CVE CyberSecurity Database News

CVE-2023-49114 - DLL Hijacking in Qognify VMS Client Viewer Lets Local Users Escalate Privileges

Poster -

A new security hole, tracked as CVE-2023-49114, has been discovered in the Qognify VMS Client Viewer, specifically in versions 7.1 and above. This problem is a DLL hijacking vulnerability, which can let local attackers run their own code and possibly get higher system privileges, depending on how the program is being used. Below, we break down how this flaw works, how it can be exploited, and what you can do to protect your systems.

What is DLL Hijacking?

DLL hijacking is a type of attack where an application loads a Dynamic Link Library (DLL) from a location controlled by an attacker, usually due to unsafe search paths. If the malicious library is loaded, it can run the attacker's code with the same privileges as the application.

Microsoft’s official documentation on DLL hijacking

About Qognify VMS Client Viewer

Qognify VMS Client Viewer is a widely used application for viewing video feeds and managing video systems in enterprise environments, like corporate buildings, campuses, and public spaces.

Details of CVE-2023-49114

Researchers discovered that Qognify VMS Client Viewer does not securely load certain DLL files on startup. Instead, it relies on the insecure default Windows DLL search order, which gives attackers a chance to trick the program into running a fake DLL if certain conditions are met.

Affected Versions:
Qognify VMS Client Viewer 7.1 and above.

Conditions for Exploit

- Local access is required: The attacker needs the ability to place files on the local system where the Viewer app is installed.
- The application must be run by a user account with elevated (admin) privileges, or the resulting process must elevate privileges.

How the Exploit Works

1. The attacker figures out which DLL file the Viewer tries to load on startup (but can’t find in its folder).
2. The attacker creates a malicious version of that DLL, with code that does something harmful - like open a backdoor, install malware, or run system commands.
3. The attacker places this fake DLL in the same directory as the Qognify VMS Client Viewer executable (or another directory checked before the real DLL).
4. When the Viewer runs, it loads the attacker’s DLL instead of the real one, and the bad code is executed.

Proof of Concept (PoC) DLL

Below is a simple example of a malicious DLL written in C. When loaded, it will just launch the Windows Calculator (as proof it worked). In real attacks, this code would be replaced with something more dangerous.

// Save as evil.dll and compile with a C compiler like Visual Studio's cl.exe
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        WinExec("calc.exe", SW_SHOW); // Launches Calculator as a harmless example
    }
    return TRUE;
}

Compile it:

cl.exe /LD evil.c /link /OUT:missingdll.dll

Real-World Impact

- Privilege Escalation: If the Viewer is started with admin rights, the attacker’s code will also run as admin, potentially taking control of the system.

Persistence: Attackers may use this method to plant backdoors that persist after reboots.

- Evasion: Traditional antivirus tools may not detect the attack, as it uses legit Windows features.

Mitigation

1. Update Qognify VMS Client Viewer: As of writing, check Qognify’s security updates page for patched versions or advisories.

AppLocker or Similar: Use Windows features to block untrusted DLLs from loading.

4. Monitor for Strange DLLs: Watch for any DLLs appearing in program folders that you did not install.

References and Further Reading

- Original Disclosure (Packet Storm)
- NIST National Vulnerability Database CVE-2023-49114
- Microsoft: Dynamic Link Library Search Order

Conclusion

CVE-2023-49114 is another reminder that even trusted security software can be vulnerable if not coded defensively. Always keep software updated, restrict folder permissions, and monitor your endpoints for suspicious files or activities. If you use Qognify VMS Client Viewer 7.1 or newer, take steps to protect your systems now!


*If you found this post helpful, please share it to raise awareness. If you find new details about this vulnerability, feel free to comment below!*

Timeline

Published on: 02/26/2024 16:27:47 UTC
Last modified on: 08/14/2024 15:35:03 UTC