Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormHimanshu MehtaPACKETSTORM:145202
HistoryDec 04, 2017 - 12:00 a.m.

Amazon Audible DLL Hijacking

2017-12-0400:00:00
Himanshu Mehta
packetstormsecurity.com
37

EPSS

0.001

Percentile

46.8%

JSON
`Aloha,  
  
*Introduction:*  
Vendor: Amazon  
Affected Product: Audible Software for Windows PC  
Fixed in: Latest Version released by the vendor  
Vendor Website: https://www.audible.com/  
<https://www.audible.com/sw?pageFlowType=PC_WIZARD>  
Vulnerability Type: Privilege Escalation  
CVE: CVE-2017-17069  
Credit: Himanshu Mehta (@LionHeartRoxx)  
  
*Summary:*  
Audible contains a privilege escalation vulnerability that could allow an  
unauthenticated, remote attacker to execute arbitrary code on the targeted  
system and gain elevated privileges. The vulnerability exists due to some  
DLL file is loaded by 'ActiveSetupN.exe' improperly. And it allows an  
attacker to load this DLL file of the attackeras choosing that could  
execute arbitrary code without the user's knowledge.  
  
*Affected Product*:  
Audible Software for Windows PC  
  
*Tested on*: Windows 7  
  
*Impact:*  
Attacker can exploit this vulnerability to load a DLL file of the  
attacker's choosing that could execute arbitrary code. This may help  
attacker to successfully exploit the system if user creates shell as a DLL.  
  
*Vulnerability Scoring Details:*  
The vulnerability classification has been performed by using the CVSSv2  
scoring system (http://www.first.org/cvss/).  
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)  
  
  
*More Details*:  
For software downloaded with a web browser the application directory is  
typically the user's "Downloads" directory: see <  
https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-  
and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html  
>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about  
this well-known and well-documented vulnerability.  
  
If an attacker places malicious DLL in the user's "Downloads" directory  
(for example per "drive-by download" or "social engineering") this  
vulnerability becomes a remote code execution.  
  
*Proof of concept/demonstration*:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
1. Create a malicious 'dwmapi.dll' file and save it in your "Downloads"  
directory.  
  
2. Download 'ActiveSetupN.exe' from https://www.audible.com/sw?  
pageFlowType=PC_WIZARD and save it in your "Downloads" directory.  
  
3. Execute .exe from your "Downloads" directory.  
  
4. Malicious dll file gets executed.  
  
Chao!!  
Himanshu Mehta  
`

Related

prion 1
cvelist 1
nvd 1
cve 1
prion
prion
Design/Logic Flaw
2017-12-06 05:29:00
cvelist
cvelist
CVE-2017-17069
2017-12-06 05:00:00
nvd
nvd
CVE-2017-17069
2017-12-06 05:29:00
cve
cve
CVE-2017-17069
2017-12-06 05:29:00

EPSS

0.001

Percentile

46.8%

JSON
Related for PACKETSTORM:145202
prion1cvelist1nvd1cve1