{"id":1768,"date":"2025-02-05T10:03:35","date_gmt":"2025-02-05T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/05\/0-day-vulnerabilities-in-microsoft-sysinternals-tools-allow-attackers-to-launch-dll-injection-attacks-on-windows\/"},"modified":"2025-02-05T10:03:35","modified_gmt":"2025-02-05T10:03:35","slug":"0-day-vulnerabilities-in-microsoft-sysinternals-tools-allow-attackers-to-launch-dll-injection-attacks-on-windows","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/05\/0-day-vulnerabilities-in-microsoft-sysinternals-tools-allow-attackers-to-launch-dll-injection-attacks-on-windows\/","title":{"rendered":"0-Day Vulnerabilities in Microsoft Sysinternals Tools\u00a0Allow Attackers To Launch DLL Injection Attacks on Windows"},"content":{"rendered":"<div>\n<p>A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, presenting a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.<\/p>\n<p>The finding, which outlines how attackers can exploit <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/001\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">DLL injection techniques<\/a> to execute malicious code, has been meticulously researched, verified, and demonstrated in a detailed video presentation.<\/p>\n<p>Despite disclosure to Microsoft over 90 days ago, the vulnerability remains unresolved.<\/p>\n<p>The Sysinternals tools, developed by Microsoft, are a widely used suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 
Popular tools in the collection include <strong>Process Explorer<\/strong>, <strong>Autoruns<\/strong>, and <strong>Bginfo<\/strong>.<\/p>\n<p>While these tools are indispensable for IT administration and <a href=\"https:\/\/cybersecuritynews.com\/malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">malware analysis<\/a>, their lack of integration with the Windows Update system poses a unique challenge.<\/p>\n<p>Security patches and updates for the tools must be manually managed by administrators, leaving room for potential risks when vulnerabilities arise.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Vulnerability Details: DLL Injection Exploit<\/strong><\/h2>\n<p>The discovered vulnerability stems from how Sysinternals tools load DLL files. Specifically, many of these applications prioritize untrusted paths, such as the current working directory (CWD) or network paths, over secure system directories when loading DLLs.<\/p>\n<p>This oversight allows attackers to replace legitimate DLLs with malicious ones, enabling the execution of arbitrary code.<\/p>\n<p>The mechanics of the attack are relatively straightforward:<\/p>\n<ol class=\"wp-block-list\">\n<li>The attacker crafts a malicious DLL, such as <code>cryptbase.dll<\/code> or <code>TextShaping.dll<\/code>, embedding harmful payloads.<\/li>\n<li>The malicious DLL is placed in the same directory as the legitimate Sysinternals executable (e.g., <code>Bginfo.exe<\/code>).<\/li>\n<li>When the user executes the application from this directory, the malicious DLL is loaded instead of the trusted system DLL.<\/li>\n<li>The attacker\u2019s code executes under the user\u2019s privileges, potentially leading to full system compromise.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\"><strong>Real-World Example: Trojan Deployment via Bginfo<\/strong><\/h2>\n<p>The vulnerability\u2019s practical impact was demonstrated using the Bginfo tool, a utility frequently deployed in enterprise environments to 
display system information on user desktops. <\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"youtube-embed\" data-video_id=\"Hg81N0HAgCg\"><iframe loading=\"lazy\" title=\"\ud83d\udea8 Zero-Day-Schwachstelle in den Microsoft Sysinternals-Tools! \ud83d\udea8 (#020)\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/Hg81N0HAgCg?feature=oembed&amp;enablejsapi=1\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/div>\n<\/figure>\n<p>In a simulated attack scenario, an attacker places a malicious DLL file in the same network directory as the legitimate <code>Bginfo.exe<\/code>. <\/p>\n<p>During system boot, a startup script executes the <code>Bginfo<\/code> tool directly from this shared network location. <\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlUGWVpg2dMJX0M-M1jtrmySNXqqQP4yns-skZeoKdlKI-J-1wrw5ZXRtjz4oQjMG3LZgg8mntLDLq8BHjIle_buUJ1YxNA7QuK2SigyvQPj6fHRGFc1Hj0-Ov0Jjwukq2d_y9pPHLAcpCG-hEMV80-LQv6xgon98JWjqPhOEJnnlsdqLuJPP7QreGOC0R\/s16000\/Screenshot-27.01.2025-um-17.52.10-PM.png?ssl=1\" alt=\"\"><\/figure>\n<p>As a result, the tool inadvertently loads the malicious DLL instead of the trusted one, enabling the automatic deployment of a Trojan or other malware across multiple client systems. <\/p>\n<p>\u201cHowever, if the network path is provided with a prepared DLL, each client can be automatically compromised during the startup process. 
In this case, the Bginfo tool is loaded from the network drive and the Meterpreter is loaded and started from the DLL,\u201d the researcher <strong><a href=\"https:\/\/www.foto-video-it.de\/2025\/allgemein\/disclosure-sysinternals\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">stated<\/a><\/strong> in his technical writeup.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhPrkwQyzG_ZJ0qeaOnv2GzXrTFmabiyDe0S8Rf_qdWaFjdJkRDW8xS3TTcGYEWso6qZdxJCLY8rZ4V-kJaErXzeL5QWiHt3DABXZUCznLJDBy5EIazpQirDDl1u4bdxL9CAUCsYPyeLuo-35QqY07xai3mfUAUCcMJ3-Ji8T5sP253PKrmX-Uv-g6Hr9Is\/s16000\/SYSTOOLS.png?ssl=1\" alt=\"\"><\/figure>\n<p>This example underscores the severe risk posed by this vulnerability, particularly in environments that rely on executing Sysinternals tools from network-based paths.<\/p>\n<p>The vulnerability affects a wide range of Sysinternals applications, including but not limited to:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Process Explorer<\/strong> (<code>procexp.exe<\/code>, <code>procexp64.exe<\/code>)<\/li>\n<li>\n<strong>Autoruns<\/strong> (<code>autoruns.exe<\/code>, <code>autoruns64.exe<\/code>)<\/li>\n<li>\n<strong>Bginfo<\/strong> (<code>bginfo.exe<\/code>, <code>bginfo64.exe<\/code>)<\/li>\n<\/ul>\n<p>A comprehensive list of vulnerable tools is available in an associated test sheet provided by the researcher.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Communication with Microsoft and Unresolved Status<\/strong><\/h2>\n<p>The vulnerability was responsibly disclosed to Microsoft on October 28, 2024, following standard industry practices. However, Microsoft classified the issue as a \u201cdefense-in-depth\u201d enhancement rather than a critical vulnerability. 
<\/p>\n<p>This classification implies that the problem is addressed within the application\u2019s secure usage best practices and not as a fundamental security flaw.<\/p>\n<p>Microsoft\u2019s view focuses on executable files being run from local program directories, whereas the researcher highlights the dangers of using network drives, where the network location acts as the CWD for the application.<\/p>\n<p>The researcher has pointed out inconsistencies in Microsoft\u2019s stance when measured against Microsoft\u2019s own guidelines for handling DLL vulnerabilities.<\/p>\n<p>As of the latest Sysinternals blog update from December 2024, the vulnerability remains unpatched, leaving users reliant on workarounds to mitigate risks.<\/p>\n<p>Until Microsoft addresses this vulnerability, administrators and users can take several precautionary steps to reduce exposure to these attacks:<\/p>\n<ol class=\"wp-block-list\">\n<li>\n<strong>Avoid Running Tools from Network Locations<\/strong>: Always copy Sysinternals executables to local paths before execution.<\/li>\n<li>\n<strong>Verify DLL Integrity<\/strong>: Employ security solutions to load only trusted DLLs.<\/li>\n<li>\n<strong>Audit Your Environment<\/strong>: Use the provided test sheet to identify tools vulnerable to DLL injection and take the necessary safeguards.<\/li>\n<\/ol>\n<p>Sysinternals tools are commonly used for malware analysis. Tools like <strong>Process Explorer<\/strong> help identify potentially malicious DLLs loaded by applications. 
However, the irony is that Sysinternals tools themselves are vulnerable to DLL injection, raising questions about their overall security and robustness.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/0-day-vulnerabilities-in-microsoft-sysinternals-tools\/\">0-Day Vulnerabilities in Microsoft Sysinternals Tools\u00a0Allow Attackers To Launch DLL Injection Attacks on Windows<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Balaji N<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, presenting a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting. 
This vulnerability, outlining how attackers can exploit DLL injection [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,395],"tags":[130],"class_list":["post-1768","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1768"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1768"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1768\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}