Untrusted Search Path in ventoy/ventoy
Mar 8th 2022
A current-working-directory type of DLL hijacking vulnerability is found in all executables in ventoy-1.0.70-windows.zip, including:
Proof of Concept
Step 1: Craft a malicious x86 DLL named "TextShaping.dll" and place it in the same directory as the executable.
Step 2: Double-click the executable.
The malicious DLL is loaded and a cmd shell with admin privileges is spawned, since those executables require admin privileges by design. (The cmd shell appears because the payload in the malicious DLL executes cmd.)
This vulnerability allows an attacker to achieve arbitrary code execution and even privilege escalation.
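As an added defender-side check (not part of the original report or of Ventoy), the following PowerShell script audits an extracted Ventoy directory for a TextShaping.dll planted beside any executable, the load location the report describes. It assumes the archive was extracted to $VentoyDir and that, where the OS ships a legitimate TextShaping.dll, it lives in System32; both are assumptions.

```powershell
# Added example: audit an extracted Ventoy tree for a planted TextShaping.dll.
# Assumptions: $VentoyDir is where ventoy-1.0.70-windows.zip was extracted;
# a legitimate TextShaping.dll, if the OS has one, is in System32.
param(
    [string]$VentoyDir = "$PWD\ventoy-1.0.70",
    [string]$DllName   = "TextShaping.dll"
)

$systemCopy = Join-Path $env:SystemRoot "System32\$DllName"
$systemHash = if (Test-Path $systemCopy) {
    (Get-FileHash $systemCopy -Algorithm SHA256).Hash
} else { $null }

# Every directory holding an .exe is a candidate load location, because the
# loader consults the application directory before System32.
$exeDirs = Get-ChildItem -Path $VentoyDir -Recurse -Filter *.exe |
           Select-Object -ExpandProperty DirectoryName -Unique

foreach ($dir in $exeDirs) {
    $candidate = Join-Path $dir $DllName
    if (-not (Test-Path $candidate)) { continue }

    $hash = (Get-FileHash $candidate -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature $candidate

    $verdict = if ($systemHash -and $hash -eq $systemHash) {
        "identical to System32 copy"
    } elseif ($sig.Status -eq 'Valid' -and
              $sig.SignerCertificate.Subject -like '*Microsoft*') {
        "Microsoft-signed, but unexpected beside a third-party tool"
    } else {
        "UNSIGNED/UNKNOWN - treat as planted; quarantine and investigate"
    }

    [pscustomobject]@{
        Path      = $candidate
        SHA256    = $hash
        Signature = $sig.Status
        Verdict   = $verdict
    }
}
```

Any hit other than an exact match with the System32 copy warrants investigation before the Ventoy executables are run with admin rights. On the vendor side, the standard fix for this class of bug is for the executable to call SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) at startup so that system DLLs are never resolved from the application directory.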