DLL hijacking in TOTOLINK A600UB Driver Installer
Introduction
In this article, we will explore a DLL Hijacking vulnerability detected in a driver installer for Realtek, used by the device company TOTOLINK in one of its USB modems. We will analyze how this vulnerability works and its implications in terms of security. Through this analysis, we aim to provide a deep understanding of this threat and promote more robust development and security practices to prevent future incidents.
What is DLL Hijacking?
DLL Hijacking is an attack technique that exploits the way Windows loads dynamic link libraries (DLLs). When an application requires a DLL, Windows follows a search order to locate it. An attacker can place a malicious DLL in a preferred location within this order, causing it to load instead of the legitimate DLL. This allows the attacker to execute malicious code with the same privileges as the application, potentially compromising the system and performing unauthorized actions.
Technical Details
- Installer Executable
- Operating System: Windows 10/8.1/8/7/XP
- Download Binarie: https://totolink.com.my/products/a600ub/
Exploitation Process
Upon downloading and executing the binary, it presents two installation options: the first allows the installation of the Wi-Fi driver, while the second option is for installing the Bluetooth driver. Both drivers are installed and are ultimately stored on the disk.
After completing the installation and configuration process, the corresponding files are saved on the hard drive, specifically in the path C:\Program Files\TOTOLINK\WiFiAutoInstall.
When executing the corresponding binary, it can be observed, through the use of the Procmon tool, that the binary makes calls to several DLLs. However, these DLLs are not present on the system or in the current path of the binary, allowing the end user to add a custom DLL to execute a specific action.
It can be observed that lpVerb is set to "runas," which indicates that the program will run with administrator privileges, activating User Account Control (UAC). This will then execute WifiAutoInstallDriver.exe, which is set in lpFile.
Here is a basic code to create a test DLL that executes cmd.exe when loaded.
Exploitation Chain Flow
With the identification of the missing DLL and the creation of a custom DLL, the attacker could place this DLL in a directory from which the trusted binary can load it. The attacker could then wait for an administrator to execute the legitimate binary or use social engineering techniques to convince a user with appropriate permissions to run the binary. This would cause the binary to load the malicious DLL, allowing the attacker to elevate their privileges on the system.
Video PoC
Conclusion
The analysis of the DLL Hijacking vulnerability in the TOTOLINK A600UB driver installer reveals a critical security gap that can be easily exploited to compromise systems. By detecting and taking advantage of the absence of certain DLLs during the installation process, an attacker has the opportunity to inject malicious code, achieving privilege escalation that grants control over the affected system. This type of vulnerability underscores the urgent need to adopt more secure development practices, such as thorough validation of loaded files and careful management of DLL search paths.
Bye, see you soon…
DLL hijacking in TOTOLINK A600UB Driver Installer was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
目录
最新
- Docker/Kubernetes (K8s)Penetration Testing Checklist
- TryHackme’s Advent of Cyber 2024 — Day 03 Writeup
- Tricky & Simple EXIF protection Bypass
- Critical Bug: Deny Sign-In & Steal Sensitive Info on Behalf of Victims
- All UPI IDs in India have Predictable Patterns that allow the disclosure of mail IDs
- How to Threat Model: A Guide to Effectively Mapping your Attack Surface
- Web Cache Poisoning: WWWWWH?
- TryHackme’s Advent of Cyber 2024 — Day 02 Writeup