CVE-2020-9367 in Desktop Central MSP
Summary
by MITRE • 03/19/2021
The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
Analysis
by VulDB Data Team • 04/02/2021
CVE-2020-9367 affects Zoho ManageEngine Desktop Central MSP version 10.0.486. It is a critical DLL hijacking flaw that enables privilege escalation to SYSTEM-level access. Two executables in the MPS Agent component, dcinventory.exe and dcconfig.exe, load a dynamic link library improperly: they attempt to load CSUNSAPI.dll without specifying a complete absolute path, which lets a malicious actor manipulate the DLL loading process.
The vulnerability stems from the Windows DLL search order, which checks the directory containing the calling application first, then the system directories, and then the directories listed in the PATH environment variable. Because dcinventory.exe and dcconfig.exe do not specify the complete path to CSUNSAPI.dll, Windows searches these directories in sequence, allowing an attacker to place a malicious DLL with the same name in a directory that appears earlier in the search order. Since the legitimate CSUNSAPI.dll is missing from the installation, no genuine copy is found along the way, and a DLL substituted in the search path is the one that gets loaded.
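The search order described above can be audited from the defender's side. The following Python code is an added example, not code from Zoho, MITRE or VulDB: it walks a simplified search order (application directory, system directories, then PATH, as described above; real Windows resolution has further steps) and reports which copy of CSUNSAPI.dll would be found first. The function names and the directory layout built in demo() are constructed for illustration.

```python
import os
import tempfile

DLL_NAME = "CSUNSAPI.dll"  # library named in the advisory


def find_copies(dll_name, search_order):
    """Return (label, path) for each directory, in search order, that holds dll_name."""
    hits = []
    for label, directory in search_order:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable PATH entries are common; skip them
        for entry in entries:
            full = os.path.join(directory, entry)
            if entry.lower() == dll_name.lower() and os.path.isfile(full):
                hits.append((label, full))  # case-insensitive match, as on Windows
                break
    return hits


def audit(dll_name, app_dir, system_dirs, path_dirs):
    """Report which copy would resolve first and whether it lies outside trusted dirs."""
    order = [("application", app_dir)]
    order += [("system", d) for d in system_dirs]
    order += [("PATH", d) for d in path_dirs if d]
    hits = find_copies(dll_name, order)
    if not hits:
        return {"loaded_from": None, "suspicious": False, "copies": []}
    label, path = hits[0]
    # The affected build ships no CSUNSAPI.dll, so a copy that resolves from a
    # PATH directory did not come from the product or the operating system.
    return {"loaded_from": path, "suspicious": label == "PATH", "copies": hits}


def demo():
    """Constructed layout: agent and system dirs lack the DLL, one PATH dir has it."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("agent", "system32", "tools", "scripts")}
    for d in dirs.values():
        os.mkdir(d)
    open(os.path.join(dirs["scripts"], "csunsapi.DLL"), "wb").close()  # empty placeholder
    return audit(DLL_NAME, dirs["agent"], [dirs["system32"]],
                 [dirs["tools"], os.path.join(root, "gone"), dirs["scripts"]])


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the agent's installation directory, the Windows system directories and `os.environ["PATH"].split(os.pathsep)` to `audit()`; any hit reported as suspicious should be investigated together with the write permissions on its directory.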
This vulnerability maps directly to CWE-426 (Untrusted Search Path) in the Common Weakness Enumeration and aligns with ATT&CK technique T1068 (Exploitation for Privilege Escalation). The operational impact is severe: the flaw allows attackers to execute arbitrary code with the highest system privileges available, effectively granting them complete control over the affected system. With NT AUTHORITY\SYSTEM-level access, the attacker can bypass all standard security controls, access sensitive system resources, modify critical system files, and establish persistent access to the compromised environment.
The attack vector is relatively straightforward: it requires only the ability to write files to directories that are part of the Windows search path, or to place malicious DLLs in locations that will be searched before the legitimate library location. This makes the vulnerability particularly dangerous in environments where attackers have limited initial access but can leverage this flaw to gain system-level control. Organizations running Zoho ManageEngine Desktop Central MSP version 10.0.486 are at significant risk, as the vulnerability can be exploited by attackers with minimal technical expertise to achieve complete system compromise.
Remediation should start with immediate patching of the software to version 10.0.491 or later, which contains the fix for this DLL loading issue. Additionally, system administrators should implement proper access controls, monitor for suspicious DLL loading activity, and consider using application whitelisting to prevent unauthorized DLL execution. The vulnerability highlights the importance of proper DLL loading practices and demonstrates how seemingly minor implementation flaws can result in critical security consequences.