Wassimulator CactusViewer Privilege Escalation and Arbitrary Code Execution Vulnerability

A DLL hijacking vulnerability has been identified in Wassimulator CactusViewer version 2.3.0. This vulnerability allows attackers to escalate privileges and execute arbitrary code by placing a malicious DLL in the same directory as the CactusViewer executable. When the application is launched, it loads the malicious DLL, leading to unauthorized code execution in the context of the user running the application.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with the privileges of the user running CactusViewer. This could be used to execute malicious payloads, potentially leading to further exploitation or unauthorized actions on the user's system.

Reproduction

To reproduce this vulnerability, download CactusViewer version 2.3.0 and extract it to a directory. Then, compile a malicious DLL that exploits the DLL hijacking vulnerability by injecting code execution payloads. Place the compiled DLL in the same directory as the CactusViewer executable. When CactusViewer is launched, the malicious DLL is loaded, and the injected code is executed, confirming the vulnerability.

Remediation

Users can be advised to avoid placing CactusViewer in directories where malicious DLLs could be easily introduced, such as shared or multi-user writable locations. However, a more effective remediation would involve updating the application to change how DLLs are loaded, ensuring they are only sourced from secure, trusted locations.