Issue 633681


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug


Security: Chrome DLL Hijacking Arbitrary Code Execution Vulnerability

Reported by mehta.hi...@gmail.com, Aug 2 2016

Issue description

VULNERABILITY DETAILS
Chrome contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. The vulnerability exists because a DLL file is loaded improperly by 'ChromeSetup.exe', which allows an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code without the user's knowledge.

Impact: An attacker can exploit this vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help the attacker to successfully exploit the system if the user creates a shell as a DLL.

Attackers can exploit this issue remotely by placing the files in a remotely accessible SMB or WebDAV share location. Successful exploits will compromise the application in the context of the currently logged-in user. 

Vulnerability Scoring Details:
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/)
Base Score: 7.2 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Attack Scenario:
1. An attacker locates a vulnerable computer. 
2. The attacker creates a malicious library and a legitimate file associated with the vulnerable application and places them in a user-accessible directory. 
3. The attacker entices an unsuspecting user to use the affected application to open the legitimate file. 
4. When the application executes, the attacker's library file is loaded into the process's address space. 
5. When the application calls the library the attacker has replaced, the attacker's code will run.

VERSION
Chrome Version: Chrome Setup .exe Installer (Google Update 1.3.29.5)
Operating System: Windows 7 Service Pack 1

REPRODUCTION CASE
1. Create a malicious 'PGPmapih.dll' file and save it in your "Downloads" directory.

2. Download 'ChromeSetup.exe' from https://www.google.co.in/chrome/browser/desktop/ and save it in your "Downloads" directory.

3. Execute the .exe from your "Downloads" directory. The malicious DLL file gets executed.

Mitigations:
1. Do not accept or execute files from untrusted or unknown sources. To reduce the likelihood of successful exploits, do not open or handle files from unknown or untrusted locations. 
2. Run all software as a nonprivileged user with minimal access rights. To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
3. Block external access at the network boundary, unless external parties require service. If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.

Additional Details:
For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability.

Reference:
https://community.rapid7.com/community/infosec/blog/2010/08/23/application-dll-load-hijacking

Attachments:
POC.zip (805 KB)
PGPmapih.dll (14.0 KB)
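The reproduction case above depends on ChromeSetup.exe resolving a DLL name from its own directory (here the Downloads folder) before the system directories, the default Windows DLL search order. The script below is an added example, not code from the original report or from Chromium: it lists every DLL sitting beside a given executable, flags the ones that share a name with a DLL in System32 (candidates for search-order hijacking of an existing import) and reports their Authenticode status. A name like PGPmapih.dll that is not a Windows system DLL shows up with ShadowsSystem set to false; that is the "missing DLL" variant, where the planted file is the only candidate the loader will find. The function name Test-SideBySideDll and the path Downloads\ChromeSetup.exe are assumptions for illustration.

```powershell
# Added example (not Chromium code): audit the directory of an executable for DLLs
# that the default Windows DLL search order would pick up ahead of the system copy.
function Test-SideBySideDll {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExePath            # assumed: full path to the executable under test
    )

    if (-not (Test-Path -LiteralPath $ExePath)) {
        throw "Executable not found: $ExePath"
    }

    # The application directory is the first location searched for an unqualified DLL name.
    $appDir   = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path
    $system32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -LiteralPath $appDir -Filter '*.dll' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Dll           = $_.Name
            Directory     = $appDir
            # True when a same-named DLL exists in System32: the side-by-side copy wins.
            ShadowsSystem = Test-Path -LiteralPath (Join-Path $system32 $_.Name)
            Signature     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SizeKB        = [math]::Round($_.Length / 1KB, 1)
        }
    }
}

# Usage (path is an assumption for illustration): audit the installer saved in Downloads
# and show only DLLs that do not carry a valid Authenticode signature.
$exe = Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads\ChromeSetup.exe'
Test-SideBySideDll -ExePath $exe |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

The script only inspects what is present on disk; it does not tell you which names the executable actually asks for. To see that, run the executable under Process Monitor and filter on CreateFile results of NAME NOT FOUND for *.dll paths in the application directory. On the hardening side, a binary can remove the application directory and the current directory from its own search path for DLLs it loads at run time by calling SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) before any LoadLibrary call; that does not cover statically linked imports, which the loader resolves before the entry point runs.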
Cc: jsc...@chromium.org
Components: Internals>Installer
Labels: -Type-Bug-Security OS-Windows Type-Bug
Status: WontFix (was: Unconfirmed)
Hi, thanks for your report. Bugs that require placing DLLs in the user's downloads directory are not generally classified as security issues. Please see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

Adding jschuh to confirm but closing as WontFix for now.

Comment 2 by sheriffbot@chromium.org, Nov 9 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot