Dashlane 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1124146 漏洞类型 代码问题
发布时间 2017-08-03 更新时间 2020-08-20
CVE编号 CVE-2017-11657 CNNVD-ID CNNVD-201707-1304
漏洞平台 Windows CVSS评分 4.4
|漏洞来源
https://www.exploit-db.com/exploits/44066
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201707-1304
|漏洞详情
Dashlane是美国Dashlane公司的一款适用于mobile平台的系统安全类软件。 Dashlane中存在安全漏洞。本地攻击者可通过向\\%APPDATA\\%Dashlane目录中放置WINHTTP.dll文件利用该漏洞获取权限。
|漏洞EXP
## Vulnerability Summary
The following advisory describes a DLL Hijacking vulnerability found in Dashlane.

Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The app’s premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.”

## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

## Vendor response
We have informed Dashlane of the vulnerability, their answer was: “Since there are many ways to load DLLs/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLLl/exe if you are privileged to write in the user %appdata%/…/dashlane directory, we won’t change the current way of loading DLLs in the short term.”

At this time there is no solution or workaround for this vulnerability.

CVE: CVE-2017-11657

## Vulnerability details
When Dashlane starts on a Windows machine it tries to load a DLL (WINHTTP.dll) from the C:\Users\user\AppData\Roaming\Dashlane\ directory, if a malicious attacker puts the DLL in that directory Dashlane will load it and run the code found in it – without giving the user any warning of it.

This happens because:

Dashlane does not provide the file WINHTTP.dll.
Writing in %appdata% doesn’t require any special privileges, the file called WINHTTP.dll can be placed in the path C:\Users\user\AppData\Roaming\Dashlane\.
Since Dashlane can require admin privileges, an attacker can place the nwinhttp.dll and cause script/command execution as the current user (usually admin).
|参考资料

来源:MISC
链接:https://blogs.securiteam.com/index.php/archives/3357