exploit-db-mirror/exploits/windows/local/44066.md
Offensive Security 36c084c351 DB: 2021-09-03
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

23 lines
No EOL
1.8 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Vulnerability Summary
The following advisory describes a DLL Hijacking vulnerability found in Dashlane.
Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The apps premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.”
## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
We have informed Dashlane of the vulnerability, their answer was: “Since there are many ways to load DLLs/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLLl/exe if you are privileged to write in the user %appdata%/…/dashlane directory, we wont change the current way of loading DLLs in the short term.”
At this time there is no solution or workaround for this vulnerability.
CVE: CVE-2017-11657
## Vulnerability details
When Dashlane starts on a Windows machine it tries to load a DLL (WINHTTP.dll) from the C:\Users\user\AppData\Roaming\Dashlane\ directory, if a malicious attacker puts the DLL in that directory Dashlane will load it and run the code found in it without giving the user any warning of it.
This happens because:
Dashlane does not provide the file WINHTTP.dll.
Writing in %appdata% doesnt require any special privileges, the file called WINHTTP.dll can be placed in the path C:\Users\user\AppData\Roaming\Dashlane\.
Since Dashlane can require admin privileges, an attacker can place the nwinhttp.dll and cause script/command execution as the current user (usually admin).