Idan Malihi

Security Researcher

Stremio 4.4: Application Directory DLL Planting

Yaniv Azran and Idan Malihi, security researchers at CyFox XDR, discovered a dll planting vulnerability in Stremio 4.4, the versatile software platform for streaming movies and TV shows. With more than 5 million users, the vulnerability is significant. DLL hijacking allows attackers to execute arbitrary code with the privileges of the targeted application or escalate their privileges on the system. The vulnerability can lead to remote code execution, privilege escalation, information theft, and system compromise. Attackers could exploit the vulnerability to gain unauthorized access, steal sensitive data, and potentially compromise the entire system or network.

About Stremio

Stremio is a versatile software platform that offers users an all-in-one solution for streaming and organizing their favorite movies, TV shows, and video content. Functioning as a centralized hub, it seamlessly grants access to an array of media sources, including well-known streaming services such as Netflix, Amazon Prime Video, and others.

Stremio’s ability to effortlessly unify browsing, searching, and content discovery across multiple platforms within a single interface sets it apart. It excels in aggregating content from multiple sources into a personalized library. Users can create collections and playlists for quick access to their favorite movies and TV shows. Moreover, its recommendation system analyzes viewing history and preferences to suggest new and captivating titles, enriching the discovery experience.

Furthermore, Stremio ensures a smooth and reliable streaming experience with high-quality playback across various devices, such as computers, smartphones, tablets, and smart TVs. Its user-friendly interface and intuitive navigation simplify the streaming process, offering a conventional all-in-one solution for enjoying favorite entertainment content from multiple sources.

Explanation of DLL files

DLL stands for Dynamic Link Library, a file format with functions, data, and resources that can be dynamically linked and shared by multiple programs concurrently. DLL files are Crucial to Windows and many applications. They enable a modular approach to software development and encourage code reuse.

DLLs have multiple purposes in WindowsOS. They house standard functions shared by various applications, preventing code duplication and reducing executable file size. Moreover, DLLs grant access to system resources like device divers, graphics processing, and networking. This modular approach optimizes memory management by loading DLLs into memory when necessary, minimizing the memory footprint of running applications.

DLLs serve various purposes in the Windows OS.

Explanation of LoadLibraryA function

The LoadLibraryA function in the Windows API lets developers load a DLL into a program’s memory at runtime. The “A” denotes its use of ANSI character strings. By providing the DLL’s file name or path as a parameter, the function searches for and loads the DLL into the calling process’s memory space. It returns a handle to the loaded DLL, granting access to its exported functions, data, and resources.

Explanation of LoadLibraryExA function

The LoadLibraryExA function is an extended version of the LoadLibraryA in the Windows API, using ANSI character strings. It offers additional options and flags for advanced loading scenarios, letting developers control the DLL’s loading behavior.

The LoadLibraryExA function offers increased flexibility and customization for loading DLLs. Developers can fine-tune the process, specify loading flags for specific requirements, and control DLL file search behavior. This is particularly valuable in complex scenarios or when accessing DLLs with specific purposes beyond standard executable modules.

Differences between LoadLibraryA and LoadLibraryExA

LoadLibraryA and LoadLibraryExA, both in the Windows API, load DLLs into a program’s memory during runtime. Yet, they differ in significant ways:

  • Flexibility and Control: LoadLibraryA is an essential function that loads DLLs with default options and search behavior. In contrast, LoadLibraryExA offers greater flexibility by enabling developers to customize the loading process with various flags.
     For example, you can load a DLL as a data file (LOAD_LIBRARY_AS_DATAFILE flag) or control the search behavior for DLL files using the LOAD_LIBRARY_SEARCH_* flags.

  • Search Behaviour: LoadLibraryA adheres to the standard DLL search order, encompassing the application directory and system directories. In contrast, LoadLibraryExA grants developers the ability to modify the search behavior. By specifying different flags, you can include different directories in the search order to execute specific ones, providing greater control over the DLL files you with to load.

Explanation of Application Directory (App Dir) DLL planting

The application directory houses an application’s non-system DLLs, which are presumed trustworthy and protected by directory ACL (Access Control Lists) security control. Files in the installation directory are considered reliable as they are part of the application’s code-related artifacts.

A malicious actor can program a dll file with ransomware and do an internal defacement to the entire network.

The Stremio’s installation location is: “C:\Users\%username%\AppData\Local\Programs\LNV\Stremio-4”

Administrative access is not necessary to modify anything within this directory. However, if a regular user without admin permission is deceived or socially engineered to place DLLs in an untrusted location, the situation becomes concerning, as they could also be manipulated to perform more harmful actions.

Steps to reproduce

We utilized Microsoft’s Sysinternals tool, Procmon.exe, to monitor the software’s execution flow. Capturing all processes running on Windows when launching Stremio, we applied the following filters:

  1. Process Name is: Stremio.exe
  2. Path ends with .dll
  3. Result is: NAME NOT FOUND

We observed three paths from which Stremio retrieves DLL files:

  1. C:\Windows\System32\
  2. C:\Windows\SysWOW64
  3. C:\Users\%username%\AppData\Local\Programs\LNV\

We refrained from tampering with the original Windows paths, such as System32 and SysWOW64. Instead, we meticulously inspected each DLL file the program acquired from the LNV\Stremio-4 path, as it does not require elevated permissions.

After conducting thorough research on the DLL files, the program attempts to call but doesn’t find them. We discovered four vulnerable DLL files:

  1. SspiCli.dll
  2. RTWorkQ.dll
  3. profapi.dll
  4. UMPDC.dll

As researchers, we leveraged msfvenom to produce a malicious .dll file, enabling us to attain a reverse shell on the remote target.

Once the malicious .dll file was successfully transferred to the remote target, we renamed it to UMPDC.dll and placed it inside the directory: C:\Users\%username%\Local\Programs\LNV\Stremio-4\ path.

Upon running the program, we successfully obtained a reverse shell.

What can attackers do in this DLL Hijacking vulnerability in Stremio

DLL hijacking vulnerabilities present a significant risk, as they enable attackers to execute arbitrary code with the privileges of the targeted application or even escalate their privileges on the system. Below are a few examples of what attackers can achieve through DLL hijacking:

  1. Remote Code Execution: Through DLL hijacking, attackers can exploit vulnerabilities to substitute a legitimate DLL with a malicious one. When the targeted application loads the DLL, it inadvertently executes the attacker’s code, granting them remote code execution capabilities. This can lead to unauthorized access, data theft, or the installation of additional malware on the system.

  2. Privilege Escalation: DLL hijacking can also lead to privilege escalation.
     If an application with elevated privileges loads a DLL using a vulnerable search order or from an untrusted location, attackers can replace the DLL and execute code with elevated privileges. This could bypass security controls, grant administrative access, and enable unauthorized actions on the system.

  3. Information Theft: DLL hijacking can be exploited for stealing sensitive information. Attackers can replace a legitimate DLL, allowing them to intercept and manipulate data passing through the hijacked DLL. This may involve capturing login credentials, blocking network traffic, or gaining access to confidential data stored by the application.

  4. System Compromise: A DLL hijacking vulnerability can serve as a gateway to broader system compromise. Attackers can utilize the initial access obtained through DLL hijacking to execute lateral movement, escalate privileges, or establish persistent backdoors. This enables them to retain control over the compromised system and potentially extend their reach to other systems within the network.

Keep Posted with the Latest Research Articles