SSD Advisory – LINE Corporation URI Handlers Remote Commands Execution

Vulnerabilities Summary
LINE for Windows, provided by LINE Corporation, specifies the path from which DLLs are read when the software launches. A user who clicks a specially crafted link can be made to insecurely load an arbitrary DLL, which can lead to arbitrary code execution.
Vendor Response
“We released version 5.8.0 of the modified version LINE PC version (Windows version) on May 31, 2018, and we have automatically updated for all users. The update will be applied automatically on the system side when using the product. Also, when installing the LINE PC version (Windows version) from now on please use the latest installer”.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

SSD Advisory – ZTE uSmartView DLL Hijacking

Vulnerability summary
The following advisory describes a DLL hijacking vulnerability found in ZTE uSmartView.
ZTE uSmartView offers: “ZTE provides full series of cloud computing products (including cloud terminals, cloud desktops, virtualization software, and cloud storage products) and end-to-end integrated product, which can be applied to different scenarios such as office, training classroom, multimedia classroom, and business hall.”
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
ZTE was notified on the 13th of August 2017. Several emails were exchanged, but no ETA for a fix or workaround has been provided for the following vulnerabilities.

SSD Advisory – Dashlane DLL Hijacking

Vulnerability Summary
The following advisory describes a DLL Hijacking vulnerability found in Dashlane.
Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The app’s premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.”
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We informed Dashlane of the vulnerability; their answer was: “Since there are many ways to load DLLs/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLL/exe if you are privileged to write in the user %appdata%/…/dashlane directory, we won’t change the current way of loading DLLs in the short term.”
At this time there is no solution or workaround for this vulnerability.
CVE: CVE-2017-11657

SSD Advisory – Internet Explorer 11 Rendering Engine DLL Hijacking

A DLL hijacking vulnerability is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading” attacks. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.
This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.
Vulnerability Details
The Microsoft Internet Explorer 11 rendering engine on Windows 7 contains a remote DLL hijacking vulnerability: it searches for a component that by default does not exist on the system. Although the search order is “safe”, the current directory is still included, which allows a DLL hijack vulnerability to exist. Several vectors exist, since the IE rendering engine is used by a lot of third-party software. In this proof of concept we will use HTML documents and SVG documents; it is also possible to use Word documents, but we will not show how to do this in this advisory.
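The following is an added example, not code from the advisory or from Microsoft: a small Python model of the standard Windows desktop DLL search order, showing why a component that does not exist on the system still resolves from the current directory under the “safe” order, and why a fully qualified path or a System32-only search does not. The directory names, DLL names and the `resolve` helper are constructed for illustration; KnownDLLs and already-loaded modules are left out of the model.

```python
import ntpath

SYSTEM32, SYSTEM16, WINDIR = r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"

def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directories tried, in order, for an unqualified DLL name.
    safe_mode models SafeDllSearchMode: it moves the current directory
    behind the system directories but does not remove it."""
    system = [SYSTEM32, SYSTEM16, WINDIR]
    middle = system + [cwd] if safe_mode else [cwd] + system
    return [app_dir] + middle + list(path_dirs)

def resolve(name, existing, app_dir, cwd, path_dirs=(),
            safe_mode=True, system32_only=False):
    """Return the path that would be loaded, or None if nothing matches.
    existing: set of lower-cased file paths on the modelled disk.
    system32_only models a load restricted to System32, as with
    LoadLibraryEx and LOAD_LIBRARY_SEARCH_SYSTEM32."""
    if ntpath.isabs(name):
        # Fully qualified path: no directory search takes place.
        return name if name.lower() in existing else None
    dirs = [SYSTEM32] if system32_only else search_order(
        app_dir, cwd, path_dirs, safe_mode)
    for directory in dirs:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing:
            return candidate
    return None

# Constructed sample data: one DLL that ships with the system and one that
# does not, with copies of both sitting in an untrusted working directory.
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"C:\Users\alice\Downloads"
DISK = {
    r"c:\windows\system32\sysdll.dll",
    r"c:\users\alice\downloads\sysdll.dll",
    r"c:\users\alice\downloads\absent.dll",
}

if __name__ == "__main__":
    for label, kwargs in [
        ("safe order, DLL exists in System32", dict(name="sysdll.dll")),
        ("safe order, DLL missing from system", dict(name="absent.dll")),
        ("System32-only search", dict(name="absent.dll", system32_only=True)),
        ("fully qualified path", dict(name=SYSTEM32 + r"\absent.dll")),
    ]:
        print(f"{label}: {resolve(existing=DISK, app_dir=APP_DIR, cwd=CWD, **kwargs)}")
```

The second case is the condition described above: the safe order only protects names that are found in an earlier directory, so a load of a nonexistent component falls through to the current directory.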