Untrusted Search Path in ventoy/ventoy

Valid

Reported on

Mar 8th 2022


Description

A current-working-directory type of DLL hijacking vulnerability is found in all executables in ventoy-1.0.70-windows.zip, including:

  1. Ventoy2Disk.exe
  2. VentoyPlugson.exe
  3. VentoyVlnk.exe

Proof of Concept

Step 1: Craft a malicious x86 DLL named "TextShaping.dll" and place it in the same directory as the executable

Step 2: Double click the executable

The malicious DLL should have been loaded, and a cmd shell with admin privileges will be prompted, since those executables require admin privileges by design. (The cmd shell is obtained because the payload in the malicious DLL executes cmd.)

Impact

This vulnerability lets an attacker achieve arbitrary code execution and even privilege escalation.

We are processing your report and will contact the ventoy team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the ventoy team and are waiting to hear back 2 years ago
We have sent a follow up to the ventoy team. We will try again in 7 days. 2 years ago
longpanda
2 years ago

Maintainer


Thanks for the report. I'm not good at Windows programming; how do I fix such a problem?

James Yeung
2 years ago

Researcher


Desktop applications can control the location from which a DLL is loaded by specifying a full path, using DLL redirection, or by using a manifest. If none of these methods are used, the system searches for the DLL at load time as described in this section.

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection
https://docs.microsoft.com/en-us/windows/win32/sbscs/manifests
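A hardening pattern for the load-order problem discussed in this thread, as an added C example (not Ventoy's code and not the fix in commit dcc588): restrict the process-wide default DLL search to System32, drop the current directory from the legacy search path, and load system DLLs by absolute path rather than by bare name. The Windows API calls are real; the helper names and the path-join logic are this example's own.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602          /* SetDefaultDllDirectories needs the Win8 SDK level */
#endif
#include <windows.h>
#endif

/* A bare module name ("TextShaping.dll") carries no directory component, so once
   we prefix it with a trusted directory the loader cannot be steered elsewhere. */
int is_bare_dll_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return strpbrk(name, "\\/:") == NULL;       /* no separators, no drive letter */
}

/* Join dir + name into an absolute path. Returns 1 on success, 0 on an
   untrusted name or truncation. Pure string logic, so it compiles on any OS. */
int build_pinned_path(const char *dir, const char *name, char *out, size_t cap)
{
    if (!is_bare_dll_name(name) || !dir || !*dir) return 0;
    size_t d = strlen(dir);
    const char *sep = (dir[d - 1] == '\\' || dir[d - 1] == '/') ? "" : "\\";
    int w = snprintf(out, cap, "%s%s%s", dir, sep, name);
    return w > 0 && (size_t)w < cap;
}

#ifdef _WIN32
/* Call once at the top of WinMain/main, before any LoadLibrary. It limits the
   default search used by LoadLibrary calls made anywhere in the process
   (including by system DLLs already loaded) to System32 and removes the
   current directory from the legacy order. Import-table DLLs are resolved
   before this runs; those need delay-loading or a manifest instead. */
void harden_dll_search(void)
{
    SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
    SetDllDirectoryW(L"");
}

/* Load a system DLL by its absolute System32 path instead of a bare name. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    if (!GetSystemDirectoryA(sysdir, sizeof sysdir)) return NULL;
    if (!build_pinned_path(sysdir, name, full, sizeof full)) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```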

We have sent a second follow up to the ventoy team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the ventoy team. This report is now considered stale. 2 years ago
longpanda validated this vulnerability 2 years ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
longpanda
2 years ago

Maintainer


Can you give me a TextShaping.dll for testing?

James Yeung
2 years ago

Researcher


https://github.com/jfmaes/CMDLL

You may compile an x86 DLL and name it accordingly (it will spawn cmd.exe as a PoC). Let me know if you can't do it and I can share the DLL with you via email.

longpanda
2 years ago

Maintainer


OK. I got the dll.

longpanda
2 years ago

Maintainer


Please test with this CI release: https://github.com/ventoy/Ventoy/actions/runs/2095286739

James Yeung
2 years ago

Researcher


@maintainer, the issue has been fixed. Thanks!

We have sent a fix follow up to the ventoy team. We will try again in 7 days. 2 years ago
longpanda
2 years ago

Maintainer


The latest Ventoy 1.0.73 release has fixed it. https://github.com/ventoy/Ventoy/releases/tag/v1.0.73

Jamie Slome
2 years ago

Admin


@ventoy - are you able to mark as fixed using the drop-down below?

We have sent a second fix follow up to the ventoy team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the ventoy team. This report is now considered stale. 2 years ago
longpanda marked this as fixed in 1.0.73 with commit dcc588 2 years ago
longpanda has been awarded the fix bounty
This vulnerability will not receive a CVE