Advertisement






Windows 7 x86 dwmapi.dll arbitrary code execution leading to privillege escallation

CVE Category Price Severity
N/A CWE-119 $5000 Critical
Author Risk Exploitation Type Date
Unknown High Local 2018-01-03
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018010021

Below is a copy:

Windows 7 x86 dwmapi.dll arbitrary code execution leading to privillege escallation
Vendor : Microsoft Corporation 
Affected Product : Windows 7 x86 and hopefully Vista too 
Author : Souhardya Sardar and Rohit Bankoti
Contact : https://www.linkedin.com/in/souhardya-sardar-82b57b140 / https://in.linkedin.com/in/rohitbankoti
Email : [email protected]

Tested on : Windows 7 Ultimate x86  6.1.7601 Service Pack 1 Build 7601

Overview : 

dwmapi.dll which is a part of Desktop Window Manager (DWM, previously Desktop Compositing Engine or DCE) is the window manager in Windows Vista, Windows 7, Windows 8 and Windows 10 .. is located in system32 

Almost all executable installers (and self-extractors as well
as "portable" applications too) for Windows have a well-known
(trivial, trivial to detect and trivial to exploit) vulnerability:
they load system DLLs from their "application directory" (or a
temporary directory they extract their payload to) instead of
"%SystemRoot%\System32\" hence dwmapi.dll is supposed to be called from system32 directory only 

But the case here is opposite if a attacker places a dll with the name of dwmapi.dll in the same directory of say software abc.exe .... when abc.exe is executed the malicious dll is also executed with it 


If an attacker places malicious DLL in the user's "Downloads" directory
(for example per "drive-by download" or "social engineering") this
vulnerability becomes a remote code execution.


Proof of concept :- 

1. Create a malicious 'dwmapi.dll' file and save it in your "Downloads"
directory.

2. Download say a vulnerable software say abc.exe from abc.com 

3. Execute abc.exe from your " Downloads " directory 

4. The malicious dll 'dwmapi.dll' file gets executed instead of the original dwmapi.dll which is located in  "%SystemRoot%\System32\dwmapi.dll"

To make things worse: executable installers (and all DLLs they load)
are typically run with administrative privileges, either due to
their application manifest (specifying "requireAdministrator") or
the "installer detection" of Windows' "user account control" (see
<https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>):
"protected" administrators are prompted for consent, unprivileged
standard users are prompted for an administrator password. 

References of our discovery :- 

https://cxsecurity.com/issue/WLB-2018010011
https://cxsecurity.com/issue/WLB-2018010008
https://cxsecurity.com/issue/WLB-2018010010
https://cxsecurity.com/issue/WLB-2018010009 





Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.