Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

You don't get the worst part: unsuccessful exploitation also leads to
code execution.
Scary stuff.

On 09/02/2011 05:05 PM, Mario Vilas wrote:
Are you guys seriously reporting that double clicking on a malicious .vbs
file could lead to remote code execution? :P

Either I'm missing something (and I'd welcome a rebuttal here!) or you might
as well add .exe to that list. All those extensions are already executable.

On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs <cybseclabs@xxxxxxxxxx> wrote:

Advisory Name: Windows Script Host DLL Hijacking

Internal Cybsec Advisory Id:
2011-0901-Windows Script Host DLL Hijacking

Vulnerability Class:
Remote Command Execution Vulnerability

Release Date:
September 2, 2011

Affected Applications:
Windows Script Host v5.6; other versions may also be affected

Affected Platforms:
Any running Windows Script Host v5.6

Local / Remote:
Remote / Local

High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Juan Manuel Garcia

Vendor Status:

Reference to Vulnerability Disclosure Policy

Vulnerability Description:

DLL Hijacking takes advantage of the way an application dynamically

loads dll libraries without specifying a fully qualified path. This is

usually done invoking the LoadLibrary and LoadLibraryEx functions to

dynamically load DLLs.

In order to exploit this vulnerability a user must open a file with an

extension associated to the vulnerable application. A malicious dll,

named exactly as a dll the apllications loads using the vulnerable

function, must be placed in the same directory as the opened file.

The application will then load the malicious dll instead of the

original, thus executing the malicious code.

The following application loads external libraries following an
insufficiently qualified path.

Application: wscript.exe

Extensions: js, jse, vbe, vbs, wsf, wsh

Library: wshesn.dll


Option 1 - Using the “msfpayload” Metasploit module as shown below:

msfpayload windows/exec CMD=calc.exe D > exploit.dll

Option 2 - Using the “webdav_dll_hijacker” Metasploit module.


A successful exploit of this vulnerability leads to arbitrary code

Vendor Response:

2011/08/09 – Vulnerability was identified.

2011/08/19 – Cybsec sent detailed information on the issue and a Proof of

2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on
ongoing investigations”.

2011/08/19 – Vendor was informed that the security advisory would be
published after 15 days.

2011/09/02 – Vulnerability was released.

Contact Information:

For more information regarding the vulnerability feel free to contact the
researcher at

jmgarcia <at> cybsec <dot> com

About CYBSEC S.A. Security Systems

Since 1996,
CYBSEC is engaged exclusively in rendering professional services
specialized in

Information Security. Their area of services covers Latin America, Spain
and over 250 customers are a

proof of their professional life.

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
associated with other

software and/or hardware provider companies.

Our services are strictly focused on Information Security, protecting our
clients from emerging security

threats, maintaining their IT deployments available, safe, and reliable.

Beyond professional services, CYBSEC is continuously researching new
defense and attack techniques

and contributing with the security community with high quality information

For more information, please visit

(c) 2011 - CYBSEC S.A. Security Systems

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages