{"id": "PACKETSTORM:163521", "type": "packetstorm", "bulletinFamily": "exploit", "title": "VMware ThinApp DLL Hijacking", "description": "", "published": "2021-07-16T00:00:00", "modified": "2021-07-16T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/163521/VMware-ThinApp-DLL-Hijacking.html", "reporter": "houjingyi", "references": [], "cvelist": ["CVE-2021-22000"], "immutableFields": [], "lastseen": "2021-07-16T15:00:56", "viewCount": 108, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-22000"]}, {"type": "vmware", "idList": ["VMSA-2021-0015"]}], "rev": 4}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-22000"]}]}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/163521/vmwarethinapp-dllhijack.txt", "sourceData": "`A few months ago I disclosed IBM(R) Db2(R) Windows client DLL \nHijacking Vulnerability(0day) I found: \n \n \nhttps://seclists.org/fulldisclosure/2021/Feb/73 \n \nIn that post I mentioned the vulnerability did not get fully patched. \n \nAfter I told IBM on HackerOne that I disclosed it, HackerOne asked me \nto delete the post, IBM apologized and fully patched the \nvulnerability. \n \n \nBut this is not the point today. I found a similar problem in \nVMware-ThinApp-Enterprise-5.2.9-17340778.exe. \n \nAfter installing the software, create C:\\DummyTLS, rename a DLL you \nwant to load to dummyTLS.dll and put it at C:\\DummyTLS\\dummyTLS.dll. \n \nRun \"C:\\Program Files (x86)\\VMware\\VMware ThinApp\\Setup Capture.exe\" \nand C:\\DummyTLS\\dummyTLS.dll will be loaded. \n(other executables like log_monitor.exe/snapshot.exe are vulnerable too). 
\n \n \nThis is also because they use code like: \n \n \nLoadLibraryExW(L\"\\\\DummyTLS\\\\dummyTLS.dll\", 0, 0); \n \nIn short, Windows will treat a relative path in LoadLibrary (and many \nother functions) as a path rooted relative to the current disk \ndesignator. \n \nLet us look into the code in ntdll.dll. The logic here is: \nKernelBase!LoadLibraryExW->ntdll!LdrpLoadDll->ntdll!LdrpPreprocessDllName. \nIn LdrpPreprocessDllName after calling \nRtlDetermineDosPathNameType_Ustr it will return 4 (RtlPathTypeRooted). \n \nAnd after calling LdrpGetFullPath we get \"C:\\DummyTLS\\dummyTLS.dll\"! \n \nYou should not call LoadLibrary with a relative path. In fact, using \na relative path is dangerous in many cases. \n \n \nThis was fixed on 2021-07-13 as CVE-2021-22000 and the advisory is \nhere: https://www.vmware.com/security/advisories/VMSA-2021-0015.html. \n \n \nFor these vulnerabilities I will post a summary at https://houjingyi233.com. \n \n \n`\n", "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659753002}}
{"vmware": [{"lastseen": "2022-05-26T00:56:14", "description": "3\\. VMware ThinApp update addresses a DLL hijacking vulnerability (CVE-2021-22000) \n\nVMware ThinApp contains a DLL hijacking vulnerability due to insecure loading of DLLs. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "vmware", "title": "VMware ThinApp update addresses a DLL hijacking vulnerability (CVE-2021-22000)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22000"], "modified": "2021-07-13T00:00:00", "id": "VMSA-2021-0015", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0015.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-07-07T14:31:40", "description": "VMware Thinapp version 5.x prior to 5.2.10 contain a DLL hijacking vulnerability due to insecure loading of DLLs. 
A malicious actor with non-administrative privileges may exploit this vulnerability to elevate privileges to administrator level on the Windows operating system having VMware ThinApp installed on it.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-13T19:15:00", "type": "cve", "title": "CVE-2021-22000", "cwe": ["CWE-427"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22000"], "modified": "2022-06-28T14:11:00", "cpe": [], "id": "CVE-2021-22000", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22000", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}]}