Wondershare Filmora Trojan DLL Hijacking Privilege Escalation Vulnerability

A Trojan DLL hijacking vulnerability has been identified in Wondershare Filmora versions prior to 9.2.11, allowing for privilege escalation. The vulnerability arises because the application improperly searches for DLLs in multiple locations, including user-writable directories. An attacker with local access can exploit this by placing a malicious DLL, named uuid.dll, in a specific directory. When Filmora is launched, it loads the malicious DLL, executing the attacker's code with elevated privileges.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with elevated privileges.

Reproduction

The vulnerability can be reproduced by first identifying the DLL load path using Process Monitor to confirm that Filmora attempts to load uuid.dll from a vulnerable directory. Afterward, a malicious DLL can be created using msfvenom and placed in the same directory. Once Filmora is launched, the application will load the malicious DLL, executing the embedded payload and establishing a reverse shell back to the attacker's machine.