[German]On December 17/18 2019 the tool AdwCleaner 8.0.1 was released by Malwarebytes. This update fixes a DLL hijacking vulnerability I reported to the developers.
What is the AdwCleaner?
If Windows shows unwanted programs or displaying unwanted ads after installing software possible adware has been involved. In order to clean the system of this unwanted programs, the tool Malwarebytes AdwCleaner may be used (its free for private use).
There are also options to perform basic repairs on Windows (firewall, BITS, etc.). By default, the database is synchronized with a database in the cloud, but this option can be switched off. It is also possible to define exclusions for software – this may help with the problems mentioned in this German comment from a blog reader.
I had reported a few days ago in the German blog post Malwarebytes AdwCleaner 8.0 (English article Malwarebytes AdwCleaner 8.0, a 2nd view) that a new version was available. In this post I also gave some hints for download and mentioned that the tool might have a vulnerability. But more about that later.
Dll hijacking vulnerability up to version 8.0.0
While writing my blog post mentioned above I found (by chance) a security issue in this tool that would have prevented me from using it. The AdwCleaner does not install anything, but requires administrator permissions during start (mandatory to clean up adware).
For this reason, I execute such tools on a test bed by default to determine if so-called DLL hijacking issues exist. This means that the software calls certain DLL files (mostly from Windows) at startup or during operation. If the developer does not pay attention and ignores how Windows searches for DLL files, these DLL libraries are searched in the folder from which the program was called.
This means that when AdwCleaner runs with administrative permissions, the code from the loaded DLL files is also executed as a process with administrative permissions. Normally this works well, because Windows does not find the DLL files in the folder of the program and then searches in the Windows folders. But if a malware knows that a tool has a DLL hijacking vulnerability for certain DLLs, it only needs to store a file with the same name in the folder containing the application. With AdwCleaner, this should usually be the Downloads folder.
If the user then runs the AdwCleaner, the tool requests administrative permissions. The user will grant these permissions because he wants to clean his system from junkware. If a malware had the opportunity to store a manipulated DLL file in the AdwCleaner folder, it would be loaded. A DLL hijacking then takes place and the manipulated DLL receives administrative privileges via the AdwCleaner in a piggy-back manner. This could be seen as a privilege escalation vulnerability.
When I executed the version of AdwCleaner adwcleaner_8.0.0.exe in my test bed, a warning appeared with some DLLs (on an English system, the messages will be inEnglish, see this screenhot at Bleeping Computer). The above warning shows a DLL that is vulnerable to DLL hijacking when loaded. There were several DLLs in AdwCleaner 8.0.0 that caught my attention.
By the way, the test bed is provided by white hat hacker Stefan Kanthak, who deals with such security issues. You can download the file Forward.cab from his website and extract it into a folder. There is also a Sentinel.exe, which also goes into this folder. Stefan Kanthak has published this English site with further details and download links for Sentinel.exe and .dll.
Note: If a virus scanner raises an alarm, when visiting the Kanthak website: He delivers the Eicar test virus in a data block attribute on its website in order to test whether browsers evaluate it and load it into memory for execution. Then a virus scanner should raise an alarm, indicating that the browser failed to ignore the data block attribute from execution.
After estabilishing the test bed in Windows, the software to be tested need to be copied to the folder of the test bed. The execute the programIf there are alarms as shown in the screenshot above, there is a DLL hijacking vulnerability. I have already warned here in the blog about several tools with such vulnerabilities, mostly it doesn’t help or I catch myself armed comments, why I publish such a thing and I can do it better.
In the current case, I then informed the Malwarebytes’ press office on December 10, 2019 about the issue found. On the same day the developer who originally created the AdwCleaner contacted me and promised to take care of it.
On December 11, 2019 I received a test version of AdwCleaner 8.0.1.exe in which this vulnerability should be fixed. Another test showed that this was not the case, the new version was still vulnerable, which I reported and pointed out to the developers the steps to create the test bed. On Friday, December 12, 2019, I got access to a pre-release version where I no longer found any DLL hijacking vulnerability in the test bed. After consulting the developer, he announced the release on December 12, 2019 (Paris time late in the evening). AdwCleaner is a purchase of malware bytes and some of the developers are probably based in France.
I have two things to mention here. Stefan Kanthak told me within a e-mail that he had already reported this vulnerability 3 years ago without success. At this point I want to thank Stefan, who in the past gave me some hints about such vulnerabilities and the test bed – without this support I would never have found the whole thing.
After I was in contact with the developer, he reacted very quickly and revised the software after some additional hints regarding the DLL hijacking problem. I also mentioned the criticism of Blog Reader’s Decree regarding inadequate scan settings. In version 8.0.1, improvements were also made in this respect (I don’t know if they are sufficient). The vulnerability has not yet been assigned a CVE number, but this has been fixed. Therefore, I would like to praise the developer Jérôme Boursier for his quick reaction.
Malwarebytes AdwCleaner 8.0.1 released
Since the release of the German article Malwarebytes AdwCleaner 8.0 I was waiting for the release of the corrected version 8.0.1. Yesterday Lawrence Abrams of Bleeping Computer informed me that this version had been released. Abrams knows the developer Jérôme Boursier and had offered me his mediation on the DLL hijacking topic (which was not necessary). Yesterday evening AdwCleaner developer Jérôme Boursier informed me about the official release of version 8.0.1 and mentioned that he had announced the release in the forum.
We are pleased to share the new AdwCleaner 8.0.1!
In line to the improvements made in AdwCleaner 8, we’ve been pushing towards improving detection and remediation capabilities, and this time we focused on Mozilla Firefox. We completely rewrote the way we scan and clean Firefox addons, preferences, search engines, start pages, etc.. This allows to reduce the technology debt, to have a more maintainable codebase, and to gain in detection rate and remediation effectiveness.
On top of this major change, we fixed a security vulnerability reported by Günter Born. AdwCleaner 7.0 up to 8.0.1 are vulnerable to DLL hijacking. This has now been fixed. We are very grateful for the report, and we encourage everyone to report us any vulnerabilities in AdwCleaner. We will study them and depending on the severity, act accordingly.
This is the last release of 2019. We hope to keep our newly found pace in 2020 to improve quality, speed, and detection rate!
The forum post with the release notes also contains a more detailed changelog:
## v8.0.1 [18/12/2019]
### New Features
– Re-Implement Firefox module. It now properly supports detecting and removing extensions, startpage, searchengines, preferences…
– Hide debug output
– Update telemetry internals.
– Update definitions to 2019.12.17.1
– Fix a DLL Hijacking vulnerability in AdwCleaner 7.0+, reported by Günter Born.
Some improvements have been made and the DLL hijacking vulnerability I reported has been fixed. It is expected to be the last version of AdwCleaner in 2019.
Addendum: Bleeping Computer covered this story also within this article with additional hints.
Cookies helps to fund this blog: Cookie settings