Security: Missing DLL Search in Chrome.
Reported by engfilip...@gmail.com, Nov 10 2016

Issue description

VULNERABILITY DETAILS
Google Chrome tries to load a non-existent DLL from the system32 directory. The DLL atlthunk.dll does not exist, allowing an attacker to place a malicious DLL in system32.

VERSION
Chrome Version: [54.0.2840.99 m] stable
Operating System: [Windows 7 Ultimate, Service Pack 1]

REPRODUCTION CASE
To bypass UAC I use the "wusa.exe" technique to drop the fake DLL into system32.
Nov 11 2016
The issue is aggravated on Windows 7 because the DLL is not present, resulting in an exploitable DLL hijack vulnerability, even though the SafeDllSearchMode flag is enabled. I have tested on 3 distinct Windows 7 installations, and none of them ship atlthunk.dll. I can't confirm why or under what circumstances the DLL is/isn't available on Windows 7, but a patch to the LoadLibrary call should mitigate the issue in the vulnerable scenarios. Usually DLL hijacking attacks require (low) access to the machine. If a low-privileged user is infected, malware is capable of injecting code into the Chrome process.
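The conditions the reporter describes (a system DLL that may be absent from System32, the SafeDllSearchMode setting, and a Chrome process that has loaded the DLL from somewhere else) can be checked from the defender's side. The script below is an added audit example; it is not part of the bug report or of Chromium's code. It assumes the DLL name atlthunk.dll from the report, reads SafeDllSearchMode from its registry location under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and inspects the module lists of running chrome.exe processes.

```powershell
# Added audit script (not from the bug report). From a defender's point of view it checks:
#   1. whether atlthunk.dll is present in the Windows system directory and is validly signed,
#   2. whether SafeDllSearchMode is enabled (1, or absent, which defaults to enabled),
#   3. whether any running chrome.exe has loaded a module named atlthunk.dll
#      from a path outside the system directory.
$dllName   = 'atlthunk.dll'                      # DLL named in the report
$systemDir = [Environment]::SystemDirectory      # e.g. C:\Windows\System32
$systemDll = Join-Path $systemDir $dllName

# 1. Is the DLL shipped on this machine at all? (The report says it is absent on Windows 7.)
if (Test-Path $systemDll) {
    $sig = Get-AuthenticodeSignature -FilePath $systemDll
    "{0} present in {1}; signature status: {2} ({3})" -f $dllName, $systemDir, $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Unexpected or invalid signature on $systemDll - investigate."
    }
} else {
    Write-Warning "$dllName is not present in $systemDir; a LoadLibrary for it falls through to later search-path entries."
}

# 2. SafeDllSearchMode: when enabled, the system directory is searched before the current directory.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$safe  = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).SafeDllSearchMode
$safeText = if ($null -eq $safe) { 'not set (defaults to enabled)' } else { $safe }
"SafeDllSearchMode registry value: {0}" -f $safeText

# 3. For each running Chrome process, flag an atlthunk.dll loaded from outside the system directory.
$findings = foreach ($p in Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    try { $mods = $p.Modules } catch { continue }   # module list may be inaccessible; skip that process
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $dllName -and -not $m.FileName.StartsWith($systemDir, 'OrdinalIgnoreCase')) {
            [pscustomobject]@{ Pid = $p.Id; Module = $m.ModuleName; Path = $m.FileName }
        }
    }
}
if ($findings) {
    Write-Warning "$dllName loaded from an unexpected location:"
    $findings | Format-Table -AutoSize
} else {
    "No chrome.exe process has $dllName loaded from outside $systemDir."
}
```

Run it in an elevated PowerShell session so that the module lists of all Chrome processes are readable; a hit in step 3 is what a hijacked load looks like, and an absent or unsigned file in step 1 is the precondition the report relies on.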
Nov 11 2016
Hi, like we mentioned, we do not consider DLL hijacking to be a vulnerability in Chrome. See https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for some more details behind this point of view.
Comment 1 by rickyz@chromium.org, Nov 10 2016