i Dll Hijacking with WPF applications on Windows 10 – All things in moderation

Dll Hijacking with WPF applications on Windows 10

Hi everyone. In the time of Covid-19, we have nothing to do but research and self growth. After thinking for a while, we think finding software vulnerabilities that could take us a lot of time so we do that. But it’s really a kind of interesting if you like it.

We are going to start with some old techniques and let’s see it gonna do.

What is Dll Hijacking?

When we start an application in Windows environments, our system looks for its DLL and load them. However if these DLL’s don’t exist or are run in an insecure way (without using a fully qualified path) then we could escalate privileges by force the application to load and execute a malicious DLL file.

We should be noted that when an application needs to load a DLL it will go through the following order:

The application is loaded in order:

C:\Windows\System32
C:\Windows\System
C:\Windows
The current working directory
Directories in the system PATH environment variable
Directories in the user PATH environment variable

WPF Applications

Windows Presentation Foundation (WPF) is a UI framework that creates desktop client applications. The WPF development platform supports a broad set of application development features, including an application model, resources, controls, graphics, layout, data binding, documents, and security. The framework is part of .NET, so if you have previously built applications with .NET using ASP.NET or Windows Forms, the programming experience should be familiar. WPF uses the Extensible Application Markup Language (XAML) to provide a declarative model for application programming ( From Microsoft . :D)

It means we have the wide range of attacks if we could exploit this application.

Scenario

  1. Using Microsoft Windows 10
  2. Using Intel CPU and have installed Intel® Graphics – Windows® 10 DCH Drivers. This driver is auto-install in Windows 10 (1709), (1803), (1809) and newer versions.

Our tested OS: Windows 10-64 Professional Build 18363 lasted update (December 2019)
Intel Graphic Driver: 26.20.100.7262

Last tested time: 4:47 AM, 6 May 2020
CPU: Intel i5-7400
Version tested: Intel(R) HD Graphics 630 Driver Version 26.20.100.7262

Analysis

When I was monitoring another target with Procmon.exe, I found a dll file named igdgmm32.dll was being called by many application but almost was not found.

wpf_exploit

After a while searching that name, I found that igdgmm32.dll is a part of of OpenCL™ Runtimes for Intel® Processors in Intel® Graphics – Windows® 10 DCH Drivers.

Open stack view in ProcMon.exe, it seems like igdgmm32.dll is loaded because of function WgxConnection_Create in wpfgfx_v0400.dll uses graphic libraries.

wpf_exploit

wpfgfx_v0400.dll is a part of Windows Presentation Foundation (WPF), a graphical subsystem uses graphic libraries to render graphic interface, and and in my case, Intel i5 7400 GPU, those libraries are belong to Intel® Graphics – Windows® 10 DCH Drivers.

Intel® Graphics – Windows® 10 DCH Drivers does not use C:\Windows\system32 folder like previous versions but C:\Windows\system32\DriverStore, while %User_Profile%\AppData\Local\Microsoft\WindowsApps is added by default, and this leads to idgdmm32.dll is found in WindowsApps before in DriverStore.

Now, all I need to do is making a payload Dll looks like igdgmm32.dll in WindowsApps folder to exploit any WPF applications.

Download link Git: https://github.com/hydrasky-team/dll_hijacking_wpf_app

Until now, that vulnerability is unfixed when I write this article.

PoC Video

 

Leave a Reply