Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security bug] Vulnerabilities in the DLL injector module #40

Open
ikerl opened this issue Feb 22, 2024 · 1 comment
Open

[Security bug] Vulnerabilities in the DLL injector module #40

ikerl opened this issue Feb 22, 2024 · 1 comment

Comments

@ikerl
Copy link

ikerl commented Feb 22, 2024

I have found two issues that can be chained by an attacker with high privileges in order to inject arbitrary hooks into any monitored process in an endpoint running openEDR.

1. Unsigned DLL Loading in the Injector Module

The EDR's injector driver loads specific DLLs into monitored processees to hook certain Windows APIs. However, the driver does not check correctly the loaded DLLs' signatures at all. This allows an attacker with high integrity privileges to use this legitimate driver, signed by Comodo, to load a malicious DLLs and perform userland hooking.

The isDllVerified() function is not being used and does not work correctly in current Windows versions.

2. DLL Hijacking in the Injector Module

The injector driver searches for DLLs to inject into the monitored processes in a predefined list of paths in priority order. The issue stems from the fact that, even though the second of these paths is properly protected, the first is not. This allows a user with high integrity privileges to drop a malicious DLL into this path, or overwrite a legitimate DLL in such path.

@jayprakashkumar1
Copy link

@ikerl Have you succeeded in building the project? I am struggling to build it. Please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants