exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe Flash Player DLL Hijacking

Adobe Flash Player DLL Hijacking
Posted Jun 17, 2016
Authored by Stefan Kanthak

Adobe Flash Player versions prior to 22.0.0.192 and 18.0.0.360 suffer from a DLL hijacking vulnerability.

tags | exploit
systems | windows
advisories | CVE-2016-1014
SHA-256 | f6c1e0db1cf0414a2c4e623656746bf18311c21d232ce0247945fb82f69047ed

Adobe Flash Player DLL Hijacking

Change Mirror Download
Hi @ll,

the executable (un)installers for Flash Player before version
22.0.0.192 and 18.0.0.360 (both released on 2016-06-15) are
vulnerable to DLL hijacking: they load and execute multiple
Windows system DLLs from their "application directory" instead
of Windows' "system directory" %SystemRoot%\System32\.

On Windows 7 and before they also (try to) load PCACli.dll and
API-MS-Win-Downlevel-Shell32-l1-1-0.dll from the PATH:
PCACli.Dll and API-MS-Win-Downlevel-Shell32-l1-1-0.dll are not
present there, these DLLs were first shipped with Windows 8.

On Windows XP and before they additionally try to load DWMAPI.dll,
PropSys.dll, DevRtl.dll and RPCRTRemote.dll from the PATH: these
DLLs were first shipped with Windows Vista.


See <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html> and
<https://capec.mitre.org/data/definitions/471.html> for details
about this well-known and well-documented beginner's error!


Due to the application manifest embedded in the executables which
specifies "requireAdministrator" the installers are run with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password); execution of the DLLs therefore results
in an escalation of privilege!


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit (and read) <http://home.arcor.de/skanthak/sentinel.html>,
then download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
and save it as PCACli.dll, API-MS-Win-Downlevel-Shell32-l1-1-0.dll,
DWMAPI.dll, RPCRTRemote.dll, OLEAcc.dll, PSAPI.dll, SetupAPI.dll,
ClbCatQ.dll, WSock32.dll, WS2_32.dll, HNetCfg.dll, DNSAPI.dll,
IPHlpAPI.dll, RASAPI32.dll, SensAPI.dll, RASAdHlp.dll, RASMan.dll
plus UserEnv.dll, COMRes.dll, WS2Help.dll, TAPI32.dll, RTUtils.dll
SAMLib.dll and WinMM.dll in your "Downloads" directory;

2. fetch the (un)installers for Flash Player released before 2016-06-15
from Adobe's web site and save them in your "Downloads" directory;

3. run the (un)installers downloaded in step 2 and notice the message
boxes displayed from the DLLs placed in step 1.

PWNED!


JFTR: since the (un)installers are 32-bit programs and (un)install
both the 32-bit and 64-bit versions of Flash Player this POC
works on 64-bit Windows too.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-03-12 first vulnerability report sent to Adobe

2016-03-13 Adobe acknowledged the receipt

2016-04-06 Adobe informed about the upcoming patch to be released
2016-04-07 and the assignment of CVE-2016-1014

2016-04-17 second vulnerability report sent to Adobe: the "fixed"
(un)installers are still vulnerable, they just load
some other DLLs now

2016-04-20 Adobe confirmed the second report and announced to fix
the vulnerability in the June update

2016-06-15 Adobe released fixed (un)installers

2016-06-17 report published
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    21 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close