VCL-ActiveDirectory4Delphi contain DLL hijacking vulnerability #5
Labels
enhancement
New feature or request
Comments
|
File used to exploit it |
|
@mh4x0f Thank you very much for your contribution. |
|
@jmgway, I haven't been able to do it yet. But the project is open to contributions, so if you'd like to do it, we'd be happy to review and accept your PR. |
|
HelloThanks for answering !Ok fine !Did you test it with FMX ?Jmichel Envoyé de mon iPhoneLe 8 oct. 2024 à 20:59, Zava ***@***.***> a écrit :
@jmgway, I haven't been able to do it yet. But the project is open to contributions, so if you'd like to do it, we'd be happy to review and accept your PR.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
@jmgway |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Impact
High! VCL-ActiveDirectory4Delphi (current version) was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
Vulnerability
The file
ActiveDirectory.Winapi.DllMapper.pashas two reference to import external DLL from the Windows OSactiveds.dllandadsldpc.dllHere is the current
ActiveDirectory.Winapi.DllMapper.pascode:ref: https://github.com/EdZava/VCL-ActiveDirectory4Delphi/blob/master/src/Winapi/ActiveDirectory.Winapi.DllMapper.pas#L93
Using the
Process Monitor (procmon)it possible to see the external import of the binary TestActiveDirectory.exe on runtime execution.highlighted in red, we can see that be default, if you do not set the path complete of variable, the DLL will be stored in the local directory of the executable, which in my case is
C:\Users\mh4x0f\Desktop\activeds.dlland the result isNAME NOT FOUNDbecasue the file .dll" cannot be faulted into the current directory.The vulnerability occurs because the VCL-ActiveDirectory4Delphi not set the complete path into code for import only from
System32/x.dllPOC
The exploration can be simple in this demo I will show only exploit the
activeds.dllbut with same modification is possible to apply foradsldpc.dll.I checked the source of this project the functions you are using that come from the
activeds.dlland i found.But the attacker can find this using some PE file explorer, i used the die.exe (detect it easy) checkout.
After that, I wrote a code .dll and proxy the functions that binary needed to work fine.
Then, i rename the project.dll to
activeds.dlland moved it to the same path of executableTestActiveDirectory.exeAfter that, it was only necessary to execute the binary
TestActiveDirectory.exethat will see the calc.exe execution the same time.Recommendation
The recommendation is to pass the complete path on System32, the change will force the search file activeds.dll to be in the system directory
C:\Windows\System32\activeds.dllthe same modification can be added foradsldpc.dllThe text was updated successfully, but these errors were encountered: