
OneDrive and Teams – DLL Hijacking

DLL hijacking is an attack that exploits the Windows DLL search and load algorithm, allowing an attacker to inject code into an application through disk manipulation. In other words, simply putting a DLL file in the right place causes a vulnerable application to load that malicious DLL.

Vulnerable Applications:

https://www.microsoft.com/en-us/microsoft-teams/log-in

https://www.microsoft.com/en-us/microsoft-365/onedrive/online-cloud-storage

Vulnerable versions:

Microsoft Teams 1.4.00.11161 (64-bit) and Update.exe v1.10.63.0

OneDrive 21.073.0411.0001

Steps to reproduce:

1 – Put a malicious DLL in the vulnerable DLL location
2 – Open Advanced IP Scanner, and run it in portable mode
3 – The malicious DLL is going to be executed

MICROSOFT TEAMS

These are some of the DLLs tested and working:
ncrypt.dll
CRYPTBASE.DLL
CRYPTSP.dll
crypt32.dll
MSASN1.dll
wintrust.dll

Please consider that I know that folder permissions do not allow an unprivileged user to access the path, but it is clear that Update (from Teams) is missing some controls over these DLL files, since some of them are blocked from being loaded and executed.
E.g.
1 – Using «C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\ncrypt.dll» -> DLL loaded and executed
2 – Using «C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\winnlsres.dll» -> the content of the DLL is not executed
3 – Using «C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\MSVCP140_CLR0400.dll» -> will lead to an error and Teams is not going to be opened

Teams: VULN-048012

ONEDRIVE

These are some of the DLLs tested and working:
SspiCli.dll
iertutil.dll
ncrypt.dll
CRYPTBASE.DLL
CRYPTSP.dll
profapi.dll
OneDriveTelemetryExperimental.dll
FileSyncTelemetryExtensions.dll

It was discovered that OneDrive insecurely loads some DLL files, regardless of whether they are legitimate or not.
Putting a crafted DLL file in the folder «C:\Users\AppData\Local\Microsoft\OneDrive\» leads to OneDrive loading and executing the DLL.

OneDrive: VULN-047956
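
A defensive check for the condition described above, as an added example that is not part of the original post or of any Microsoft tooling: it lists DLLs in the per-user Teams and OneDrive folders whose file name matches a DLL in System32 (ncrypt.dll, CRYPTBASE.DLL and similar), so they can be reviewed. The function names are hypothetical, and the folder locations are assumed to resolve through the LOCALAPPDATA and SystemRoot environment variables.

```python
"""Flag DLLs in a per-user app folder that carry the name of a System32 DLL."""
import hashlib
import os
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """List DLLs in app_dir whose name matches a DLL in system_dir.

    Windows file names are case-insensitive, so names are compared lower-cased.
    """
    system_dlls = {
        entry.name.lower(): entry
        for entry in Path(system_dir).iterdir()
        if entry.is_file() and entry.suffix.lower() == ".dll"
    }
    findings = []
    for entry in sorted(Path(app_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        system_copy = system_dlls.get(entry.name.lower())
        if system_copy is None:
            continue  # the application's own DLL, not a system name
        findings.append({
            "path": str(entry),
            "shadows": str(system_copy),
            # A copy that differs from the system file deserves review first.
            "same_content": sha256_of(entry) == sha256_of(system_copy),
        })
    return findings


def scan_default_locations():
    """Scan the Teams and OneDrive folders named on this page (current user)."""
    local, root = os.environ.get("LOCALAPPDATA"), os.environ.get("SystemRoot")
    if not local or not root:
        return []  # assumption: both variables are set in a Windows session
    results = []
    for product in ("Teams", "OneDrive"):
        folder = Path(local) / "Microsoft" / product
        if folder.is_dir():
            results.extend(find_shadowing_dlls(folder, Path(root) / "System32"))
    return results
```

Calling `scan_default_locations()` in a user session returns one entry per same-named DLL. Application-specific DLL names are outside the scope of a System32 name match and need a signature or allow-list check instead.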
