CVE-2022-33036: Vuln/Embarcadero-Dev-Cpp-CreateProcessW-Misuse-Binary-Hijack.md at main · ycdxsb/Vuln

A binary hijack in Embarcadero Dev-CPP v6.3 allows attackers to execute arbitrary code via a crafted .exe file.


Embarcadero-Dev-Cpp CreateProcessW Misuse Binary Hijack

Basic Info

Software name: Embarcadero Dev-Cpp

Download: https://github.com/Embarcadero/Dev-Cpp

Vuln Version: v6.3 and before

Description: When a user runs Dev-Cpp on Windows, it first tries to run C:\Program.exe; if C:\Program.exe does not exist, it runs C:\Program Files (x86)\Embarcadero\Dev-Cpp\TDM-GCC-64\bin\gcc.exe. An attacker can therefore place C:\Program.exe in C:\, and it will execute arbitrary code when other users run Dev-Cpp.

Analyse

When devcpp.exe starts on Windows, it tries to start the process C:\Program Files (x86)\Embarcadero\Dev-cpp\TDM-GCC-64\bin\gcc.exe with CreateProcessW.

This vulnerability occurs because the developer misuses the CreateProcess API. We can find it from the call stack.

An attacker who has write permission to C:\ can place a binary named C:\Program.exe there, and it will be executed when Embarcadero Dev-Cpp starts.
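To audit a launcher for this class of bug, the following added example (not code from Dev-Cpp or from the original advisory) models the module-name search that Microsoft documents for CreateProcess when lpApplicationName is NULL and the command line is split at spaces. The function names and the `PATH_MAX_W` constant are hypothetical, and the code is portable C that only computes the candidate paths without calling any Win32 API.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_W 260  /* hypothetical name; same value as MAX_PATH on Windows */

/* Returns 1 if the last path component of s[0..len) contains a '.', else 0. */
static int has_extension(const char *s, size_t len) {
    for (size_t i = len; i > 0; i--) {
        if (s[i - 1] == '.') return 1;
        if (s[i - 1] == '\\' || s[i - 1] == '/') return 0;
    }
    return 0;
}

/* Lists, in order, the image paths that would be tried for cmdline when
 * lpApplicationName is NULL. Returns the number of candidates written. */
int candidate_images(const char *cmdline, char out[][PATH_MAX_W], int max) {
    size_t len = strlen(cmdline);
    int n = 0;
    if (max < 1 || len == 0) return 0;
    if (cmdline[0] == '"') {  /* quoted: the module name ends at the closing quote */
        const char *end = strchr(cmdline + 1, '"');
        size_t l = end ? (size_t)(end - cmdline - 1) : len - 1;
        snprintf(out[0], PATH_MAX_W, "%.*s%s", (int)l, cmdline + 1,
                 has_extension(cmdline + 1, l) ? "" : ".exe");
        return 1;
    }
    for (size_t i = 1; i <= len && n < max; i++) {
        if (cmdline[i] != ' ' && cmdline[i] != '\0') continue;
        if (cmdline[i - 1] == ' ') continue;  /* skip runs of spaces */
        snprintf(out[n++], PATH_MAX_W, "%.*s%s", (int)i, cmdline,
                 has_extension(cmdline, i) ? "" : ".exe");
    }
    return n;
}

int main(void) {
    /* Constructed inputs: the gcc.exe path from the advisory, unquoted and quoted. */
    const char *cmds[] = {
        "C:\\Program Files (x86)\\Embarcadero\\Dev-Cpp\\TDM-GCC-64\\bin\\gcc.exe",
        "\"C:\\Program Files (x86)\\Embarcadero\\Dev-Cpp\\TDM-GCC-64\\bin\\gcc.exe\"" };
    char c[8][PATH_MAX_W];
    for (int k = 0; k < 2; k++) {
        int n = candidate_images(cmds[k], c, 8);
        printf("%s -> %d candidate(s)\n", cmds[k], n);
        for (int i = 0; i < n; i++) printf("  %s\n", c[i]);
    }
    return 0;
}
```

Any command line that yields more than one candidate needs fixing at the call site, either by quoting the executable path in lpCommandLine or by passing the full path as lpApplicationName.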

Proof of Concept

PoC Video
