ASUS ROG Armoury Crate ships with a service called Armoury Crate Lite Service which suffers from a phantom DLL hijacking vulnerability that allows a low privilege user to execute code in the context of other users, administrators included. The vulnerability has been assigned ID CVE-2021-40981. The issue has been fixed with the release of Armoury Crate Lite Service 4.2.10. To trigger the vulnerability, an administrator must log in after the attacker has placed the malicious DLL at the path C:\ProgramData\ASUS\GamingCenterLib\.DLL.

Greetings fellow hackers, last here! Recently I’ve been looking for vulnerabilities here and there - too much free time maybe? Specifically, I focused on hunting for DLL hijackings in privileged processes, as they usually lead to a local privilege escalation.

A DLL hijacking revolves around forcing a process to run an attacker controlled DLL instead of the legitimate DLL the process is trying to load, nothing more. To make a process load your DLL you have to control the path from which said DLL is loaded. There are essentially two kinds of DLL hijackings: standard DLL hijackings and phantom DLL hijackings. The main difference is that in standard ones the legitimate DLL exists and is overwritten or proxied by the attacker’s DLL, while in phantom DLL hijackings the process tries to load a non-existing DLL, hence the attacker can just drop its malicious DLL in the path and call it a day.

By messing with Process Monitor I ended up finding a phantom DLL hijacking in ASUS ROG Armoury Crate, a software commonly installed in gaming PCs with a TUF/ROG motherboard to manage LEDs and fans. Last year I assembled a PC with an ASUS TUF motherboard, so I have this software installed. This kind of software is usually poorly designed from a security perspective - not shaming ASUS here, it’s just a matter of fact as gaming software is usually not designed with security in mind, it has to be flashy and eye-catching - so I ended up focusing my effort on this particular piece of software.

At login time, Armoury Crate’s own service, called Armoury Crate Lite Service, spawns a number of processes; the ones that caught my eye, though, were the service’s own process and a child process it spawns. As you can see in the next screenshot, the first runs as SYSTEM as it’s the process of the service itself, while the second runs at High integrity (i.e. elevated) if the current user is an administrator, or Medium integrity if the user is a low privilege one. Keep this in mind, we will come back to it later.

Now that we have laid down our targets, let’s look at how we are going to approach the research. The methodology we will use is the following:

1. Look for CreateFile operations failing with a “NO SUCH FILE” or “PATH NOT FOUND” code.
2. Inspect the operation to make sure it happens as a result of a call to a LoadLibrary-like function. CreateFile-like calls in Windows are not used only to create new files, but also to open existing ones.
3. Make sure we can write to - or create - the path from which the DLL is loaded.

Hunting for this type of vulnerability is actually fairly easy and requires little effort. As I have explained in this Twitter thread, you just have to fire up Process Monitor with admin privileges, set some filters and then investigate the results.

Let’s start from the filters: since we are focusing on phantom DLL hijackings, we want to see all the privileged processes failing to load a DLL with an error like “PATH NOT FOUND” or “NO SUCH FILE”. To do so, go to the menu bar, Filter->Filter, and add the rule: Result - contains - not found - Include. Once you have done that, go back to the menu bar, then Filter->Save Filter.

As many SYSTEM and High integrity processes are started by services, we now want to log the boot process of the computer and analyze it with Process Monitor.
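The Process Monitor filter and the three-step methodology above can be applied to an exported capture rather than clicked through by hand. The following Python script is an added example, not code from the original post or from ASUS: it reads a Process Monitor CSV export (assumed to have been exported with the optional "Integrity" column enabled, so the column names "Process Name", "Operation", "Path", "Result" and "Integrity" are assumptions), keeps only CreateFile operations on .dll paths that failed with a "not found" result in System or High integrity processes (step 1 plus the privileged-process focus), groups them by the directory whose ACL needs reviewing (step 3), and offers a writability probe that only answers on a live machine where the directory exists. The sample CSV rows are constructed for the example; the process names and paths in them are fictitious. Step 2 (confirming the CreateFile comes from a LoadLibrary-like call) needs the stack trace of the event, which the CSV export does not carry, so it stays a manual check in Process Monitor.

```python
import csv
import io
import os
from collections import defaultdict

# Integrity levels worth a defender's attention: a phantom DLL loaded by one of
# these processes would run with elevated rights. Medium-integrity hits are noise
# for privilege escalation purposes.
PRIVILEGED_INTEGRITY = {"System", "High"}

# Constructed sample export (not a real capture). Column layout assumed to match a
# Process Monitor CSV export with the "Integrity" column added to the view.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Integrity"
"10:00:01.0000000","svchost.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read","System"
"10:00:01.0000001","ExampleService.exe","4321","CreateFile","C:\ProgramData\Example\plugins\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes","System"
"10:00:01.0000002","ExampleHelper.exe","4322","CreateFile","C:\ProgramData\Example\plugins\missing.dll","PATH NOT FOUND","Desired Access: Read Attributes","High"
"10:00:01.0000003","notepad.exe","5555","CreateFile","C:\Users\bob\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes","Medium"
"10:00:01.0000004","ExampleService.exe","4321","CreateFile","C:\ProgramData\Example\config.ini","NAME NOT FOUND","Desired Access: Read","System"
'''.strip()


def find_phantom_dll_candidates(csv_text):
    """Step 1: CreateFile on a .dll path that failed with a 'not found' result,
    restricted to privileged processes. Mirrors the Process Monitor rule
    'Result contains not found' plus a .dll and integrity filter."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        if row["Operation"] != "CreateFile":
            continue
        # Catches both NAME NOT FOUND and PATH NOT FOUND, like the GUI filter.
        if "NOT FOUND" not in row["Result"].upper():
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        if row.get("Integrity", "") not in PRIVILEGED_INTEGRITY:
            continue
        hits.append({
            "process": row["Process Name"],
            "pid": row["PID"],
            "path": row["Path"],
            "result": row["Result"],
            "integrity": row["Integrity"],
        })
    return hits


def directories_to_review(hits):
    """Step 3 preparation: the parent directory of each missing DLL is what an
    attacker would need write (or create) access to, so that is what the
    defender's ACL review has to cover. Returns {directory: [process names]}."""
    by_dir = defaultdict(set)
    for hit in hits:
        directory = hit["path"].rsplit("\\", 1)[0]
        by_dir[directory].add(hit["process"])
    return {d: sorted(procs) for d, procs in by_dir.items()}


def directory_writable(directory):
    """Step 3 on a live host: None when the directory does not exist (then the
    question becomes whether the current user may create it under its parent),
    otherwise whether the current user can write into it."""
    if not os.path.isdir(directory):
        return None
    return os.access(directory, os.W_OK)


if __name__ == "__main__":
    candidates = find_phantom_dll_candidates(SAMPLE_CSV)
    for hit in candidates:
        print(f'{hit["integrity"]:6} {hit["process"]:20} {hit["result"]:15} {hit["path"]}')
    for directory, procs in directories_to_review(candidates).items():
        print(f"review ACL of {directory}: loaded by {', '.join(procs)}"
              f" (writable now: {directory_writable(directory)})")
```

On a real export the first function shrinks a multi-hour boot log to a handful of rows; the grouped directories are the ones whose permissions decide whether each candidate is a real hijack (the fix for the vendor is the same list: stop probing writable locations, or lock down the directory).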