{"id":8565,"date":"2017-08-03T14:19:10","date_gmt":"2017-08-03T22:19:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/03\/news-2338\/"},"modified":"2017-08-03T14:19:10","modified_gmt":"2017-08-03T22:19:10","slug":"news-2338","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/08\/03\/news-2338\/","title":{"rendered":"SSD Advisory \u2013 Dashlane DLL Hijacking"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 03 Aug 2017 06:30:36 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a DLL Hijacking vulnerability found in Dashlane.<\/p>\n<p><a href=\"https:\/\/www.dashlane.com\/\" target=\"_blank\">Dashlane<\/a> is &#8220;a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. 
The app&#8217;s premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We have informed Dashlane of the vulnerability; their answer was: &#8220;Since there are many ways to load DLLs\/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLL\/exe if you are privileged to write in the user %appdata%\/&#8230;\/dashlane directory, we won\u2019t change the current way of loading DLLs in the short term.&#8221; <\/p>\n<p>At this time there is no solution or workaround for this vulnerability.<\/p>\n<p>CVE: CVE-2017-11657<br \/> <span id=\"more-3357\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> When Dashlane starts on a Windows machine, it tries to load a DLL (WINHTTP.dll) from the <em>C:\\Users\\user\\AppData\\Roaming\\Dashlane<\/em> directory. If a malicious attacker puts the DLL in that directory, Dashlane will load it and run the code found in it without giving the user any warning.<\/p>\n<p>This happens because:<\/p>\n<ul>\n<li>Dashlane does not provide the file <em>WINHTTP.dll<\/em>.<\/li>\n<li>Writing in %appdata% doesn&#8217;t require any special privileges, so a file called <em>WINHTTP.dll<\/em> can be placed in the path <em>C:\\Users\\user\\AppData\\Roaming\\Dashlane<\/em>.<\/li>\n<li>Since Dashlane can require admin privileges, an attacker can place the winhttp.dll and cause script\/command execution as the current user (usually admin).<\/li>\n<\/ul>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3357\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 03 Aug 2017 06:30:36 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a DLL Hijacking vulnerability found in Dashlane. Dashlane is &#8220;a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The app&#8217;s premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.&#8221; Credit An &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3357\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Dashlane DLL 
Hijacking<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[13327,10757],"class_list":["post-8565","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-dll-hijacking","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8565"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8565\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}