Quark Cloud Drive DLL Hijacking Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A DLL hijacking vulnerability has been identified in Quark Cloud Drive version 3.23.2. The issue arises from the application's insecure loading of system libraries, specifically regsvr32.exe. The application fails to validate the path or signature of the DLL it loads, allowing an attacker to place a malicious DLL in the application's startup directory. When the user launches the program, the crafted DLL is loaded and executed, potentially leading to arbitrary code execution with the user's privileges. If the application is run with administrative rights, this could result in a full system compromise.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with the privileges of the user running Quark Cloud Drive. If the application is executed with administrative rights, it could lead to complete control over the system.

Reproduction

To reproduce this vulnerability, place the official Quark Cloud Drive installer and a maliciously crafted DLL named regsvr32.exe in the same directory, such as the Downloads folder. When the installer is run, the malicious DLL will be executed with SYSTEM privileges, allowing full control over the system.

Remediation

It is recommended to update Quark Cloud Drive to a version that addresses this vulnerability. Users should also be cautious about the permissions granted to applications and consider using security features that restrict the execution of untrusted code.
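The condition described under Reproduction, a file carrying the name of a system binary sitting next to an installer in a user-writable folder, can be checked for before anything is launched. The following is an added example, not code from this advisory or from the vendor; the function names, the stand-in directory layout and the sample file names in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions Windows will load or run by file name.
LOADABLE = {".exe", ".dll"}


def system_names(system_dir):
    """Lower-cased names of loadable files in the trusted system directory."""
    return {p.name.lower() for p in Path(system_dir).iterdir()
            if p.is_file() and p.suffix.lower() in LOADABLE}


def find_shadowing_files(scan_dir, system_dir):
    """List files under scan_dir that carry the name of a system binary.

    Windows file names are case-insensitive, so names are compared lower-cased.
    """
    trusted = system_names(system_dir)
    hits = []
    for root, _dirs, files in os.walk(scan_dir):
        for name in files:
            if name.lower() in trusted:
                hits.append(Path(root) / name)
    return sorted(hits)


def demo():
    """Constructed layout: a stand-in system directory and a Downloads folder."""
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = Path(tmp, "System32")
        downloads = Path(tmp, "Downloads")
        system_dir.mkdir()
        downloads.mkdir()
        for name in ("regsvr32.exe", "kernel32.dll"):
            (system_dir / name).write_bytes(b"")
        # Constructed sample files: an installer placeholder, a look-alike, a document.
        for name in ("installer_placeholder.exe", "RegSvr32.exe", "notes.txt"):
            (downloads / name).write_bytes(b"")
        hits = find_shadowing_files(downloads, system_dir)
        return [h.relative_to(tmp).as_posix() for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

On a Windows host, pass the user's Downloads folder as `scan_dir` and `C:\Windows\System32` as `system_dir`; a hit is a prompt for review, not proof of tampering.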

Added: Nov 20, 2025, 9:19 PM
Updated: Nov 20, 2025, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.8
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.