CyFox researchers have discovered a DLL planting/hijacking vulnerability in popular media center application Stremio, which could be exploited by attackers to execute code on the victim’s system, steal information, and more.
About the vulnerability
DLLs (dynamic link libraries) are files that can be dynamically linked and shared by multiple programs concurrently, and are crucial to Windows and many applications (including Stremio).
“They house standard functions shared by various applications, preventing code duplication and reducing executable file size. Moreover, DLLs grant access to system resources like device drivers, graphics processing, and networking. This modular approach optimizes memory management by loading DLLs into memory when necessary, minimizing the memory footprint of running applications,” CyFox researchers explained.
DLLs provide much of Windows’ functionality. When a user runs a program on Windows, the program looks for and uses the DLLs that it needs to run as intended.
The vulnerability the researchers discovered affects Stremio for Windows v4.4.
It arises from the use of two Windows API functions, LoadLibraryA and LoadLibraryExA. The latter enables attackers to plant malicious DLLs in the application directory.
They also identified four vulnerable DLL files: SspiCli.dll, RTWorkQ.dll, profapi.dll, and UMPDC.dll.
They used Msfvenom to produce a malicious .dll file that creates a reverse shell. After successfully transferring it to the remote target, they renamed it to UMPDC.dll and placed it in the C:\Users\%username%\Local\Programs\LNV\Stremio-4\ directory.
Effectively, if an attacker knows that a vulnerable Stremio version is installed on the system, they can program a DLL file that will achieve unauthorized access every time the system is powered on. And if the user executes the Stremio software with administrator rights, the attacker can get the same rights as the user.
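A defender can check an install directory for this condition. The following is an added example, not code from CyFox or Stremio: it flags files in an application directory that carry one of the four DLL names listed above and compares each against the system copy by hash. The function names and the constructed demo directories are assumptions; on a real host you would pass the Stremio install directory and the Windows System32 directory.

```python
import hashlib
import tempfile
from pathlib import Path

# The four DLL names the article lists as hijackable in Stremio for Windows v4.4.
# Windows file names are case-insensitive, so compare in lower case.
WATCHED = {"sspicli.dll", "rtworkq.dll", "profapi.dll", "umpdc.dll"}

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_shadowing_dlls(app_dir, system_dir, watched=WATCHED):
    """Report watched system DLL names found inside an application directory."""
    system = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = []
    for p in sorted(Path(app_dir).rglob("*")):
        name = p.name.lower()
        if not p.is_file() or name not in watched:
            continue
        ref = system.get(name)
        if ref is None:
            verdict = "no-system-copy"            # nothing to compare against
        elif sha256(ref) == sha256(p):
            verdict = "copy-of-system-dll"        # unusual location, same bytes
        else:
            verdict = "differs-from-system-dll"   # highest priority for triage
        findings.append({"path": str(p), "name": name, "verdict": verdict})
    return findings

def demo():
    # Constructed directories standing in for the install path and System32.
    with tempfile.TemporaryDirectory() as tmp:
        app, sysdir = Path(tmp) / "Stremio-4", Path(tmp) / "System32"
        app.mkdir()
        sysdir.mkdir()
        (sysdir / "umpdc.dll").write_bytes(b"constructed system library")
        (sysdir / "profapi.dll").write_bytes(b"constructed profapi")
        (app / "UMPDC.dll").write_bytes(b"constructed unexpected content")
        (app / "profapi.dll").write_bytes(b"constructed profapi")
        (app / "stremio.exe").write_bytes(b"constructed application binary")
        return [(f["name"], f["verdict"]) for f in find_shadowing_dlls(app, sysdir)]

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```

A hash match only shows the file equals the local system copy; any of these names appearing in a user-writable application directory is worth investigating.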
Possible attacks
Nir Yehoshua, Chief Researcher and Team Leader at CyFox, says that to exploit this DLL planting/hijacking vulnerability, an attacker has to first gain unauthorized access to the victim’s system so they can transfer the malicious DLL file to the software’s path and then wait for the user to run the vulnerable software.
“DLL hijacking vulnerabilities present a significant risk, as they enable attackers to execute arbitrary code with the privileges of the targeted application or even escalate their privileges on the system,” CyFox researchers added.
DLL hijacking can also be leveraged to steal sensitive information, achieve broader system compromise, and execute lateral movement, they noted.
Yehoshua told Help Net Security that CyFox has tried to reach the Stremio security team to share their discovery, but that they haven’t responded.
“It’s important to note that they tried to reach them three times. The lack of response means that the vendor didn’t release a security update that addresses the problem. Because the vendor didn’t respond to CyFox’s attempts at communication, and it’s been 90 days since they sent their first email, CyFox is able to publish their findings.”