Advertisement






VMware ThinApp DLL Hijacking

CVE Category Price Severity
CVE-2021-22000 CWE-426 $5,000 High
Author Risk Exploitation Type Date
Cem Onat Karagun High Local 2021-07-16
CPE
cpe:cpe:/a:vmware:thinapp
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021070097

Below is a copy:

VMware ThinApp DLL Hijacking
A few months ago I disclosed IBM(R) Db2(R) Windows client DLL
Hijacking Vulnerability(0day) I found:


https://seclists.org/fulldisclosure/2021/Feb/73

In that post I mentioned the vulnerability did not get fully patched.

After I told IBM on hackerone that I disclosed it, hackerone asked me
to delete the post, IBM apologized and fully patched the
vulnerability.


But this is not the point today. I found a similar problem in
VMware-ThinApp-Enterprise-5.2.9-17340778.exe.

After install the software create C:\DummyTLS and rename a dll you
want to load to dummyTLS.dll and put it to C:\DummyTLS\dummyTLS.dll.

Run "C:\Program Files (x86)\VMware\VMware ThinApp\Setup Capture.exe"
and C:\DummyTLS\dummyTLS.dll will be loaded.
(other exe like log_monitor.exe/snapshot.exe vulnerable too).


This is also because they use code like:


LoadLibraryExW(L"\\DummyTLS\\dummyTLS.dll", 0, 0);

In short, Windows will treat relative path in LoadLibrary(and many
other functions) as the path rooted relative to the current disk
designator.

Let us look into code in ntdll.dll. The logic here is:
KernelBase!LoadLibraryExW->ntdll!LdrpLoadDll->ntdll!LdrpPreprocessDllName.
In LdrpPreprocessDllName after calling
RtlDetermineDosPathNameType_Ustr it will return 4(RtlPathTypeRooted).

And after calling LdrpGetFullPath we get "C:\DummyTLS\dummyTLS.dll"!

You should not call LoadLibrary with the relative path. In fact, using
relative path is dangerous in many cases.


This was fixed in 2021-07-13 as CVE-2021-22000 and the advisory is
here : https://www.vmware.com/security/advisories/VMSA-2021-0015.html.


For these vulnerabilities I will post a summary at https://houjingyi233.com.


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.