[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Evernote for Windows DLL Loading Remote Code Execution Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Evernote for Windows DLL Loading Remote Code Execution Vulnerability
From: mehta.himanshu21@xxxxxxxxx
Date: Fri, 14 Oct 2016 12:28:34 GMT

Aloha,

Summary
Evernote contains a DLL hijacking vulnerability that could allow an 
unauthenticated, remote attacker to execute arbitrary code on the targeted 
system. The vulnerability exists due to some DLL file is loaded by 
'Evernote_6.1.2.2292.exe' improperly. And it allows an attacker to load this 
DLL file of the attacker?s choosing that could execute arbitrary code without 
the user's knowledge.

Affected Product:
Evernote 6.1.2.2292

Fixed in: Evernote for Windows 6.3 
WINNOTE-15637 https://evernote.com/security/updates/

Tested on: Windows 7

Impact
Attacker can exploit this vulnerability to load a DLL file of the attacker's 
choosing that could execute arbitrary code. This may help attacker to 
Successful exploit the system if user creates shell as a DLL.

Vulnerability Scoring Details
The vulnerability classification has been performed by using the CVSSv2 scoring 
system (http://www.first.org/cvss/).
Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Create a malicious 'dwmapi.dll' or 'ntmarta.dll' file and save it in your 
"Downloads" directory.

2. Download 'Evernote_6.1.2.2292.exe' from and save it in your "Downloads" 
directory.

3. Execute .exe from your "Downloads" directory.

4. Malicious dll file gets executed.

Chao!!
Himanshu Mehta

Prev by Date: [security bulletin] HPSBNS03661 rev.1 - NonStop Backbox, Remote Disclosure of Information
Next by Date: [SECURITY] [DSA 3693-1] libgd2 security update
Previous by thread: [security bulletin] HPSBNS03661 rev.1 - NonStop Backbox, Remote Disclosure of Information
Next by thread: [SECURITY] [DSA 3693-1] libgd2 security update
Index(es):
- Date
- Thread