Mobatek MobaXterm Home Edition Uncontrolled Search Path Vulnerability in msimg32.dll Allowing DLL Hijacking

Vulnerability

A DLL search order hijacking vulnerability has been identified in Mobatek MobaXterm Home Edition versions prior to 26.2. The issue arises because the application insecurely loads the system library msimg32.dll during startup, relying on the default Windows DLL search order, which consults the application's own directory before the system directory. This allows an attacker to place a malicious msimg32.dll in the application directory, where it will be loaded instead of the legitimate system library, leading to arbitrary code execution within the context of the MobaXterm process. The vulnerability can be exploited locally and has been disclosed publicly along with a proof-of-concept exploit.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with the same privileges as the user running the application. If MobaXterm is launched with administrative rights, the executed code will also have elevated privileges.

Reproduction

To reproduce this vulnerability, place a malicious DLL named msimg32.dll in the same directory as the MobaXterm executable. When MobaXterm is launched, the malicious DLL will be loaded instead of the legitimate one, executing the embedded code.
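The condition described above (a copy of a System32 library sitting next to the executable) can be checked for on an installed system. The following PowerShell script is an added example, not part of the advisory or of MobaXterm; it assumes the install directory given in the `$AppDir` parameter and flags every DLL in that directory whose name shadows a System32 library but whose contents or Authenticode signature differ from the system copy.

```powershell
# Added example (not from the advisory): detect DLLs in an application directory
# that shadow a System32 library, e.g. an unexpected msimg32.dll beside MobaXterm.exe.
# $AppDir is an assumption; point it at the actual MobaXterm installation path.
param(
    [string]$AppDir = 'C:\Program Files (x86)\Mobatek\MobaXterm'
)

$system32 = Join-Path $env:SystemRoot 'System32'

# For each DLL in the app directory, check whether a same-named library exists in
# System32; if so, compare hashes and inspect the signature of the app-directory copy.
$findings = foreach ($dll in Get-ChildItem -Path $AppDir -Filter '*.dll' -File -ErrorAction Stop) {
    $sysCopy = Join-Path $system32 $dll.Name
    if (-not (Test-Path -LiteralPath $sysCopy)) { continue }   # cannot shadow a system DLL

    $appHash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
    $sysHash = (Get-FileHash -LiteralPath $sysCopy      -Algorithm SHA256).Hash
    $sig     = Get-AuthenticodeSignature -LiteralPath $dll.FullName

    [pscustomobject]@{
        Dll             = $dll.Name
        Path            = $dll.FullName
        MatchesSystem32 = ($appHash -eq $sysHash)
        Signature       = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # A shadowing DLL that differs from the System32 copy or lacks a valid
        # signature is exactly the artifact this advisory describes.
        Suspicious      = ($appHash -ne $sysHash) -or ($sig.Status -ne 'Valid')
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Non-zero exit code lets the script run as a scheduled or endpoint-management check.
if ($findings | Where-Object Suspicious) { exit 1 } else { exit 0 }
```

A legitimate, vendor-shipped copy of a system DLL would show as signed and, if it is the same build, hash-identical; anything else in the `Suspicious` column warrants inspection and comparison against the 26.2 upgrade path above.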

Remediation

Upgrade to Mobatek MobaXterm Home Edition version 26.2, which addresses this vulnerability.

Added: Apr 17, 2026, 6:20 AM
Updated: Apr 17, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.