| Title | Mobatek MobaXterm 26.1.0.5456 Uncontrolled Search Path -- DLL hijacking with msimg32.dll |
|---|---|
| Source | https://drive.google.com/file/d/17bbNDzfoD3NNPlUMkSYs8bVzVbbwddnU/view |
| User | haehanse (UID 95883) |
| Submission | 12.03.2026 18:21 (1 month ago) |
| Moderation | 17.04.2026 07:30 (1 month later) |
| Status | Accepted |
| VulDB Entry | 358020 [Mobatek MobaXterm Home Edition up to 26.1 msimg32.dll privilege escalation] |
| Points | 20 |

Description

Vulnerability Description:
A DLL Search Order Hijacking vulnerability has been identified in MobaXterm Personal Edition version 26.1.0.5456 (Portable). The vulnerability occurs because the application insecurely loads the system library msimg32.dll during the startup of MobaXterm_Personal_26.1.exe.
During initialization, the executable attempts to resolve the required library msimg32.dll using the default Windows DLL search order. Instead of explicitly loading the legitimate library from the Windows system directory (e.g., C:\Windows\SysWOW64), the application first searches for the DLL within its own application directory.
If a file named msimg32.dll exists in the same directory as MobaXterm_Personal_26.1.exe, the Windows loader will prioritize loading this local copy before the legitimate system library. Because the application does not enforce a secure loading mechanism (such as specifying an absolute path or using secure DLL loading flags), this behavior introduces a DLL hijacking condition.
As a result, an attacker with local filesystem access can place a malicious msimg32.dll into the application directory. When the application is launched, the malicious DLL will be loaded and executed within the context of the MobaXterm process.

Attack Scenario:
The vulnerability can be exploited by an attacker who is able to write files to the directory containing MobaXterm_Personal_26.1.exe. The attacker can craft a malicious msimg32.dll containing arbitrary code and place it in the same directory as the application executable.
When the user launches the application, Windows will load the attacker-supplied DLL instead of the legitimate system library due to the default DLL search order behavior. Consequently, the malicious code embedded in the DLL will execute within the context of the MobaXterm process.
In addition to direct local access, the vulnerability may also be exploitable through social engineering techniques. For example, an attacker could distribute a compressed archive or software bundle containing the application along with a crafted msimg32.dll, or trick a user into copying the malicious DLL into the application directory via file-sharing or download scenarios.
Once the application is executed, the malicious library will be loaded automatically without additional user interaction.

Impact:
Successful exploitation of this vulnerability allows arbitrary code execution in the security context of the user running the application.
If the application is executed with elevated privileges (for example, when the user launches the program using Run as Administrator), the malicious DLL will also execute with the same privilege level. In such cases, an attacker may be able to:
- Execute arbitrary commands on the affected system
- Establish reverse shell access
- Install persistence mechanisms
- Perform further post-exploitation activities
This may lead to local privilege escalation and full compromise of the affected system, depending on the execution context.

Proof of Concept (PoC):
The following steps demonstrate a basic exploitation workflow:
1. Create a malicious msimg32.dll containing attacker-controlled code.
2. Place the malicious DLL in the same directory as MobaXterm_Personal_26.1.exe.
3. Launch the application.
4. The malicious DLL will be loaded and executed instead of the legitimate system library.

Demonstration:
The accompanying Proof-of-Concept video demonstrates two exploitation scenarios:
1. Standard user execution – the application is launched under a normal user account, resulting in a reverse shell running with user-level privileges.
2. Elevated execution – the application is launched using Run as Administrator, resulting in a reverse shell with elevated privileges on the target system.
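The condition the submission describes (a DLL beside the executable shadowing a library that lives in the Windows system directories) can be checked for from the defender's side. The following PowerShell script is an added example, not part of the VulDB submission or of MobaXterm; it generalizes beyond msimg32.dll to any DLL name in the application folder that also exists in System32 or SysWOW64, and `$AppDir` is an assumed path to the portable MobaXterm folder.

```powershell
# Added example, not part of the VulDB submission: list DLLs in an application
# directory whose names also exist in the Windows system directories, i.e. files
# the default search order would load ahead of the system copy (msimg32.dll in
# this report). $AppDir is an assumed path; point it at the folder that holds
# MobaXterm_Personal_26.1.exe.
param(
    [string]$AppDir = 'C:\Tools\MobaXterm'
)

# System32 serves 64-bit images, SysWOW64 serves 32-bit images; collect both.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$systemDlls = @{}
foreach ($dir in $systemDirs) {
    Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }
}

# Every DLL beside the executable that shadows a system DLL name is a candidate;
# the Authenticode status, signer and hash let a responder tell a legitimate
# redistributable apart from a planted file.
$findings = Get-ChildItem -Path $AppDir -Filter '*.dll' -File |
    Where-Object { $systemDlls.ContainsKey($_.Name.ToLowerInvariant()) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $_.FullName
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTime
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }

if ($findings) {
    Write-Warning "System DLL names shadowed in $AppDir (possible DLL search-order hijack):"
    $findings | Format-Table Name, Signature, Signer, LastWrite -AutoSize
    $findings | Format-List Path, SHA256
} else {
    Write-Host "No system DLL names found in $AppDir."
}
```

An unsigned or non-Microsoft-signed msimg32.dll next to the executable is exactly the condition the report describes; signed runtime redistributables that also ship in System32 will be listed too and are triaged by their signer.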