[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Evernote for Windows DLL Loading Remote Code Execution
From: Himanshu Mehta <mehta.himanshu21 () gmail ! com>
Date: 2016-10-14 6:50:47
Message-ID: CAAYZd=mMYyWXDSw=tvrGpAa18mNatBVDtQNyuH6hXmLrVFenrw () mail ! gmail ! com
[Download RAW message or body]
Aloha,
Summary
Evernote contains a DLL hijacking vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system. The vulnerability exists due to some DLL file is loaded by
'Evernote_6.1.2.2292.exe' improperly. And it allows an attacker to load
this DLL file of the attacker's choosing that could execute arbitrary code
without the user's knowledge.
Affected Product:
Evernote 6.1.2.2292
Fixed in: Evernote for Windows 6.3 (WINNOTE-15637
<https://evernote.com/security/updates/>)
Tested on: Windows 7
Impact
Attacker can exploit this vulnerability to load a DLL file of the
attacker's choosing that could execute arbitrary code. This may help
attacker to Successful exploit the system if user creates shell as a DLL.
Vulnerability Scoring Details
The vulnerability classification has been performed by using the CVSSv2
scoring system (http://www.first.org/cvss/).
Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Create a malicious 'dwmapi.dll' or 'ntmarta.dll' file and save it in
your "Downloads" directory.
2. Download 'Evernote_6.1.2.2292.exe' from and save it in your "Downloads"
directory.
3. Execute .exe from your "Downloads" directory.
4. Malicious dll file gets executed.
Chao!!
Himanshu Mehta
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic