EfficientLab Controlio DLL Hijacking Vulnerability Allowing Arbitrary Code Execution as SYSTEM

Vulnerability

A DLL hijacking vulnerability has been identified in EfficientLab Controlio versions prior to 1.3.95. This vulnerability arises from weak folder permissions in the installation directory, allowing local attackers to place specially crafted DLLs that are executed with high privileges when the Controlio service is started. The service runs as NT AUTHORITY\SYSTEM, enabling attackers to execute arbitrary code with elevated rights, potentially bypassing the application's monitoring features.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with the highest privileges on the system, as the Controlio service operates under the NT AUTHORITY\SYSTEM account.

Reproduction

The vulnerability can be reproduced by taking advantage of the weak folder permissions in the Controlio installation directory, located at C:\ProgramData\{UUID}. An attacker can drop a malicious DLL, such as one named WER.dll, which executes a command (like 'whoami') when the Controlio service is restarted. This demonstrates the ability to execute arbitrary code as an administrator.

Remediation

Users are advised to update to EfficientLab Controlio version 1.3.95, which addresses this vulnerability. For details on how to download the update, visit the Controlio Knowledge Base.
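
The weak folder permissions described above can be audited from `icacls` output. The following is an added example, not part of the original advisory or of EfficientLab's code; it assumes English principal names, and the sample ACL is constructed for illustration rather than captured from a Controlio host.

```python
import re

# Assumption: English-language principal names as printed by icacls.
# CREATOR OWNER only affects objects a caller has already managed to create.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
# icacls right codes that let a principal create or replace a file in the
# directory, or re-grant itself that ability (WDAC, WO).
PLANT_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")


def risky_aces(icacls_output, path):
    """Return (principal, rights, inherit_only) for each allow ACE that lets a
    non-trusted principal plant or overwrite files under `path`."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):      # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                      # blank line or the summary line
            continue
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        # The last group holds the rights; earlier groups are flags.
        flags, rights = set(groups[:-1]), set(groups[-1].split(","))
        if "DENY" in flags or m["who"] in TRUSTED:
            continue
        hit = rights & PLANT_RIGHTS
        if hit:
            findings.append((m["who"], sorted(hit), "IO" in flags))
    return findings


# Constructed sample; {UUID} is the placeholder the advisory itself uses.
SAMPLE_PATH = r"C:\ProgramData\{UUID}"
SAMPLE = r"""C:\ProgramData\{UUID} BUILTIN\Users:(I)(OI)(CI)(RX)
                      BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights, inherit_only in risky_aces(SAMPLE, SAMPLE_PATH):
        print(f"{who}: {','.join(rights)} (inherit-only: {inherit_only})")
```

Feed it the output of `icacls` run against the real installation directory; an empty result means no principal outside the trusted set holds a write-type right there.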

Added: Apr 23, 2026, 7:20 AM
Updated: Apr 23, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.