Bitdefender Antivirus Free Edition DLL Hijacking

Type packetstorm
Reporter Himanshu Mehta
Modified 2016-07-13T00:00:00


Antivirus_Free_Edition_x64.exe loads and executes a DLL from its  
"application directory".  
For software downloaded with a web browser, the application directory is  
typically the user's "Downloads" directory: see <  
and <> for "prior art" about  
this well-known and well-documented vulnerability.  
If an attacker places a malicious DLL in the user's "Downloads" directory  
(for example via "drive-by download" or "social engineering"), this  
vulnerability becomes remote code execution.  
Proof of concept/demonstration:  
1. Create a malicious DLL file and save it in your "Downloads" directory.  
2. Download Antivirus_Free_Edition_x64.exe from  
and save it in your "Downloads" directory.  
3. Execute Antivirus_Free_Edition_x64.exe from your "Downloads" directory.  
4. The malicious DLL file gets executed.  
Vendor Confirmed: Yes  
Fixed Version: In Next Release.
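
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it lists files in a directory such as "Downloads" whose PE header marks them as DLLs, together with the executables stored beside them. The function names and the default path are assumptions of this example.

```python
"""Audit a directory (e.g. Downloads) for DLLs stored beside executables."""
import struct
import sys
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL


def pe_characteristics(path):
    """Return the COFF Characteristics field of a PE file, or None if not a PE."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return None
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            hdr = fh.read(24)  # "PE\0\0" signature + 20-byte COFF header
    except OSError:
        return None
    if len(hdr) < 24 or hdr[:4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", hdr, 22)[0]


def audit_directory(directory):
    """List PE DLLs in `directory` and the executables sitting next to them."""
    dlls, exes = [], []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        flags = pe_characteristics(entry)
        if flags is None:
            continue  # not a PE image, whatever its extension says
        if flags & IMAGE_FILE_DLL:
            dlls.append(entry.name)
        elif entry.suffix.lower() == ".exe":
            exes.append(entry.name)
    # An executable is only reported when a loadable DLL shares its directory.
    return {"dlls": dlls, "exposed_executables": exes if dlls else []}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Downloads"
    report = audit_directory(target)
    for name in report["dlls"]:
        print(f"DLL in application directory: {name}")
    for name in report["exposed_executables"]:
        print(f"Executable stored beside those DLLs: {name}")
```

Any DLL it reports in a download directory should be reviewed or removed before an installer is started from that directory; running installers from a fresh, empty directory avoids the condition altogether.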