ClipShare Server DLL Hijacking Vulnerability Leading to Local Privilege Escalation

A local privilege escalation vulnerability has been identified in ClipShare Server for Windows, versions prior to 3.8.5. The issue arises from the application using the default Windows DLL search order, loading system libraries such as CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. This behavior allows a local, non-privileged user who can write to the folder containing clip_share.exe to place malicious DLLs that could be executed as arbitrary code in the context of the server. If the application is launched by an Administrator or another elevated user, this exploitation reliably escalates privileges.

Impact

Exploitation of this vulnerability leads to arbitrary code execution with the same privileges as the user running ClipShare Server. If executed by an Administrator or an elevated user, it results in a local privilege escalation to SYSTEM-equivalent rights.

Reproduction

To reproduce this vulnerability, download ClipShare Server v3.8.3 for Windows and extract it to a folder. A local user with write access to this folder can compile a malicious DLL named CRYPTBASE.dll or WindowsCodecs.dll that, when loaded by ClipShare Server, executes arbitrary code, such as displaying a message box. After confirming the arbitrary code execution, the same malicious DLL can be used to escalate privileges by spawning a command prompt under the Administrator account, if ClipShare Server is run with elevated rights.

Remediation

Users can upgrade to ClipShare Server version 3.8.5 or later, where this vulnerability has been fixed.