SSD Advisory – Dashlane DLL Hijacking

Credit to Author: SSD / Maor Schwartz| Date: Thu, 03 Aug 2017 06:30:36 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes a DLL Hijacking vulnerability found in Dashlane.

Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The app’s premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.”

Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We have informed Dashlane of the vulnerability, their answer was: “Since there are many ways to load DLLs/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLLl/exe if you are privileged to write in the user %appdata%/…/dashlane directory, we won’t change the current way of loading DLLs in the short term.”

At this time there is no solution or workaround for this vulnerability.

CVE: CVE-2017-11657

Vulnerability details
When Dashlane starts on a Windows machine it tries to load a DLL (WINHTTP.dll) from the C:UsersuserAppDataRoamingDashlane directory, if a malicious attacker puts the DLL in that directory Dashlane will load it and run the code found in it – without giving the user any warning of it.

This happens because:

  • Dashlane does not provide the file WINHTTP.dll.
  • Writing in %appdata% doesn’t require any special privileges, the file called WINHTTP.dll can be placed in the path C:UsersuserAppDataRoamingDashlane.
  • Since Dashlane can require admin privileges, an attacker can place the nwinhttp.dll and cause script/command execution as the current user (usually admin).
Print Friendly, PDF & Email

https://blogs.securiteam.com/index.php/feed