TrueConf Client DLL Hijacking Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A DLL hijacking vulnerability has been identified in TrueConf Client version 8.5.2. The issue arises because the application loads 'wfapi.dll' without an absolute path, creating an opportunity for local attackers to execute arbitrary code in the user's context. Exploitation involves placing a crafted 'wfapi.dll' in a user-writable directory that is included in the user's PATH, such as 'C:\Users\<user>\AppData\Local\Microsoft\WindowsApps'. When TrueConf Client is launched, it inadvertently loads the malicious DLL, leading to unauthorized code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution within the context of the user running TrueConf Client. Additionally, the vulnerability could be used for persistence, application hijacking, and evading security defenses.
Reproduction
To reproduce this vulnerability, create a malicious 'wfapi.dll' that contains the desired payload. Place this DLL in a user-writable directory that is included in the user's PATH, such as 'C:\Users\<user>\AppData\Local\Microsoft\WindowsApps'. Once the malicious DLL is in place, launch TrueConf Client 8.5.2. The application will load the malicious DLL during startup, executing the code within it.
Remediation
TrueConf should update the application to load DLLs using absolute paths and restrict the DLL search order so that user-writable directories on the PATH are not searched. Users can manually remove the vulnerable version and download the latest version from the TrueConf website.
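A check defenders can run for the condition described above, as an added example (not code from TrueConf or from this advisory): it walks the PATH entries and reports every directory the current user can write to, and any that already holds a file named 'wfapi.dll'. The function names are illustrative assumptions; only the DLL name comes from the advisory.

```python
import os
import tempfile

DLL_NAME = "wfapi.dll"  # DLL name taken from the advisory


def split_path(path_value, sep=os.pathsep):
    """Split a PATH string, dropping empty entries and surrounding quotes."""
    entries = []
    for raw in path_value.split(sep):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def is_writable(directory):
    """Prove write access by creating a temp file (os.access ignores Windows ACLs)."""
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False


def audit_path(path_value, dll_name=DLL_NAME, sep=os.pathsep):
    """Return one finding per PATH directory that is writable or holds dll_name."""
    findings = []
    for directory in split_path(path_value, sep):
        if not os.path.isdir(directory):
            continue  # stale PATH entry, nothing can be loaded from it
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # unreadable directory, skip rather than guess
        # Windows file names are case-insensitive, so compare lowercased
        present = any(n.lower() == dll_name.lower() for n in names)
        writable = is_writable(directory)
        if present or writable:
            findings.append({"directory": directory,
                             "writable": writable,
                             "dll_present": present})
    return findings


if __name__ == "__main__":
    for f in audit_path(os.environ.get("PATH", "")):
        flag = "DLL FOUND" if f["dll_present"] else "writable"
        print(f"[{flag}] {f['directory']}")
```

A 'wfapi.dll' found in a PATH directory outside the application's own install location warrants inspection of the file's origin and signature.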
