"Dashlane - DLL Hijacking"

Author

Exploit author

SecuriTeam

Platform

Exploit platform

windows

Release date

Exploit published date

2017-08-03

                
                         Download file
                    
## Vulnerability Summary
The following advisory describes a DLL Hijacking vulnerability found in Dashlane.

Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The app’s premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.”

## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

## Vendor response
We have informed Dashlane of the vulnerability, their answer was: “Since there are many ways to load DLLs/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLLl/exe if you are privileged to write in the user %appdata%/…/dashlane directory, we won’t change the current way of loading DLLs in the short term.”

At this time there is no solution or workaround for this vulnerability.

CVE: CVE-2017-11657

## Vulnerability details
When Dashlane starts on a Windows machine it tries to load a DLL (WINHTTP.dll) from the C:\Users\user\AppData\Roaming\Dashlane\ directory, if a malicious attacker puts the DLL in that directory Dashlane will load it and run the code found in it – without giving the user any warning of it.

This happens because:

Dashlane does not provide the file WINHTTP.dll.
Writing in %appdata% doesn’t require any special privileges, the file called WINHTTP.dll can be placed in the path C:\Users\user\AppData\Roaming\Dashlane\.
Since Dashlane can require admin privileges, an attacker can place the nwinhttp.dll and cause script/command execution as the current user (usually admin).

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2018-10-04	"Cisco Prime Infrastructure - Unauthenticated Remote Code Execution"	remote	multiple	SecuriTeam
2018-04-30	"Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free"	dos	linux	SecuriTeam
2018-01-30	"Hotspot Shield - Information Disclosure"	local	windows	SecuriTeam
2018-01-29	"iBall WRA150N - Multiple Vulnerabilities"	webapps	hardware	SecuriTeam
2018-01-24	"Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape"	local	multiple	SecuriTeam
2018-01-15	"GitStack - Remote Code Execution"	webapps	php	SecuriTeam
2018-01-11	"Seagate Personal Cloud - Multiple Vulnerabilities"	remote	hardware	SecuriTeam
2017-12-26	"Trustwave SWG 11.8.0.27 - SSH Unauthorized Access"	remote	linux	SecuriTeam
2017-12-19	"Ichano AtHome IP Cameras - Multiple Vulnerabilities"	remote	hardware	SecuriTeam
2017-12-13	"vBulletin 5 - 'cacheTemplates' Remote Arbitrary File Deletion"	webapps	multiple	SecuriTeam
2017-12-13	"vBulletin 5 - 'routestring' Remote Code Execution"	webapps	multiple	SecuriTeam
2017-12-06	"Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Remote Code Execution"	webapps	hardware	SecuriTeam
2017-11-28	"Synology StorageManager 5.2 - Root Remote Command Execution"	webapps	cgi	SecuriTeam
2017-11-23	"Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation"	local	linux	SecuriTeam
2017-11-21	"DblTek - Multiple Vulnerabilities"	webapps	linux	SecuriTeam
2017-11-07	"Ametys CMS 4.0.2 - Password Reset"	webapps	php	SecuriTeam
2017-11-03	"GraphicsMagick - Memory Disclosure / Heap Overflow"	dos	multiple	SecuriTeam
2017-11-01	"Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution"	remote	linux	SecuriTeam
2017-10-23	"K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read"	dos	windows	SecuriTeam
2017-10-17	"Linux Kernel - 'AF_PACKET' Use-After-Free"	dos	linux	SecuriTeam
2017-10-17	"Linux Kernel - 'AF_PACKET' Use-After-Free"	dos	linux	SecuriTeam
2017-10-16	"Ikraus Anti Virus 2.16.7 - Remote Code Execution"	remote	windows	SecuriTeam
2017-10-13	"FiberHome - Directory Traversal"	webapps	linux	SecuriTeam
2017-10-09	"PHP Melody 2.7.3 - Multiple Vulnerabilities"	webapps	php	SecuriTeam
2017-10-09	"QNAP HelpDesk < 1.1.12 - SQL Injection"	webapps	php	SecuriTeam
2017-09-11	"Hanbanggaoke IP Camera - Arbitrary Password Change"	webapps	hardware	SecuriTeam
2017-09-07	"McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution"	webapps	hardware	SecuriTeam
2017-08-30	"Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service"	dos	php	SecuriTeam
2017-08-03	"Dashlane - DLL Hijacking"	local	windows	SecuriTeam
2017-08-03	"Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure"	webapps	hardware	SecuriTeam

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Dashlane - DLL Hijacking"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.