystBrowseSuite.2019.1.exe
Version: 1.1.0.21
Summary:
A low-privileged malicious user can escalate their privileges whenever the CatalystProductionSuite.2019.1.exe or CatalystBrowseSuite.2019.1.exe installer runs.
The vulnerability is a DLL hijacking issue.
The installers try to load DLLs that do not exist from their current directory;
both installers try to load a DLL named "NETUTILS.dll". Because of this, an attacker who can place a file of that name in the installer's directory can quickly escalate their privileges.
Additional missing DLL list:
1. MSIMG32.dll
2. VERSION.dll
3. WINMM.dll
4. WININET.dll
5. WTSAPI32.dll
6. MSVFW32.dll
7. WINMMBASE.dll
8. winnlsres.dll
9. RichEd20.dll
10. USP10.dll
11. msls31.dll
12. imageres.dll
13. srpapi.dll
14. MsiMsg.dll
15. WKSCLI.dll
Steps to reproduce:
1. Use a DLL proxy to the OS DLLs.
2. Place the malicious DLL in the current directory of the installers.
3. Finally, the installers try to load DLLs from the current directory, such as NETUTILS.dll for CatalystProductionSuite.2019.1.exe and CatalystBrowseSuite.2019.1.exe, and many more DLLs that could also be hijacked.
Impact:
1. Privilege Escalation
2. DoS
Mitigation:
- Don't load DLLs from the current directory
Eli Paz,
CyberArk Labs
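As an added defensive example (not part of the advisory or of CyberArk's tooling), the following PowerShell pre-install check looks for the DLL names listed above sitting beside the installer, records their signer and hash, and reports whether low-privileged principals can write to that directory, which is the precondition for another user to plant a DLL there. The installer directory path is an assumption; adjust it to where the installers are actually stored.

```powershell
# Added example, not from the original advisory: check an installer's
# directory for planted copies of the DLLs the Catalyst installers search
# for in their current directory. $InstallerDir is an assumed location.
param(
    [string]$InstallerDir = "$env:USERPROFILE\Downloads"
)

# DLL names taken from the advisory's list of DLLs loaded from the current directory.
$HijackableDlls = @(
    'NETUTILS.dll','MSIMG32.dll','VERSION.dll','WINMM.dll','WININET.dll',
    'WTSAPI32.dll','MSVFW32.dll','WINMMBASE.dll','winnlsres.dll','RichEd20.dll',
    'USP10.dll','msls31.dll','imageres.dll','srpapi.dll','MsiMsg.dll','WKSCLI.dll'
)

# 1. Can low-privileged principals write into the directory the installer runs from?
$acl  = Get-Acl -LiteralPath $InstallerDir
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
    $_.FileSystemRights  -match 'Write|Modify|FullControl'
}
if ($weak) {
    Write-Warning "$InstallerDir is writable by: $(($weak.IdentityReference | Select-Object -Unique) -join ', ')"
}

# 2. Are any of the searched-for DLL names already present beside the installer?
#    These libraries belong in System32; a copy here is exactly the advisory's condition.
$findings = foreach ($name in $HijackableDlls) {
    $path = Join-Path $InstallerDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Dll      = $name
        Path     = $path
        SigState = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Sha256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

if ($findings) {
    Write-Warning "Found $(@($findings).Count) DLL(s) beside the installer; do not run it until they are explained:"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No hijackable DLL names present in $InstallerDir"
exit 0
```

Run it as the account that will launch the installer; a non-zero exit means a planted DLL was found and the installer should not be started from that directory.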
Hello Mr Eli-Paz,
I tried to replicate the vulnerability on the exact same version you mentioned. I was able to spawn a shell, but it has the same privileges as the user executing the installer file.
Please let me know if I am missing any step.