CVE-2018-18913 in Web Browser
Summary
by MITRE
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location within the system. The issue lies in the loading of the shcore.dll and dcomp.dll files: these files are being searched for by the program in the same system-wide directory where the HTML file is executed.
Analysis
by VulDB Data Team • 06/01/2020
This vulnerability is a critical DLL search order hijacking flaw in Opera releases prior to 57.0.3098.106; it falls under CWE-426, the weakness category for insecure library loading. The attacker crafts a ZIP archive containing an HTML page together with a specially crafted DLL named shcore.dll or dcomp.dll. When the user opens the HTML document, the browser resolves these system libraries from the directory containing the HTML file rather than from the system's protected library search path. The result is attacker-controlled code running with the privileges of the victim user, regardless of where on the system the archive was extracted, potentially leading to complete system compromise.
The attack relies on the Windows DLL search order, the fixed sequence of directories the loader walks when resolving a library dependency. According to the advisory, when Opera attempts to load shcore.dll or dcomp.dll it searches the directory from which the HTML file was opened before the system directories, so a malicious DLL placed alongside the HTML content is the one that gets loaded and the browser executes attacker-controlled code. The flaw is particularly dangerous because the trigger is an ordinary user action, such as opening a seemingly benign web page or document, which makes it well suited to social engineering campaigns.
The operational impact extends beyond privilege escalation: the foothold can be used for credential theft, system reconnaissance and persistent backdoor installation. Mapped to the ATT&CK framework, the vulnerability corresponds to T1059 (command and scripting interpreter) and T1068 (exploitation for privilege escalation), and it can also support lateral movement through T1078 (valid accounts) and T1105 (remote file execution). The attack can be launched from any location on the compromised system and, depending on the victim's privileges and system configuration, may escalate from a standard user account to SYSTEM-level access.
Mitigation should cover both immediate remediation and longer-term hardening. The primary fix is updating to Opera 57.0.3098.106 or later, which corrects the insecure DLL loading behavior through a proper library search order. Administrators should additionally apply application control, using tools such as AppLocker or Software Restriction Policies, to prevent unauthorized DLLs in user directories from being loaded. Network-level controls such as web proxies and content filtering can block ZIP archives with suspicious file combinations, such as an HTML page bundled with a DLL. Security awareness training remains important so that users do not open such documents, and regular audits should confirm that no rogue DLLs have been placed in system directories or user working directories. The case also underlines the value of secure coding guidance, such as the OWASP Secure Coding Guidelines, on library loading and dynamic code execution.
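The "suspicious file combinations" check from the mitigation paragraph, as an added example that is not VulDB's, Opera's or MITRE's code: it reads only the listing of a ZIP archive (nothing is extracted) and flags a shcore.dll or dcomp.dll that sits in the same directory as an HTML file, the layout the advisory describes. The DLL names come from the advisory; the sample archives and the `find_hijack_pairs`/`build_sample_zip` helpers are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# System libraries the advisory names as resolved from the HTML file's directory
# by Opera before 57.0.3098.106. Constructed watch-list for this example.
HIJACKABLE_DLLS = {"shcore.dll", "dcomp.dll"}
HTML_SUFFIXES = {".htm", ".html"}


def find_hijack_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return sorted (html_path, dll_path) pairs for every watch-listed DLL that
    shares an archive directory with an HTML file. Names are compared
    case-insensitively because the Windows loader is case-insensitive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict[str, list[PurePosixPath]] = {}
    for name in members:
        path = PurePosixPath(name)
        by_dir.setdefault(str(path.parent), []).append(path)
    pairs = []
    for entries in by_dir.values():
        htmls = [p for p in entries if p.suffix.lower() in HTML_SUFFIXES]
        dlls = [p for p in entries if p.name.lower() in HIJACKABLE_DLLS]
        pairs.extend((str(h), str(d)) for h in htmls for d in dlls)
    return sorted(pairs)


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one mirrors the advisory's layout, one is benign
# because the DLL does not sit beside the HTML file.
SUSPICIOUS_ZIP = build_sample_zip({
    "invoice/index.html": b"<html><body>see attachment</body></html>",
    "invoice/shcore.dll": b"MZ" + b"\x00" * 62,  # placeholder bytes, not a real DLL
})
BENIGN_ZIP = build_sample_zip({
    "report/index.html": b"<html></html>",
    "report/styles.css": b"body{}",
    "lib/shcore.dll": b"MZ" + b"\x00" * 62,      # different directory from the HTML
})

if __name__ == "__main__":
    print(find_hijack_pairs(SUSPICIOUS_ZIP))  # [('invoice/index.html', 'invoice/shcore.dll')]
    print(find_hijack_pairs(BENIGN_ZIP))      # []
```

A proxy or mail gateway would quarantine an archive for which the function returns a non-empty list; the watch-list can be extended with other system DLL names known to be hijackable.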