Xshell5 5.0 Build 1124 DLL Hijacking
Posted on 18 February 2017
[+] Title: Xshell5 - "api-ms-win-appmodel-runtime-l1-1-0" DLL Loading Arbitrary Code Execution.
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com
[+] Author Company: Henceforth

Vendor:
===============
https://www.netsarang.com/

Product Version:
===============
5.0 Build 1124

Download:
===========
https://www.netsarang.com/xshell_download.html

About Product:
===============
Xshell is a powerful terminal emulator that supports SSH, SFTP, TELNET, RLOGIN and SERIAL. It delivers industry leading performance and feature sets that are not available in its free alternatives. Features that enterprise users will find useful include a tabbed environment, dynamic port forwarding, custom key mapping, user defined buttons, VB scripting, and UNICODE terminal for displaying 2 byte characters and international language support.

Vulnerability Type:
======================================
DLL Loading Arbitrary Code Execution.

CVE Reference:
===============
N/A

Tested on:
===============
Windows 7 - Winxp

Exploit/POC:
============
The Setup Launcher for Xshell5 is vulnerable to DLL Arbitrary Code Execution.

1) Download the DLL from: https://mega.nz/#!OYQwxJSJ!Uwaq5N1_1hWlFtPQDgCgKRF2A9kiJvF3g6FmbZ1vM7s.
2) Then copy the DLL to the Xshell5 setup directory.
3) Launch the Setup Launcher; the command "calc" then executes, and DONE.

Network Access:
===============
Remote - Local

Impact:
=================
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
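A defensive check for the condition described above, as an added example that is not part of the original advisory: it walks a folder (for instance a downloads or installer staging directory) and reports API-set-named DLLs such as api-ms-win-appmodel-runtime-l1-1-0.dll that sit next to an executable. The function names, the trusted-directory list and the sample file layout are assumptions constructed for illustration, and a hit is a heuristic lead to review, not proof of a malicious file.

```python
import os
import re
import sys

# API-set contract naming, e.g. api-ms-win-appmodel-runtime-l1-1-0.dll
API_SET_RE = re.compile(r"^(api|ext)-ms-[a-z0-9-]+-l\d+-\d+-\d+\.dll$", re.I)
# Assumption: Windows system locations where such files are expected.
TRUSTED_PARTS = ("\\windows\\system32", "\\windows\\syswow64", "\\windows\\winsxs")


def find_side_loaded_dlls(root):
    """Return (directory, dll, [executables]) for each API-set-named DLL
    that shares a directory with at least one .exe under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        norm = dirpath.replace("/", "\\").lower()
        if any(part in norm for part in TRUSTED_PARTS):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # a DLL with no launcher beside it is out of scope here
        for name in sorted(files):
            if API_SET_RE.match(name):
                findings.append((dirpath, name, exes))
    return findings


def build_sample_tree(base):
    """Create a constructed sample layout (empty placeholder files only)."""
    layout = {
        "clean": ["setup.exe", "readme.txt"],
        "staged": ["setup.exe", "helper.dll",
                   "api-ms-win-appmodel-runtime-l1-1-0.dll"],
        "libs_only": ["api-ms-win-core-file-l1-1-0.dll"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            open(os.path.join(base, folder, name), "wb").close()
    return base


if __name__ == "__main__":
    # Usage: python check_sideload.py <directory to audit>
    for directory, dll, exes in find_side_loaded_dlls(sys.argv[1]):
        print(f"[!] {dll} beside {', '.join(exes)} in {directory}")
```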