VCL-ActiveDirectory4Delphi
VCL-ActiveDirectory4Delphi copied to clipboard
EdZava
VCL-ActiveDirectory4Delphi contain DLL hijacking vulnerability
Impact
High! VCL-ActiveDirectory4Delphi (current version) was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
Vulnerability
The file ActiveDirectory.Winapi.DllMapper.pas has two reference to import external DLL from the Windows OS activeds.dll and adsldpc.dll
Here is the current ActiveDirectory.Winapi.DllMapper.pas code:
ref: https://github.com/EdZava/VCL-ActiveDirectory4Delphi/blob/master/src/Winapi/ActiveDirectory.Winapi.DllMapper.pas#L93
Using the Process Monitor (procmon) it possible to see the external import of the binary TestActiveDirectory.exe on runtime execution.
highlighted in red, we can see that be default, if you do not set the path complete of variable, the DLL will be stored in the local directory of the executable, which in my case is C:\Users\mh4x0f\Desktop\activeds.dll and the result is NAME NOT FOUND becasue the file .dll" cannot be faulted into the current directory.
The vulnerability occurs because the VCL-ActiveDirectory4Delphi not set the complete path into code for import only from System32/x.dll
POC
The exploration can be simple in this demo I will show only exploit the activeds.dll but with same modification is possible to apply for adsldpc.dll.
I checked the source of this project the functions you are using that come from the activeds.dll and i found.
But the attacker can find this using some PE file explorer, i used the die.exe (detect it easy) checkout.
After that, I wrote a code .dll and proxy the functions that binary needed to work fine.
Then, i rename the project.dll to activeds.dll and moved it to the same path of executable TestActiveDirectory.exe
After that, it was only necessary to execute the binary TestActiveDirectory.exe that will see the calc.exe execution the same time.
Recommendation
The recommendation is to pass the complete path on System32, the change will force the search file activeds.dll to be in the system directory C:\Windows\System32\activeds.dll the same modification can be added for adsldpc.dll
@mh4x0f What an incredible job! 👏 I'll fix it as soon as possible.
Thank you very much for your contribution.
Hello @EdZava did you update the complete sources since this fantastic job of @mh4x0f ? Thank you !
@jmgway, I haven't been able to do it yet. But the project is open to contributions, so if you'd like to do it, we'd be happy to review and accept your PR.
HelloThanks for answering !Ok fine !Did you test it with FMX ?Jmichel Envoyé de mon iPhoneLe 8 oct. 2024 à 20:59, Zava @.***> a écrit : @jmgway, I haven't been able to do it yet. But the project is open to contributions, so if you'd like to do it, we'd be happy to review and accept your PR.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>
@jmgway It should work with FMX with little effort. However, it's important to note that this project uses Windows-specific libraries, so it would only work on that operating system.