In a major security concern, researchers from CyFox have unearthed a DLL planting/hijacking vulnerability in the widely used media center application, Stremio. The flaw opens the door for attackers to execute malicious code on the victim’s system, steal sensitive data, and potentially escalate their privileges on the affected system. DLLs play a critical role in Windows and various applications, including Stremio, by allowing shared functions and resource access.
However, this modular approach also introduces risks, and in the case of Stremio for Windows v4.4, attackers can exploit the use of two Windows API functions to plant malicious DLLs in the application directory, leading to unauthorized access and control.
The four vulnerable DLL files identified are SspiCli.dll, RTWorkQ.dll, profapi.dll, and UMPDC.dll. Using Msfvenom, the researchers created a malicious .dll file capable of creating a reverse shell, allowing them to infiltrate the remote target.
Once copied into the Stremio directory under the name UMPDC.dll, the malicious file is loaded and gives the attacker unauthorized access every time the system is powered on, and with escalated privileges if the user runs Stremio with administrator rights. These findings underscore the significance of DLL hijacking vulnerabilities: they let attackers execute arbitrary code with the privileges of the targeted application, or even escalate their access on the system.
CyFox emphasizes the risk posed by an attacker who already has some access to a victim's system: such an attacker can plant the malicious DLL in the software's path and simply wait for the user to run the vulnerable Stremio software. Because the Stremio security team did not respond to multiple attempts to communicate the vulnerability, the vendor has not released a security update to address the issue.
With 90 days having passed since CyFox's first communication, the researchers have published their findings to raise awareness of the DLL planting/hijacking risk and to urge Stremio users to be vigilant and adopt the security measures needed to safeguard their systems from potential attacks.
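A defender-side check for this class of issue, as an added example that is not part of CyFox's report or Stremio's own code: it audits an application install directory (the path below is an assumed placeholder) for the four DLL names reported above and flags any copy that is not Microsoft-signed or that differs from the original in System32, since these system DLLs have no reason to sit beside the application binary.

```powershell
# Added example: audit an application directory for planted copies of the
# DLL names reported as hijackable. $AppDir is an assumed placeholder path.
param(
    [string]$AppDir = "C:\Program Files\Stremio"   # assumption: adjust to the real install path
)

# The four names from the report; all are Windows system DLLs that live in System32.
$SuspectNames = @('SspiCli.dll', 'RTWorkQ.dll', 'profapi.dll', 'UMPDC.dll')

if (-not (Test-Path -LiteralPath $AppDir)) {
    Write-Warning "Directory not found: $AppDir"
    return
}

# The application directory is searched before System32 in the default DLL
# search order, so any copy of these names found here deserves attention.
$hits = Get-ChildItem -LiteralPath $AppDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $SuspectNames -contains $_.Name }

if (-not $hits) {
    Write-Output "No copies of the reported DLL names found under $AppDir"
    return
}

$results = foreach ($file in $hits) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Compare against the legitimate copy shipped with Windows, if present.
    $sysCopy = Join-Path $env:SystemRoot ("System32\" + $file.Name)
    $matchesSystem32 = (Test-Path -LiteralPath $sysCopy) -and
        ((Get-FileHash -LiteralPath $file.FullName).Hash -eq (Get-FileHash -LiteralPath $sysCopy).Hash)

    $verdict = if ($sig.Status -ne 'Valid' -or $signer -notlike '*Microsoft*') {
        'SUSPECT: not Microsoft-signed, likely planted'
    } elseif (-not $matchesSystem32) {
        'REVIEW: Microsoft-signed but differs from System32 copy'
    } else {
        'REVIEW: identical to System32 copy, should not be needed here'
    }

    [pscustomobject]@{
        Path            = $file.FullName
        SignatureStatus = $sig.Status
        Signer          = $signer
        MatchesSystem32 = $matchesSystem32
        Verdict         = $verdict
    }
}

$results | Format-Table -AutoSize
```

Any entry flagged SUSPECT should be preserved for analysis rather than simply deleted, and the same check can be pointed at any other application directory by changing $AppDir.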