CVE-2017-11742 in expat

Summary

by MITRE

The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.


Analysis

by VulDB Data Team • 12/14/2022

The vulnerability identified as CVE-2017-11742 is a critical privilege escalation flaw in the Expat XML parser library, versions 2.2.1 and 2.2.2, on Windows systems. It stems from improper handling of dynamic library loading in the writeRandomBytes_RtlGenRandom function in xmlparse.c, which creates an exploitable untrusted search path condition that lets local attackers execute malicious code with elevated privileges. The flaw specifically affects systems where the Expat library is used for XML processing and where the application that loads the vulnerable library runs with elevated privileges.

The technical root cause lies in the insecure dynamic library loading performed when Expat generates random bytes for cryptographic purposes. When the writeRandomBytes_RtlGenRandom function executes, it loads ADVAPI32.DLL by name only, without a full path, and so relies on the Windows library search order to locate it. Because that search order checks the current working directory before the system directories, an attacker can place a malicious ADVAPI32.DLL in the same directory as the vulnerable application and have it loaded in place of the genuine one. This behavior is an instance of CWE-426 (Untrusted Search Path), in which a command or API locates a resource through a path an attacker can influence and thereby allows code to be injected into the process; it maps directly to the DLL hijacking attack pattern.

The operational impact is significant: a local attacker can escalate from standard user level to system level execution. Exploitation consists of placing a malicious ADVAPI32.DLL in the directory where an application using the vulnerable Expat library is executed, particularly when that application runs with elevated privileges. The result is a persistent threat vector, since the attacker's DLL is loaded and executed every time the vulnerable application performs an XML parsing operation that triggers the random byte generation function. The attack requires no network connectivity and is carried out entirely locally, which makes it particularly dangerous in environments where applications run with administrative privileges.

From a cybersecurity perspective, this vulnerability demonstrates the importance of safe DLL loading practices and of adherence to the principle of least privilege: the flaw lets an attacker bypass traditional security controls by exploiting the trusted search path behavior of Windows applications. Organizations should patch to Expat 2.2.3 or later, where the vulnerability is resolved through proper path resolution for dynamic library loading. System administrators should additionally employ application whitelisting solutions, monitor for suspicious DLL loading activity, and ensure that applications running with elevated privileges are never executed from directories writable by unprivileged users. The vulnerability also highlights the need for comprehensive security testing of third-party libraries, particularly those handling cryptographic operations, and aligns with the ATT&CK techniques covering privilege escalation through DLL hijacking and malicious file execution.
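As an added defender-side check (not VulDB's or Expat's code), the following PowerShell script audits the directories from which elevated applications are launched for the two conditions the analysis calls out: a non-system copy of ADVAPI32.DLL, and write access for unprivileged principals. The directory list and the set of principals treated as unprivileged are assumptions supplied by the caller and may need tuning per environment.

```powershell
# Added audit helper, not VulDB's or Expat's code. The directories to audit
# (where elevated, Expat-linked applications are launched from) are supplied
# by the caller; the principal list below is an assumption about what counts
# as "unprivileged" and may need tuning for a given environment.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $AppDirectories
)

$systemCopy = Join-Path $env:SystemRoot 'System32\advapi32.dll'
$systemHash = (Get-FileHash -LiteralPath $systemCopy -Algorithm SHA256).Hash

# Principals that should never be able to create files where an elevated
# process starts, since a planted advapi32.dll there would be picked up
# ahead of the genuine one.
$unprivileged = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$createFiles  = [System.Security.AccessControl.FileSystemRights]::CreateFiles

foreach ($dir in $AppDirectories) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Skipping missing directory: $dir"
        continue
    }

    # Finding 1: an advapi32.dll outside the system directories is a
    # DLL-planting indicator; compare its hash with the System32 copy.
    $stray = Join-Path $dir 'advapi32.dll'
    if (Test-Path -LiteralPath $stray -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $stray -Algorithm SHA256).Hash
        $detail = if ($hash -eq $systemHash) { 'hash matches System32 copy' } else { 'hash DIFFERS from System32 copy' }
        [pscustomobject]@{ Directory = $dir; Finding = 'Non-system advapi32.dll present'; Detail = $detail }
    }

    # Finding 2: an Allow ACE granting CreateFiles (also implied by Modify and
    # FullControl) to an unprivileged principal makes the directory plantable.
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($unprivileged -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $createFiles) -ne 0) {
            [pscustomobject]@{ Directory = $dir; Finding = 'Writable by unprivileged principal'; Detail = $ace.IdentityReference.Value }
        }
    }
}
```

Run it with the launch directories of elevated applications that embed Expat; an empty result means neither condition was found in those directories.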

Reservation

07/30/2017

Disclosure

07/30/2017

Moderation

accepted

CPE

ready

EPSS

0.00019

KEV

no

Activities

very low
