VMWare Horizon View Client <= 5.4 DLL Hijacking

During one of the pentest assignment i had to perform security assessment for VMWare Horizon View Client, since it’s native windows application the attack vectors are different than normal web apps. I started looking at the memory then traffic then registries found nothing, i was at a total loss…. Fortunately since it’s a native application it must require some dlls, so there are pretty good chances that developers might forgot to explicitly call dlls via complete path, what does that mean ? So lets say an application requires abc.dll and it just calls it by referring call abc.dll windows will look for abc.dll in following order:-

  • The directory from which the application loaded.
  • System directory (C:\Windows\Syswow64).
  • System directory (C:\Windows\System32).
  • The 16-bit system directory (C:\Windows\System).
  • The Windows directory (C:\Windows).
  • The Current Directory.
  • Directories that are listed in the PATH variables.

I fired up process minitor with following rules:-

Next i started the application to see which dlls are missing.

So As we can see that Trutil.dll is required by the application and it’s clearly missing

Once the application is launched we will get reverse shell….sweet!!!

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *