Discord
cpe:2.3:a:discord:discord:*:*:*:*:*:*:*
- 1.0.9188
A critical DLL hijacking vulnerability has been identified in Discord for Windows, specifically in version 1.0.9188. This vulnerability arises from an uncontrolled search path used to load the WINSTA.dll library, allowing attackers to execute arbitrary code remotely. Exploitation involves placing a malicious DLL in the user-writable Discord installation directory, from where it is loaded by the application on startup. The vulnerability requires local access to exploit and bypasses standard DLL loading security practices.
Successful exploitation of this vulnerability allows for remote code execution without user interaction, with the executed code running in the context of the user.
To reproduce this vulnerability, place a malicious DLL named WINSTA.dll in the user-writable Discord installation directory, typically located at C:\Users\<username>\AppData\Local\Discord\app-1.0.9188\. Once the DLL is in place, launch Discord. The application will load the DLL, executing any embedded payloads while functioning normally, thereby demonstrating the successful exploitation of the vulnerability.
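A defender can check a workstation for this condition with the following PowerShell audit, which is an added example and not part of the original advisory or of Discord's own tooling. It assumes the default per-user install path given above and flags any DLL in an `app-*` directory that shares its name with a System32 DLL and lacks a valid Authenticode signature.

```powershell
# Added example: audit Discord's per-user install for DLLs that shadow system DLLs.
# Assumption: default install root %LOCALAPPDATA%\Discord\app-<version>, as in the advisory.
param(
    [string]$DiscordRoot = (Join-Path $env:LOCALAPPDATA 'Discord'),
    [string]$SystemDir   = (Join-Path $env:SystemRoot 'System32')
)

# Case-insensitive set of DLL names that Windows ships in System32.
$systemNames = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -LiteralPath $SystemDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { [void]$systemNames.Add($_.Name) }

$appDirs = Get-ChildItem -LiteralPath $DiscordRoot -Directory -Filter 'app-*' `
    -ErrorAction SilentlyContinue

$findings = foreach ($appDir in $appDirs) {
    # Only the top level of app-<version> is inspected: the application
    # directory is searched before System32 in the standard search order.
    foreach ($dll in Get-ChildItem -LiteralPath $appDir.FullName -Filter '*.dll' -File) {
        if (-not $systemNames.Contains($dll.Name)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
        [pscustomobject]@{
            Suspicious = ($sig.Status -ne 'Valid')
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified   = $dll.LastWriteTimeUtc
            SHA256     = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
            Path       = $dll.FullName
        }
    }
}

# Unsigned or invalidly signed shadow DLLs sort to the top for triage.
$findings | Sort-Object Suspicious -Descending | Format-List

if ($findings | Where-Object Suspicious) {
    Write-Warning 'Shadowing DLL without a valid signature found in the Discord app directory.'
}
```

A validly signed file that shares a system DLL's name may be a legitimately bundled component, so review the `Signer` column before treating a non-suspicious row as benign or a suspicious one as confirmed.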