Impact
High! VCL-ActiveDirectory4Delphi (current version) was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
Vulnerability
The file ActiveDirectory.Winapi.DllMapper.pas has two reference to import external DLL from the Windows OS activeds.dll and adsldpc.dll
Here is the current ActiveDirectory.Winapi.DllMapper.pas code:
ref: https://github.com/EdZava/VCL-ActiveDirectory4Delphi/blob/master/src/Winapi/ActiveDirectory.Winapi.DllMapper.pas#L93
Using the Process Monitor (procmon) it possible to see the external import of the binary TestActiveDirectory.exe on runtime execution.
highlighted in red, we can see that be default, if you do not set the path complete of variable, the DLL will be stored in the local directory of the executable, which in my case is C:\Users\mh4x0f\Desktop\activeds.dll and the result is NAME NOT FOUND becasue the file .dll" cannot be faulted into the current directory.
The vulnerability occurs because the VCL-ActiveDirectory4Delphi not set the complete path into code for import only from System32/x.dll
POC
The exploration can be simple in this demo I will show only exploit the activeds.dll but with same modification is possible to apply for adsldpc.dll.
I checked the source of this project the functions you are using that come from the activeds.dll and i found.
But the attacker can find this using some PE file explorer, i used the die.exe (detect it easy) checkout.
After that, I wrote a code .dll and proxy the functions that binary needed to work fine.
Then, i rename the project.dll to activeds.dll and moved it to the same path of executable TestActiveDirectory.exe
After that, it was only necessary to execute the binary TestActiveDirectory.exe that will see the calc.exe execution the same time.
Recommendation
The recommendation is to pass the complete path on System32, the change will force the search file activeds.dll to be in the system directory C:\Windows\System32\activeds.dll the same modification can be added for adsldpc.dll
Impact
High! VCL-ActiveDirectory4Delphi (current version) was discovered to contain a DLL hijacking vulnerability that allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
Vulnerability
The file
ActiveDirectory.Winapi.DllMapper.pashas two reference to import external DLL from the Windows OSactiveds.dllandadsldpc.dllHere is the current
ActiveDirectory.Winapi.DllMapper.pascode:ref: https://github.com/EdZava/VCL-ActiveDirectory4Delphi/blob/master/src/Winapi/ActiveDirectory.Winapi.DllMapper.pas#L93
Using the
Process Monitor (procmon)it possible to see the external import of the binary TestActiveDirectory.exe on runtime execution.highlighted in red, we can see that be default, if you do not set the path complete of variable, the DLL will be stored in the local directory of the executable, which in my case is
C:\Users\mh4x0f\Desktop\activeds.dlland the result isNAME NOT FOUNDbecasue the file .dll" cannot be faulted into the current directory.The vulnerability occurs because the VCL-ActiveDirectory4Delphi not set the complete path into code for import only from
System32/x.dllPOC
The exploration can be simple in this demo I will show only exploit the
activeds.dllbut with same modification is possible to apply foradsldpc.dll.I checked the source of this project the functions you are using that come from the
activeds.dlland i found.But the attacker can find this using some PE file explorer, i used the die.exe (detect it easy) checkout.
After that, I wrote a code .dll and proxy the functions that binary needed to work fine.
Then, i rename the project.dll to
activeds.dlland moved it to the same path of executableTestActiveDirectory.exeAfter that, it was only necessary to execute the binary
TestActiveDirectory.exethat will see the calc.exe execution the same time.Recommendation
The recommendation is to pass the complete path on System32, the change will force the search file activeds.dll to be in the system directory
C:\Windows\System32\activeds.dllthe same modification can be added foradsldpc.dll