
DLL Injection and Code Execution Vulnerability in v54.5.90 Lets Hackers Spread Malware

A DLL hijacking, injection and code execution vulnerability has been found in the cloud-based storage solution Dropbox. The vulnerability was first reported earlier this week and affects Dropbox version 54.5.90. It has since been investigated further, and users should now be aware of it.

According to the exploit details published by the security researcher ZwX, the vulnerability exists in Dropbox for Windows, version 54.5.90. It stems from loopholes in the way four particular libraries are handled: cryptbase.dll, CRYPTSP.dll, msimg32.dll and netapi32.dll. The weakness in how these libraries are loaded in turn lets each of them be substituted, so the Dropbox client as a whole is affected.

The vulnerability is remotely exploitable. An unauthenticated attacker abuses the DLL loading behaviour so that a maliciously crafted DLL file is loaded in place of the intended one, with the elevated permissions granted to system DLL files. A user whose device is affected will not notice until the process has been used to inject malware into the system; the DLL injection and execution runs in the background and needs no user input to run its arbitrary code.

According to the proof of concept, reproducing the vulnerability involves first building a malicious DLL file and renaming it after one of the DLLs that Dropbox normally loads. Next, this file is copied into the Dropbox folder under Program Files on the Windows C drive. When Dropbox is then launched, it looks up the DLL by that name and, because the malicious file is picked up in place of the genuine one, the code in the crafted DLL executes, giving a remote attacker access to the system to download and spread further malware.
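Added example, not from the advisory or from Dropbox: a defender's check for this class of bug, which scans an install directory for copies of the four named libraries (a planted file has to sit in the application directory, so its presence there is the indicator) and flags any that are not PE images or whose hash differs from the System32 copy. The directory paths, the constructed sample files and the helper names are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Library names from the advisory; matched case-insensitively because NTFS is.
HIJACKABLE_NAMES = {"cryptbase.dll", "cryptsp.dll", "msimg32.dll", "netapi32.dll"}

def sha256_of(path):
    """Hash a file in chunks so large DLLs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_planted_dlls(app_dir, system_dir=None):
    """Return {relative_path: [tags]} for suspect DLLs anywhere under app_dir."""
    findings = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower() not in HIJACKABLE_NAMES:
                continue
            path = Path(root) / name
            # Any file with one of these names next to the app shadows the real one.
            tags = ["shadows-system-dll"]
            with open(path, "rb") as handle:
                if handle.read(2) != b"MZ":  # not a PE image: a stub or placeholder
                    tags.append("not-a-pe")
            if system_dir is not None:
                # A genuine copy hashes like System32's; a crafted one will not.
                reference = Path(system_dir) / name.lower()
                if reference.is_file() and sha256_of(reference) != sha256_of(path):
                    tags.append("differs-from-system-copy")
            findings[str(path.relative_to(app_dir))] = tags
    return findings

def demo():
    """Scan a constructed stand-in for the install and system directories."""
    base = Path(tempfile.mkdtemp())
    app, system = base / "Dropbox", base / "System32"
    for folder in (app, system):
        folder.mkdir()
    (app / "Dropbox.dll").write_bytes(b"MZ" + b"\0" * 32)     # app's own DLL, ignored
    (app / "CRYPTSP.dll").write_bytes(b"MZ" + b"\x90" * 32)   # planted look-alike
    (app / "netapi32.dll").write_bytes(b"not a PE")           # planted stub
    (system / "cryptsp.dll").write_bytes(b"MZ" + b"\0" * 32)  # genuine system copy
    return find_planted_dlls(app, system)
```

On a real machine, call `find_planted_dlls` with the Dropbox install folder and `C:\Windows\System32` instead of the constructed directories.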

Unfortunately, the vendor has not yet published any mitigation steps, workarounds or updates, but given the critical severity of the risk an update can be expected very soon.
