Submit #164382: Captura v8.0.0 DLL Sideloading/hijacking via insecure search order

Title: Captura v8.0.0 DLL Sideloading/hijacking via insecure search order
Description: Hi team, during my research I found that Captura v8.0.0 is vulnerable to DLL hijacking due to the insecure search order of the DLL libraries loaded into the application, specifically the CRYPTBASE.dll library. The application searches for this DLL in the location in which the application is installed/located, which is readable and writable by authenticated users. The default location of Cryptbase.dll is within the system32 folder, which is supposed to be admin-only access. If the installation of the tool is located in Program Files for a specific user, or within a shared folder, a malicious threat actor could write a malicious CRYPTBASE.dll, resulting in DLL hijacking. PoC will be posted as soon as a CVE is assigned. I have spoken to one of your representatives about my attempt to contact the developer, but no response. The developer has a blog about the discontinued project, and this software is no longer supported, but still widely used by other people. The recommendation would be to find alternative tools that are still supported. Link to the open-source vulnerable software Captura v8.0.0 - https://github.com/MathewSachin/Captura No advisory link since the software is no longer supported, but I thought it might be worth reporting. I also developed a PoC that granted me a reverse shell.
User: ignatiusmichael (UID 28987)
Submission: 03.06.2023 18:02 (3 years ago)
Moderation: 04.06.2023 01:07 (7 hours later)
Status: Accepted
VulDB entry: 230668 [Captura up to 8.0.0 CRYPTBASE.dll privilege escalation]
Points: 17
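
A detection sketch for the behaviour the submission describes, added here as an example and not part of the submission or the Captura project: it flags image-load records where CRYPTBASE.dll is loaded from outside the Windows system directories. It assumes simplified records using the `Image`, `ImageLoaded` and `Signed` field names of Sysmon Event ID 7, a default `C:\Windows` system root, and constructed sample paths.

```python
import ntpath  # Windows path semantics on any host OS

# DLL named in the submission; it normally lives only in the system directories.
WATCHED_DLLS = {"cryptbase.dll"}
# Assumption: default SystemRoot of C:\Windows.
SYSTEM_DIRS = {ntpath.normcase(d) for d in (r"C:\Windows\System32", r"C:\Windows\SysWOW64")}

def classify_load(event):
    """Return a finding for a watched DLL loaded from outside the system dirs, else None."""
    loaded = ntpath.normcase(ntpath.normpath(event["ImageLoaded"]))
    image = ntpath.normcase(ntpath.normpath(event["Image"]))
    if ntpath.basename(loaded) not in WATCHED_DLLS:
        return None
    load_dir = ntpath.dirname(loaded)
    if load_dir in SYSTEM_DIRS:
        return None
    return {
        "process": event["Image"],
        "dll": event["ImageLoaded"],
        # True when the DLL sits beside the executable, the case the report describes.
        "from_app_dir": load_dir == ntpath.dirname(image),
        "signed": event.get("Signed", "false").lower() == "true",
    }

def find_suspicious_loads(events):
    """Filter a list of image-load records down to the suspicious ones."""
    return [f for f in map(classify_load, events) if f is not None]

# Constructed sample records (field names follow Sysmon Event ID 7; paths are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\Captura\captura.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"Image": r"C:\Tools\Captura\captura.exe",
     "ImageLoaded": r"C:\Tools\Captura\CRYPTBASE.dll", "Signed": "false"},
    {"Image": r"C:\Tools\Other\app.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\cryptbase.dll", "Signed": "false"},
    {"Image": r"C:\Tools\Other\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in find_suspicious_loads(SAMPLE_EVENTS):
        print(finding)
```

Paths are normalised before comparison, so a load path that only passes through `System32` via `..` is still flagged.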
