DigiSign DigiSigner ONE DLL Hijacking Vulnerability

A DLL hijacking vulnerability has been identified in DigiSign DigiSigner ONE version 1.0.4.60. This vulnerability allows an attacker to place a malicious DLL in a directory where the application expects to find a legitimate one. When the application is launched, it loads the malicious DLL with the same privileges as itself, potentially leading to unauthorized actions or access.

Impact

Exploitation of this vulnerability allows for DLL hijacking, where a malicious DLL is loaded by the application, potentially leading to privilege escalation.

Reproduction

To reproduce this vulnerability, first launch the DigiSigner ONE application and monitor it with Process Monitor (Procmon) for DLL hijacking issues. Apply filters to track the application's DLL loading behavior, looking for any 'Name Not Found' results for DLL files. You will observe that the application attempts to load a DLL named 'DLPReel.dll' from various locations, including the installation folder and environment paths, but fails to find it. Next, create a malicious DLL named 'DLPReel.dll' using the provided source code, which displays a message box when loaded. Compile this code into a DLL using the appropriate compiler command. Once compiled, place the DLL into an environment path and open the DigiSigner ONE application. Click on 'Renewal Certificate' to trigger the DLL loading process. If successful, a message box will appear, indicating that the DLL hijacking has occurred.