Patch My PC Home Updater DLL Hijacking Vulnerability Allowing Arbitrary Code Execution as Administrator

Vulnerability

A critical DLL hijacking vulnerability has been identified in Patch My PC Home Updater versions through 5.1.3.0. The issue arises because the application loads missing DLLs from a user-writable directory in the TEMP folder without proper validation. This flaw allows a standard user to place a malicious DLL that will be executed with elevated Administrator privileges when the application is launched. The flaw can be triggered through several common Windows DLLs, enabling local privilege escalation and arbitrary code execution as an Administrator.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with Administrator privileges, bypassing User Account Control (UAC) protections and leading to a local privilege escalation.

Reproduction

To reproduce this vulnerability, first create a malicious DLL named 'comctl32.dll' that executes a simple command, such as launching 'calc.exe', or one that spawns a reverse shell. Place the DLL in the user-specific TEMP directory where Patch My PC Home Updater extracts its files, ensuring it is there before the application is launched. Once the application is started, the malicious DLL will be executed with Administrator rights, allowing the injected code to run with elevated privileges.
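
A detection-side view of the condition described above, added here as an example and not part of the original advisory or the vendor's code: it flags elevated processes that load a system-named DLL from a per-user TEMP directory. The record fields (`image`, `image_loaded`, `elevated`), the extraction folder, and the process name are assumptions, modeled on image-load telemetry joined with process integrity level.

```python
import ntpath

# comctl32.dll is the name given in the advisory; the other two are
# illustrative Windows DLL names chosen for this example, not from the advisory.
SYSTEM_DLL_NAMES = {"comctl32.dll", "version.dll", "uxtheme.dll"}
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


def loaded_from_user_temp(path):
    """True if the normalized path sits under a per-user TEMP directory."""
    # normpath collapses "sub\..\" segments so they cannot hide the location.
    return USER_TEMP_MARKER in ntpath.normpath(path).lower()


def find_hijack_candidates(events):
    """Return elevated image loads of system-named DLLs from user TEMP."""
    hits = []
    for ev in events:
        if not ev["elevated"]:
            continue  # no privilege boundary is crossed
        dll_name = ntpath.basename(ntpath.normpath(ev["image_loaded"])).lower()
        if dll_name in SYSTEM_DLL_NAMES and loaded_from_user_temp(ev["image_loaded"]):
            hits.append((ev["image"], ev["image_loaded"]))
    return hits


# Constructed sample records (not real telemetry); paths and process name are placeholders.
TEMP = r"C:\Users\alice\AppData\Local\Temp\ExampleExtract"
EXE = TEMP + r"\updater-placeholder.exe"
SAMPLE_EVENTS = [
    {"image": EXE, "image_loaded": TEMP + r"\comctl32.dll", "elevated": True},
    {"image": EXE, "image_loaded": r"C:\Windows\System32\comctl32.dll", "elevated": True},
    {"image": EXE, "image_loaded": TEMP + r"\sub\..\VERSION.DLL", "elevated": True},
    {"image": EXE, "image_loaded": TEMP + r"\helper.dll", "elevated": True},
    {"image": r"C:\Tools\viewer.exe", "image_loaded": TEMP + r"\uxtheme.dll", "elevated": False},
]

if __name__ == "__main__":
    for image, dll in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"ALERT elevated process {image} loaded {dll}")
```

Only the first and third sample records are flagged: the System32 load, the application's own non-system DLL, and the non-elevated process are ignored.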

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.