Untrusted Search Path in ventoy/ventoy

Valid

Reported on

Mar 8th 2022


Description

A current-working-directory type of DLL hijacking vulnerability is found in all executables shipped in ventoy-1.0.70-windows.zip, including:

  1. Ventoy2Disk.exe
  2. VentoyPlugson.exe
  3. VentoyVlnk.exe

Proof of Concept

Step 1: Craft a malicious x86 DLL named "TextShaping.dll" and place it in the same directory as the executable

Step 2: Double click the executable

The malicious DLL is loaded and a cmd shell with administrator privileges is spawned, since those executables require administrator privileges by design. (The cmd shell appears because the payload in the malicious DLL executes cmd.)

Impact

This vulnerability allows an attacker to achieve arbitrary code execution and even privilege escalation.

We are processing your report and will contact the ventoy team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the ventoy team and are waiting to hear back 3 months ago
We have sent a follow up to the ventoy team. We will try again in 7 days. 2 months ago
longpanda
2 months ago

Maintainer


Thanks for the report. I'm not good at windows programming, how to fix such problem?

James Yeung
2 months ago

Researcher


Desktop applications can control the location from which a DLL is loaded by specifying a full path, using DLL redirection, or by using a manifest. If none of these methods are used, the system searches for the DLL at load time as described in this section.

https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection
https://docs.microsoft.com/en-us/windows/win32/sbscs/manifests
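The first of the three options quoted above, loading by full path, applied to the TextShaping.dll load from this report. This is an added example in C, not Ventoy's code or its actual fix; the function names are assumed, and the Windows API calls are compiled only on Windows so the path helper can be built anywhere.

```c
/* Added example, not Ventoy's code: restrict the process DLL search order to
 * System32 and load TextShaping.dll by full path. Windows calls are #ifdef'd. */
#ifdef _WIN32
#define _WIN32_WINNT 0x0602   /* Windows 8+ API: SetDefaultDllDirectories */
#include <windows.h>
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "<sysdir>\<name>". name must be a bare *.dll file name: a separator
 * or drive letter in it could redirect the load. 1 on success, else 0. */
int build_system32_dll_path(const char *sysdir, const char *name,
                            char *out, size_t cap)
{
    size_t n = strlen(name), d = strlen(sysdir);
    if (n < 5 || strpbrk(name, "\\/:"))
        return 0;
    for (int i = 0; i < 4; i++)                  /* case-insensitive ".dll" */
        if (tolower((unsigned char)name[n - 4 + i]) != ".dll"[i])
            return 0;
    int sep = (d == 0 || sysdir[d - 1] != '\\');
    if (d + sep + n + 1 > cap)                   /* room for "\" and NUL */
        return 0;
    snprintf(out, cap, "%s%s%s", sysdir, sep ? "\\" : "", name);
    return 1;
}

#ifdef _WIN32
/* Call first thing in WinMain: TextShaping.dll is loaded lazily by the common
 * controls, so the search order must be locked down before any UI exists. */
int harden_dll_search(void)
{
    char sysdir[MAX_PATH], path[MAX_PATH];
    /* Process-wide default for later LoadLibrary calls made without explicit
     * flags, including those from system DLLs; else drop at least the CWD. */
    if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32))
        SetDllDirectoryA("");
    if (!GetSystemDirectoryA(sysdir, sizeof sysdir) ||
        !build_system32_dll_path(sysdir, "TextShaping.dll", path, sizeof path))
        return 0;
    /* Full path given: the loader does not walk the search order at all. */
    return LoadLibraryExA(path, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) != NULL;
}
int main(void)
{
    printf("System32-only DLL loading %s\n", harden_dll_search() ? "on" : "FAILED");
    return 0;
}
#endif
```

With the search order restricted to System32, a TextShaping.dll planted next to the executable is never consulted; a program that ships its own DLLs beside the .exe would need LOAD_LIBRARY_SEARCH_DEFAULT_DIRS instead, which still excludes the current directory.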

We have sent a second follow up to the ventoy team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the ventoy team. This report is now considered stale. 2 months ago
longpanda validated this vulnerability 2 months ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
longpanda
2 months ago

Maintainer


Can you give a TextShaping.dll for test?

James Yeung
2 months ago

Researcher


https://github.com/jfmaes/CMDLL

You may compile an x86 DLL and name it (it will spawn a cmd.exe as PoC); let me know if you can't do it and I can share the dll with you via email.

longpanda
2 months ago

Maintainer


OK. I got the dll.

longpanda
2 months ago

Maintainer


Please test with this CI release: https://github.com/ventoy/Ventoy/actions/runs/2095286739

James Yeung
2 months ago

Researcher


@maintainer, the issue has been fixed. Thanks!

We have sent a fix follow up to the ventoy team. We will try again in 7 days. 2 months ago
longpanda
2 months ago

Maintainer


The latest Ventoy 1.0.73 release has fixed it. https://github.com/ventoy/Ventoy/releases/tag/v1.0.73

Jamie Slome
2 months ago

Admin


@ventoy - are you able to mark as fixed using the drop-down below?

We have sent a second fix follow up to the ventoy team. We will try again in 10 days. a month ago
We have sent a third and final fix follow up to the ventoy team. This report is now considered stale. a month ago
longpanda confirmed that a fix has been merged on dcc588 a month ago
longpanda has been awarded the fix bounty