AdwCleaner 8.0.4 closes again a DLL Hijacking vulnerability

[German]On March 3, 2020, Malwarebytes released the tool AdwCleaner 8.0.4. It's a maintenance release.  The update fixes a DLL hijacking vulnerability that I reported to the developers.


Advertising

In December 2019 I already had the blog post AdwCleaner 8.0.1 closes a DLL Hijacking vulnerability here in the blog. This article was about a DLL hijacking vulnerability in this tool. There you can also find hints about what the AdwCleaner does.

Again a DLL hijacking vulnerability in AdwCleaner 8.0.3

Recently I had seen on the Internet that the AdwCleaner 8.0.3 is available. Out of an impulse I downloaded this version and then ran it over my testbed. The AdwCleaner does not need to be installed, but it requires administrative permissions at startup. The user will grant them, because he wants to clean his system from junkware.

DLL-Hijacking-Schwachstelle in AdwCleaner 8.0.3

After launching the tool, I was informed via the above dialog box that this version 8.0.3 of the AdwCleaner was vulnerable to DLL hijacking. This means that all DLL files loaded by the AdwCleaner are also executed as a process with administrative privileges.

Normally this works well because Windows does not find the DLL files in the program's folder and then searches in the Windows folders. However, if a malware knows that a tool has a DLL hijacking vulnerability for certain DLLs, it only needs to place a file with the same name in the folder containing the application. For AdwCleaner, this is usually the Downloads folder. This DLL is then loaded instead of the Windows DLL (hijacking). 


Advertising

The test bed is provided by Stefan Kanthak, who deals with such security issues. You can download the file Forward.cab from his website and extract it into a folder. There is also a Sentinel.exe, which has to be moved into this folder.

If a virus scanner jumps on when you visit the Kanthak website: it delivers the Eicar test virus in a data block attribute on its website to test whether browsers evaluate it and load it into memory for execution. A virus scanner should then be activated.

The developer reacts immediately

Since I was already in contact with him about the same problem with AdwCleaner 8.0.0, and the problem was solved with version 8.0.1, I sent him a mail. It took about 14 days until the answer. But the background was a vacation of the developer. Yesterday the developer informed me that AdwCleaner 8.0.4 was released with a bug fix. In the changelog, which is published here:

We are pleased to release AdwCleaner 8.0.4!

This versions is purely focused on maintenance to fix a bug that got reintroduced. The CVE number is pending assignment, this post will be updated when delivered.

We updated the test suite to avoid this to happen again.

See the full changelog below:

## v8.0.4 [03/04/2020]

### Changes
* Update definitions to 2020.04.03.1

### Bugfixes
* Fix reintroduction of DLL loading vulnerability reintroduced in 8.0.3. CVE assignation pending.

The download of AdwCleaner 8.0.4 is available on this website. Of course I have run this version in the test bed after the download. The DLL hijacking vulnerability has been fixed. I have no idea what went wrong with them, that the old vulnerability in version 8.0.3 is included in the tool.

Similar articles:
Malwarebytes AdwCleaner 8.0, a 2nd view
AdwCleaner 8.0.1 closes a DLL Hijacking vulnerability


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security, Software, Windows and tagged , . Bookmark the permalink.

One Response to AdwCleaner 8.0.4 closes again a DLL Hijacking vulnerability

  1. Chris Pugson says:

    Unfortunately AdwCleaner version 8 (all dot revisions up to and including 8.0.4) will not run on many installations of Windows 8.1 and 10 (which include all of mine and I have not observed it to work on any others). After the user responds to UAC the program silently vanishes. It does however work fine on Windows 7.

Leave a Reply

Your email address will not be published. Required fields are marked *