VCL-ActiveDirectory4Delphi icon indicating copy to clipboard operation
VCL-ActiveDirectory4Delphi copied to clipboard

Published 20 hours ago verified publisher icon EdZava

VCL-ActiveDirectory4Delphi contain DLL hijacking vulnerability

Open mh4x0f opened this issue 8 months ago • 2 comments

Impact

High! VCL-ActiveDirectory4Delphi (current version) was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.

Vulnerability

The file ActiveDirectory.Winapi.DllMapper.pas has two reference to import external DLL from the Windows OS activeds.dll and adsldpc.dll

Here is the current ActiveDirectory.Winapi.DllMapper.pas code:

image ref: https://github.com/EdZava/VCL-ActiveDirectory4Delphi/blob/master/src/Winapi/ActiveDirectory.Winapi.DllMapper.pas#L93

Using the Process Monitor (procmon) it possible to see the external import of the binary TestActiveDirectory.exe on runtime execution.

image

highlighted in red, we can see that be default, if you do not set the path complete of variable, the DLL will be stored in the local directory of the executable, which in my case is C:\Users\mh4x0f\Desktop\activeds.dll and the result is NAME NOT FOUND becasue the file .dll" cannot be faulted into the current directory.

The vulnerability occurs because the VCL-ActiveDirectory4Delphi not set the complete path into code for import only from System32/x.dll

POC

The exploration can be simple in this demo I will show only exploit the activeds.dll but with same modification is possible to apply for adsldpc.dll.

I checked the source of this project the functions you are using that come from the activeds.dll and i found. image

But the attacker can find this using some PE file explorer, i used the die.exe (detect it easy) checkout.

image

After that, I wrote a code .dll and proxy the functions that binary needed to work fine.

image

Then, i rename the project.dll to activeds.dll and moved it to the same path of executable TestActiveDirectory.exe

image

After that, it was only necessary to execute the binary TestActiveDirectory.exe that will see the calc.exe execution the same time.

image

Recommendation

The recommendation is to pass the complete path on System32, the change will force the search file activeds.dll to be in the system directory C:\Windows\System32\activeds.dll the same modification can be added for adsldpc.dll

mh4x0f avatar Nov 01 '23 16:11 mh4x0f