Yaniv Azran and Idan Malihi, security researchers at CyFox XDR, discovered a DLL planting vulnerability in Stremio 4.4, the versatile software platform for streaming movies and TV shows. With more than 5 million users, the impact of the vulnerability is significant. DLL hijacking allows attackers to execute arbitrary code with the privileges of the targeted application or to escalate their privileges on the system. The vulnerability can lead to remote code execution, privilege escalation, information theft, and system compromise. Attackers could exploit it to gain unauthorized access, steal sensitive data, and potentially compromise the entire system or network.
About Stremio:
Stremio is a versatile software platform that offers users an all-in-one solution for streaming and organizing their favorite movies, TV shows, and video content. Functioning as a centralized hub, it seamlessly grants access to an array of media sources, including well-known streaming services such as Netflix, Amazon Prime Video, and others.
Stremio’s ability to effortlessly unify browsing, searching, and content discovery across multiple platforms within a single interface sets it apart. It excels in aggregating content from multiple sources into a personalized library. Users can create collections and playlists for quick access to their favorite movies and TV shows. Moreover, its recommendation system analyzes viewing history and preferences to suggest new and captivating titles, enriching the discovery experience.
Furthermore, Stremio ensures a smooth and reliable streaming experience with high-quality playback across various devices, such as computers, smartphones, tablets, and smart TVs. Its user-friendly interface and intuitive navigation simplify the streaming process, offering a convenient all-in-one solution for enjoying favorite entertainment content from multiple sources.
Explanation of DLL files
DLL stands for Dynamic Link Library, a file format containing functions, data, and resources that can be dynamically linked and shared by multiple programs concurrently. DLL files are crucial to Windows and to many applications: they enable a modular approach to software development and encourage code reuse.
DLLs serve multiple purposes in the Windows OS. They house standard functions shared by various applications, preventing code duplication and reducing executable file size. Moreover, DLLs grant access to system resources such as device drivers, graphics processing, and networking. This modular approach optimizes memory management by loading DLLs into memory only when necessary, minimizing the memory footprint of running applications.
Explanation of LoadLibraryA function
The LoadLibraryA function in the Windows API lets developers load a DLL into a program’s memory at runtime. The “A” denotes its use of ANSI character strings. Given the DLL’s file name or path as a parameter, the function searches for the DLL and loads it into the calling process’s memory space. It returns a handle to the loaded DLL, granting access to its exported functions, data, and resources.
Explanation of LoadLibraryExA function
The LoadLibraryExA function is an extended version of LoadLibraryA in the Windows API, likewise using ANSI character strings. It offers additional options and flags for advanced loading scenarios, letting developers control the DLL’s loading behavior.
The LoadLibraryExA function offers increased flexibility and customization for loading DLLs. Developers can fine-tune the process, specify loading flags for specific requirements, and control DLL file search behavior. This is particularly valuable in complex scenarios or when accessing DLLs with specific purposes beyond standard executable modules.
Differences between LoadLibraryA and LoadLibraryExA
LoadLibraryA and LoadLibraryExA, both in the Windows API, load DLLs into a program’s memory during runtime. Yet, they differ in significant ways:
Explanation of Application Directory (App Dir) DLL planting
The application directory houses an application’s non-system DLLs, which are presumed trustworthy and protected by the directory’s ACLs (Access Control Lists). Files in the installation directory are considered reliable because they are part of the application’s code-related artifacts.
A malicious actor could build a DLL carrying ransomware and use it to compromise the entire internal network.
The Stremio’s installation location is: “C:\Users\%username%\AppData\Local\Programs\LNV\Stremio-4”
Administrative access is not necessary to modify anything within this directory. However, if a regular user without admin permission is deceived or socially engineered to place DLLs in an untrusted location, the situation becomes concerning, as they could also be manipulated to perform more harmful actions.
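The following is an added illustration, not code from the write-up or from Stremio, of why the two points above matter together: under LoadLibraryA’s default search the application directory is consulted before System32, so a per-user install directory that the user can write to is exactly where a planted DLL wins, while LoadLibraryExA with LOAD_LIBRARY_SEARCH_SYSTEM32 (or an absolute path) skips the application directory entirely. It models the documented Windows search order in plain Python rather than calling the Windows API; the user name “alice” and the file sets are constructed, and the model omits the 16-bit system directory and the KnownDLLs list.

```python
from pathlib import PureWindowsPath

# Flag value from the Windows SDK (libloaderapi.h).
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"

# Per-user install path from the write-up; the user name is constructed.
APP_DIR = r"C:\Users\alice\AppData\Local\Programs\LNV\Stremio-4"

# Constructed file systems: a clean machine, and one where a DLL with the
# same name as a system DLL has been dropped into the app directory.
CLEAN_SYSTEM = {rf"{SYSTEM32}\umpdc.dll"}
PLANTED_SYSTEM = CLEAN_SYSTEM | {rf"{APP_DIR}\umpdc.dll"}


def resolve_dll(name, present, app_dir, flags=0,
                cwd=r"C:\Users\alice", path_dirs=()):
    """Return the full path the loader would pick for `name`, or None.

    `present` is the set of files that exist (compared case-insensitively,
    as NTFS does). Models SafeDllSearchMode, the Windows default:
    app dir, System32, Windows dir, current dir, then PATH. The 16-bit
    system directory and the KnownDLLs list are omitted from the model.
    """
    present = {p.lower() for p in present}

    # An absolute path is loaded as given; no directory search happens.
    if PureWindowsPath(name).is_absolute():
        return name if name.lower() in present else None

    if flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
        # LoadLibraryExA restricted to System32: app dir is never consulted.
        candidates = [SYSTEM32]
    else:
        # LoadLibraryA / LoadLibraryExA with no search flags.
        candidates = [app_dir, SYSTEM32, WINDOWS, cwd, *path_dirs]

    for directory in candidates:
        candidate = str(PureWindowsPath(directory) / name)
        if candidate.lower() in present:
            return candidate
    return None


def planting_succeeds(name, present, app_dir, flags=0):
    """True if the copy that gets loaded lives in the (user-writable) app dir."""
    chosen = resolve_dll(name, present, app_dir, flags)
    return chosen is not None and chosen.lower().startswith(app_dir.lower() + "\\")


if __name__ == "__main__":
    print("clean, default search   :", resolve_dll("umpdc.dll", CLEAN_SYSTEM, APP_DIR))
    print("planted, default search :", resolve_dll("umpdc.dll", PLANTED_SYSTEM, APP_DIR))
    print("planted, SEARCH_SYSTEM32:", resolve_dll("umpdc.dll", PLANTED_SYSTEM, APP_DIR,
                                                    LOAD_LIBRARY_SEARCH_SYSTEM32))
    print("planted, absolute path  :", resolve_dll(rf"{SYSTEM32}\umpdc.dll", PLANTED_SYSTEM, APP_DIR))
```

The clean run resolves to System32 only because nothing named umpdc.dll sits in the application directory; the planted run shows the application-directory copy shadowing it, and the two mitigated calls show that the fix belongs in how the application loads its DLLs, not in the directory ACL, because that ACL is the user’s own.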
Steps to reproduce
We utilized Microsoft’s Sysinternals tool, Procmon.exe, to monitor the software’s execution flow. Capturing all processes running on Windows when launching Stremio, we applied the following filters:
We observed three paths from which Stremio retrieves DLL files:
We refrained from tampering with the original Windows paths, such as System32 and SysWOW64. Instead, we meticulously inspected each DLL file the program acquired from the LNV\Stremio-4 path, as it does not require elevated permissions.
After thoroughly researching the DLL files that the program attempts to load but does not find, we identified four vulnerable DLL files:
As researchers, we leveraged msfvenom to produce a malicious .dll file, enabling us to attain a reverse shell on the remote target.
Once the malicious .dll file was successfully transferred to the remote target, we renamed it to UMPDC.dll and placed it inside the directory C:\Users\%username%\AppData\Local\Programs\LNV\Stremio-4\.
Upon running the program, we successfully obtained a reverse shell.
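The discovery step above, a Procmon capture filtered for DLL loads that fail in a directory the user can write to, can be triaged automatically. The script below is an added example and is not the researchers’ tooling: it reads a Procmon CSV export (File > Save as CSV; the column names match that export, the rows here are constructed) and reports every .dll that the target process looked for but did not find inside a user profile, which is where a per-user install such as Stremio’s lives. The writability test is a path heuristic; a real audit would read the directory ACL.

```python
import csv
import io

# Constructed Procmon CSV export. Header columns follow Procmon's CSV format;
# every row is invented for this example (user name "alice", PID 4120).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","stremio.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.2","stremio.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Programs\\LNV\\Stremio-4\\UMPDC.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","stremio.exe","4120","CreateFile","C:\\Windows\\System32\\UMPDC.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.4","stremio.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Programs\\LNV\\Stremio-4\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.5","stremio.exe","4120","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","stremio.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Programs\\LNV\\Stremio-4\\UMPDC.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory"
"10:01:02.7","explorer.exe","1337","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def is_user_writable(path):
    """Heuristic: files under a user profile are writable by that user.

    This covers per-user installs such as %LOCALAPPDATA%\\Programs. Paths
    under C:\\Windows are deliberately excluded: writing there needs admin
    rights, so a missing DLL there is not plantable by a standard user.
    """
    return path.lower().startswith("c:\\users\\")


def find_plantable_dlls(csv_text, process_name="stremio.exe"):
    """Return (dll name, directory) pairs, first-seen order, deduplicated.

    A hit is a CreateFile by `process_name` on a *.dll path that ended in
    NAME NOT FOUND inside a user-writable directory: the loader looked there
    first and would accept a file dropped at that path.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not is_user_writable(path):
            continue
        directory, _, name = path.rpartition("\\")
        hits[(name, directory)] = None   # dict keeps insertion order
    return list(hits)


if __name__ == "__main__":
    for name, directory in find_plantable_dlls(SAMPLE_CSV):
        print(f"{name:<12} looked up but missing in {directory}")
```

On the sample, only UMPDC.dll in the Stremio-4 directory is reported: the System32 miss needs admin rights to exploit, settings.ini is not a library, and the explorer.exe row belongs to another process. Apply the same filter to a real export to get the short list worth checking against the directory’s ACL.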
What attackers can do with this DLL hijacking vulnerability in Stremio
DLL hijacking vulnerabilities present a significant risk, as they enable attackers to execute arbitrary code with the privileges of the targeted application or even escalate their privileges on the system. Below are a few examples of what attackers can achieve through DLL hijacking: