A vulnerability has been found in ExifTool 8.32 and classified as critical. This vulnerability affects an unknown function in the library ws32_32.dll of the file %TEMP%\par-%username%\cache-exiftool-8.32. The manipulation with an unknown input leads to a uncontrolled search path vulnerability. The CWE definition for the vulnerability is CWE-427. The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\par-%username%\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).

The bug was discovered 12/21/2018. The weakness was disclosed 01/02/2019 as not defined mailinglist post (Full-Disclosure). The advisory is shared for download at seclists.org. This vulnerability was named CVE-2018-20211 since 12/18/2018. The attack needs to be approached locally. The successful exploitation requires a single authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1574.

The vulnerability was handled as a non-public zero-day exploit for at least 12 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Name

• ExifTool

Version

• 8.32

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion