CVE-2022-23748 - mDNSResponder.exe Vulnerable to DLL Sideloading Attack

In early 2022, a serious security issue—tracked as CVE-2022-23748—was discovered in the mDNSResponder.exe executable. This flaw makes it possible for attackers to perform a DLL Sideloading attack. For organizations and users running applications that depend on mDNSResponder.exe, especially in enterprise environments, this vulnerability could lead to malicious code running with elevated privileges.

In this post, we break down what this vulnerability is, how it can be exploited, and how you can defend against it.

What is DLL Sideloading?

DLL sideloading is a technique where an attacker places a malicious Dynamic Link Library (DLL) in a location where a legitimate application will load it, thinking it’s a valid component. This often works when executables do not explicitly specify the path to required DLL files, defaulting to searching in the "current working directory" before the system directories. This behavior can let attackers hijack the application by placing a hostile DLL in the search path.

Read more on DLL sideloading here:  
- FireEye: When Security Tools Turn Bad - DLL Sideloading
- MITRE ATT&CK: DLL Search Order Hijacking

About mDNSResponder.exe

mDNSResponder.exe is a Windows service used mainly for Apple's Bonjour zero-configuration networking protocol. It's found in many third-party software distributions—not just Apple products—and often left running in the background.

Details of CVE-2022-23748

The Flaw:  
mDNSResponder.exe does not properly specify the folder where its DLLs should be loaded from. Specifically, when this executable starts, it searches for some DLL files in the same directory it is launched from, or in the directory set as the application's working directory. If an attacker can control what files are there, they can sneak in a fake, malicious DLL.

Example: Exploiting CVE-2022-23748

Let's look at a sample exploit for educational purposes only.

Step 1: Identifying the Target DLL

Assume mDNSResponder.exe looks for example.dll in its working directory if not already loaded from C:\Windows\System32.

You’ll need a custom DLL. Here’s a simple Windows DLL code sample (using C)

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    if(fdwReason == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "Malicious DLL Loaded!", "CVE-2022-23748", MB_OK);
        // Replace this with your payload
    }
    return TRUE;
}

Compile with

cl /LD malicious.c /Fe:example.dll

When the vulnerable .exe is launched (maybe on startup), it loads your DLL.

Result: The attacker's DLL gets executed under the context of mDNSResponder.exe, inheriting its privileges.

Apply vendor patches:

Always update mDNSResponder.exe and related software. Check for patches from Apple or your software vendor.

Restrict folder permissions:

Limit write privileges on C:\Program Files\Bonjour, C:\Program Files\Common Files\Apple, and similar directories.

References

- CVE-2022-23748 on MITRE
- DLL Sideloading: Microsoft Docs
- FireEye blog on DLL Sideloading

Conclusion

DLL sideloading remains a common attack path due to bad programming practices and legacy code. As shown with CVE-2022-23748, even trusted system executables like mDNSResponder.exe can be abused to load malware. Patch your systems, watch for strange DLLs, and don’t let untrusted files hang out with your executables!

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 12/23/2022 17:03:00 UTC