By Oliver Sartori, Information Security Researcher at Real Protect

Weekends are days reserved for going deeper into some known topic and filling the gaps. This weekend it was DLL hijacking's turn.

After watching some videos and reading some articles I was ready to start the hunt. With all the hype, I started to “debug” some installers and, not to my surprise, I could not find anything at all. Why wasn’t I surprised? Well, this kind of issue is old, relatively easy to fix and, as explained by the guys of Apache Friends, they really cared about it in the installer, so finding nothing was expected.

After spending some time looking at installers I moved on to any application installed in the root of my C: drive. Why applications installed in C:\, you may ask! Well, any application installed directly in C:\ is writable by non-admin users (as far as I tested, and except for guest).
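The ACL behind that observation can be checked directly rather than by trial. This added example (not from the original post) parses `icacls` output and reports allow entries that give non-admin principals write access; the sample output, the `C:\xampp` path and the trusted-principal list are constructed assumptions.

```python
import re

# icacls prints each ACE as "<principal>:(flag)(flag)...(rights)".
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")
# Rights that allow creating or replacing files (F=full, M=modify, W=write,
# WD=write data/add file, AD=append data/add subdirectory, GA/GW=generic).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}
# Principals expected to hold write access; edit to match local policy.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM",
           r"NT SERVICE\TrustedInstaller", "CREATOR OWNER"}

# Constructed sample: output of `icacls C:\xampp` for a folder that inherited
# its ACL from the C:\ root (path and ACEs are assumptions for illustration).
SAMPLE_PATH = r"C:\xampp"
SAMPLE = r"""C:\xampp BUILTIN\Administrators:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         NT AUTHORITY\Authenticated Users:(I)(M)
         NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""


def writable_by_untrusted(path, icacls_output):
    """Return (principal, rights, scope) for allow-ACEs granting write access
    to principals outside TRUSTED."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is "<path> <first ACE>"
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if not match:
            continue                        # blank line or summary line
        groups = re.findall(r"\(([^)]+)\)", match["flags"])
        if "DENY" in groups:
            continue                        # deny ACEs do not grant anything
        hits = set(groups[-1].split(",")) & WRITE_RIGHTS
        if hits and match["who"] not in TRUSTED:
            # (IO) = inherit-only: applies to children, not the folder itself
            scope = "children only" if "IO" in groups else "this folder"
            findings.append((match["who"], sorted(hits), scope))
    return findings


if __name__ == "__main__":
    for who, rights, scope in writable_by_untrusted(SAMPLE_PATH, SAMPLE):
        print(f"{SAMPLE_PATH}: {who} has {','.join(rights)} ({scope})")
```

An empty result for an application folder means only the trusted principals can place files next to its executables, which is the state a fix should reach.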

It’s quite common to use DLL hijacking as a privilege escalation technique. If some requirements are fulfilled, it’s possible to compromise a normal user account, deploy a DLL in such a vulnerable application and wait until an admin executes it. If everything works right, you can have a reverse shell as admin at the end of the day!

Getting back to the research, the first (and last) application I tested was XAMPP. XAMPP is an open source package for Windows, Linux or OSX to easily install Apache, MariaDB, PHP, and Perl. The issue came up in the XAMPP control panel, where there are a lot (A LOT) of missing DLLs, as we can see in the image below:

To verify the issue I used a simple DLL that displays a message box on the screen. Some of the DLLs didn’t display it, but others did!
A short video explains the thing:

The problem was reported to the Apache Friends security team but, as explained by them, the XAMPP control panel is an application submitted by a XAMPP user, so they don’t have full control over it, and due to the low probability of this vulnerability being exploited they will keep the current control panel.

AAAAAAND that’s all folks 🙂