- Sep 5, 2017
Malwarebytes has released AdwCleaner 8.0.1 and in addition to various improvements to the tool's scanning engine, it also fixes a DLL hijacking vulnerability.
The AdwCleaner malware and adware cleaning program has had a DLL Hijacking vulnerability in versions older than 8.0.1, which was released yesterday.
For those not familiar with a DLL hijack vulnerability, it is important to give a little background on how DLLs are loaded by programs.
When a program starts it will load various DLLs that it needs to operate. If the developer did not specify the path to the DLL, the program will attempt to load the DLL from the current directory, and if it does not exist, it will check other folders in the user's path.
This allows an attacker or malware to create a malicious DLL with the same name as one that AdwCleaner normally loads. This malicious DLL is then stored an accessible folder in your path.
When AdwCleaner is launched it will attempt to load the required DLLs, including the malicious DLL. As AdwCleaner runs with Administrative privileges, this means that the malicious DLL will be executed with elevated privileges and can run malicious commands as an administrator.
Below you can see an example of the DLL Hijacking vulnerability being exploited using the Sentinel Vulnerability and Exploit Detector tool.
AdwCleaner DLL Hijacking
This vulnerability was discovered by Günter Born who disclosed it to Malwarebytes on December 10th, 2019.
Jérôme B, the developer of AdwCleaner, told BleepingComputer that this vulnerability was fixed by enforcing the loading paths to the DLLs.
"Yes, we didn't properly enforce the loading path for DLLs, so unprivileged users could add a specially crafted one and get privesc."
Other changes in AdwCleaner 8.0.1
While the DLL Hijacking vulnerability fix is definitely welcome, it is not the only improvement in this version.
With this release, AdwCleaner 8.0.1 once again has a Firefox cleaning module that can be used to scan for and remove malicious Firefox extensions, search engines, start pages, and preferences.
The full changelog for AdwCleaner 8.0.1 can be read below:
- Re-Implement Firefox module. It now properly support detecting and removing extensions, startpage, sear chengines, preferences...
- Hide debug output
- Update telemetry internals.
- Update definitions to 2019.12.17.1
- Fix a DLL Hijacking vulnerability in AdwCleaner 7.0+, reported by Günter Born