Headline
CVE-2023-47113: DLL Search Order Hijacking vulnerability in BleachBit for Windows
BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.4.2 is vulnerable to DLL search order hijacking. By placing a DLL in the folder c:\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This issue has been patched in version 4.5.0.
Impact
BleachBit for Windows up to version 4.4.2 is vulnerable to DLL search order hijacking (CWE-427).
By placing a DLL in the folder c:\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This affects both bleachbit.exe and bleachbit_console.exe.
The impact varies depending on the scenario.
Privilege escalation: in normal operation, BleachBit uses UAC to run in an elevated context. This means that malware running in a non-elevated user context can place the payload and wait until a user runs BleachBit. Once the user runs BleachBit in an elevated context (which is the default), the malicious payload also gets executed elevated.
Persistence: malware can use the vulnerability as a method of persistence. Every time a user executes BleachBit, the malicious payload will be executed.
Evasion: the malicious payload runs inside the process of a legitimate executable, bleachbit.exe or bleachbit_console.exe, rather than as a process of its own.
Spreading: on a multi-user system, compromised user A creates the malicious DLL. Once user B executes BleachBit, the payload will be triggered.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
As an Administrator, create the directory c:\DLLs with permissions that prevent regular (non-elevated) users from creating files in it. This prevents a user, or malware running in that user's context, from creating the corresponding DLL.
Upgrade to BleachBit version 4.6.0 (final) which has a workaround to refuse to start if DLL hijacking is detected.
Upgrade to BleachBit 4.4.2.2467 (alpha) which has a proper fix because it is based on Python 3.10 instead of Python 3.4
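The first workaround above (pre-creating c:\DLLs with an ACL that regular users cannot write to), as an added PowerShell example that is not part of this advisory or of the BleachBit project. It assumes an elevated prompt and the default BUILTIN\Administrators, NT AUTHORITY\SYSTEM and BUILTIN\Users principals. Pre-creating the directory matters because, by default, standard users can create new folders directly under C:\, so the directory must exist with a restrictive ACL rather than simply be absent. The final step lists any remaining write-capable ACE for a non-administrative principal and flags any DLL already present, which is the check a defender would run to confirm the workaround took effect.

```powershell
# Added example, not from the advisory: pre-create C:\DLLs as Administrator with an ACL
# that lets only Administrators and SYSTEM write, so a standard user (or malware running
# in that user's context) cannot drop a DLL there. Run from an elevated PowerShell prompt.
$dir = 'C:\DLLs'

if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Start from the current ACL, disable inheritance without copying the inherited entries,
# and remove any explicit entries so the directory ends up with exactly the rules below.
$acl = Get-Acl -LiteralPath $dir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Administrators and SYSTEM: full control (propagated to anything created inside).
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, 'Allow')))
}
# Users: read and execute only, no write and no create.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow')))

Set-Acl -LiteralPath $dir -AclObject $acl

# Verification: warn about any Allow ACE that still grants write/modify/full control to a
# principal other than Administrators or SYSTEM, and about any DLL already in the directory
# (a DLL here is unexpected on a healthy system and worth investigating).
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
Get-Acl -LiteralPath $dir | Select-Object -ExpandProperty Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeMask) -ne 0) -and
        ($_.IdentityReference.Value -notin 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    } |
    ForEach-Object { Write-Warning "Write access still granted to $($_.IdentityReference.Value)" }

Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Unexpected DLL present: $($_.FullName)" }
```

Re-running the verification block on its own is a cheap periodic check: an unexpected DLL in c:\DLLs, or a write-capable ACE for a non-administrative principal, means the workaround has been undone or an attempt to exploit this issue has taken place.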