Bitdefender Antivirus Free Edition DLL Hijacking

2016-07-13T00:00:00
ID PACKETSTORM:137900
Type packetstorm
Reporter Himanshu Mehta
Modified 2016-07-13T00:00:00

Description

                                        
`Aloha,  
  
Antivirus_Free_Edition_x64.exe loads and executes DLLs from its  
"application directory".  
  
For software downloaded with a web browser, the application directory is  
typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about  
this well-known and well-documented vulnerability.  
  
  
If an attacker places a malicious DLL in the user's "Downloads" directory  
(for example via "drive-by download" or "social engineering"), this  
vulnerability becomes remote code execution.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. Create a malicious DLL file and save it in your "Downloads" directory.  
  
2. Download Antivirus_Free_Edition_x64.exe from  
http://www.bitdefender.com/solutions/free.html  
and save it in your "Downloads" directory.  
  
3. Execute Antivirus_Free_Edition_x64.exe from your "Downloads" directory.  
  
4. The malicious DLL file gets executed.  
  
Vendor Confirmed: Yes  
Fixed Version: In Next Release.  
  
Chao!!  
`
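
A defender-side check for the condition described above, added here as an example and not part of the original advisory: it reads PE headers to find DLL images that sit in the same directory as executables, which is the state a "Downloads" directory is in before a planted DLL can be loaded. The function names and the sample file names are assumptions, and the sample files are constructed header stubs, not real binaries.

```python
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks an image as a DLL

def pe_kind(path):
    """Classify a file as 'dll', 'exe' or None from its PE headers, not its name."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return None
            f.seek(struct.unpack_from("<I", dos, 0x3C)[0])  # e_lfanew
            nt = f.read(24)  # 4-byte PE signature + 20-byte COFF header
    except OSError:
        return None
    if len(nt) < 24 or nt[:4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", nt, 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def audit_directory(directory):
    """Report DLL images sharing a directory with executables that may be run there."""
    kinds = {p.name: pe_kind(p) for p in Path(directory).iterdir() if p.is_file()}
    exes = sorted(n for n, k in kinds.items() if k == "exe")
    dlls = sorted(n for n, k in kinds.items() if k == "dll")
    return {"executables": exes, "dlls": dlls, "at_risk": bool(exes and dlls)}

def fake_pe(characteristics):
    """Constructed sample: header bytes only, enough for pe_kind(), not loadable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff

def demo():
    """Build a constructed 'Downloads' directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "setup_sample.exe").write_bytes(fake_pe(0x0022))
        (root / "sample_lib.dll").write_bytes(fake_pe(0x2022))
        (root / "notes.dll").write_bytes(b"plain text, not a PE image")
        return audit_directory(root)

if __name__ == "__main__":
    print(demo())
```

To audit a real profile, call `audit_directory(Path.home() / "Downloads")` before running any downloaded installer from that directory.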