logesh1402

Installshield 2018 DLL hijacking vulnerability

Invoking the 'DialogSetInfo ( nInfoType, szInfoString, nParameter )' method before calling any dialogs in InstallScript projects (even tried along with SdInit() as per the documentation) is vulnerable to DLL hijacking, which will result in privilege escalation and remote code execution.

Placing the crafted DLL in any environment path folder and digging with the help of Process Monitor, we can find that the exe starts searching for a DLL named !.DLL, which is not present in any of the trusted Windows directories.

Steps To Reproduce:
1. Create a crafted DLL with a reverse shell payload / calc execution.
2. Place the DLL in any environment path folder.
3. Create a new InstallScript project in InstallShield 2018 R2 and add the line below before invoking dialogs (typically before the welcome panel):

   DialogSetInfo (DLG_INFO_ALTIMAGE, SUPPORTDIR ^ "wizardlogo.bmp", FALSE);

4. Build and try installing the exe (in my case the exploited DLL launches calc.exe).

Based on the analysis, the missing DLL named !.DLL is the root cause of this vulnerability.
We can't find any usage details of !.DLL.
The DLL file is attached for reference.



Thanks,
Logesh E.

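The post locates the problem by watching the installer's DLL lookups in Process Monitor. As an added example (not part of the original report or of InstallShield), the script below runs that triage over a Process Monitor CSV export: it flags any DLL a process failed to find in the trusted Windows directories and then either loaded from elsewhere (the planting case described above) or never found at all. The CSV rows, process name, PID and paths are constructed for the example; the trusted-directory list is an assumption based on the default search order.

```python
import csv
import io
import ntpath
from typing import Dict, List, Optional

# Constructed Process Monitor CSV export (File > Save, CSV format). The paths,
# PID and times are made up for this example, not captured from the report.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","setup.exe","4120","CreateFile","C:\\Windows\\System32\\!.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.101","setup.exe","4120","CreateFile","C:\\Windows\\System\\!.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.102","setup.exe","4120","CreateFile","C:\\Windows\\!.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.103","setup.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Tools\\!.DLL","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.104","setup.exe","4120","Load Image","C:\\Users\\alice\\AppData\\Local\\Tools\\!.DLL","SUCCESS","Image Base: 0x7ffa10000000, Image Size: 0x20000"
"10:01:02.105","setup.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.106","setup.exe","4120","CreateFile","C:\\Windows\\System32\\MISSINGDEP.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"""

# Directories where a DLL load is expected (assumption): the Windows
# directories that the default search order checks before %PATH%.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\windows\\")


def _is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_dll_planting_candidates(csv_text: str) -> List[Dict]:
    """One record per (process, dll) that was missing from every trusted
    directory it was probed in; loaded_from is the non-trusted path the image
    was finally loaded from, or None if it was never found at all."""
    misses: Dict[tuple, List[str]] = {}
    loaded: Dict[tuple, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        key = (row["Process Name"], ntpath.basename(path).lower())
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND" and _is_trusted(path):
            misses.setdefault(key, []).append(path)
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            loaded[key] = path
    findings = []
    for (process, dll), missing_in in misses.items():
        src: Optional[str] = loaded.get((process, dll))
        if src is not None and _is_trusted(src):
            continue  # eventually satisfied from a trusted directory: a normal lookup
        findings.append({"process": process, "dll": dll, "missing_in": missing_in, "loaded_from": src})
    return findings


if __name__ == "__main__":
    for hit in find_dll_planting_candidates(SAMPLE_PROCMON_CSV):
        print(f"{hit['process']}: {hit['dll']} missing in {len(hit['missing_in'])} trusted dirs, loaded from {hit['loaded_from']}")
```

A load resolved outside the trusted directories after misses in System32 is the signature of the planting described in the post; a DLL that is only ever NAME NOT FOUND is the unexplained dependency the report attributes the issue to, and the fix on the vendor side is to stop the lookup or load it by full path.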
Jenifer
Flexera Alumni

Hi @logesh1402 ,

To get more details of the issue:

  • You created your own DLL which launches calc (what is the name of this DLL? Hopefully the mentioned exploited DLL is this one).
  • You are using an InstallScript project?
  • Did you rename the DLL file to !.dll? If not, how did you get that file?

With precise details in place, it will help us to assist you more!

Thanks,

Jenifer
