{"id":13003,"date":"2020-02-06T00:14:09","date_gmt":"2020-02-05T23:14:09","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13003"},"modified":"2024-10-03T07:19:13","modified_gmt":"2024-10-03T05:19:13","slug":"realtek-closes-a-dll-hijacking-vulnerability-in-hd-audio-driver","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/02\/06\/realtek-closes-a-dll-hijacking-vulnerability-in-hd-audio-driver\/","title":{"rendered":"Realtek closes a DLL Hijacking Vulnerability in HD Audio driver"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/05\/realtek-schliet-dll-hijacking-schwachstelle-in-hd-audiotreiber-paket\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Vendor Realtek has closed a DLL hijacking vulnerability in its HD audio driver package. Here is some information about this issue. <\/p>\n<p><!--more--><\/p>\n<h2>Vulnerability in Realtek audio driver package<\/h2>\n<p>I came across the subject through <a href=\"https:\/\/web.archive.org\/web\/20210623201841\/https:\/\/www.bleepingcomputer.com\/news\/security\/realtek-fixes-dll-hijacking-flaw-in-hd-audio-driver-for-windows\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bleeping Computer<\/a>. 
Peleg Hadar found the DLL hijacking vulnerability and points out the problem in this tweet: <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">CVE-2019-19705 &#8211; A vulnerability which I found in Realtek's Driver package for Windows, which affects a lot of PC users:<a href=\"https:\/\/t.co\/5MpYix6t7o\">https:\/\/t.co\/5MpYix6t7o<\/a><\/p>\n<p>\u2014 Peleg Hadar (@peleghd) <a href=\"https:\/\/twitter.com\/peleghd\/status\/1224787890976231426?ref_src=twsrc%5Etfw\">February 4, 2020<\/a><\/p><\/blockquote>\n<p>In <a href=\"https:\/\/web.archive.org\/web\/20201021214752\/https:\/\/safebreach.com\/Post\/Realtek-HD-Audio-Driver-Package-DLL-Preloading-and-Potential-Abuses-CVE-2019-19705\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a> Hadar describes how SafeBreach Labs found CVE-2019-19705 using its own guard DLLs: the MFC application RAVBg64.exe (owned by Realtek) loads DLLs without specifying their path. A (system) DLL that is missing would therefore be searched for by Windows in the current working directory. <\/p>\n<p>Specifically, the HD Audio background process, running as NT AUTHORITY\\SYSTEM, tries to load RAVBg64ENU.dll and RAVBg64LOC.dll from the working directory <\/p>\n<p>C:\\Program Files\\Realtek\\Audio\\HDA\\<\/p>\n<p>even though the DLLs do not exist there. An attacker with appropriate permissions could use this to place their own files with these names in this folder. They would be loaded by the HD Audio background process and would allow malware to be persistently anchored in the system. <\/p>\n<h2>Vulnerability fixed, but old driver packages remain a problem<\/h2>\n<p>The vulnerability was reported to Realtek on July 10, 2019, and closed with a patch on December 13, 2019. 
The fix can be found in the Realtek HD Audio driver package version 8857 or later. Driver versions prior to 8855 created with Microsoft Visual Studio 2005 (VS2005) are still vulnerable to attacks. <\/p>\n<p>While writing this post, I saw <a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/05\/sicherheitsinfos-emotet-scanner-whatsapp-etc-5-2-2020\/#comment-84467\" target=\"_blank\" rel=\"noopener noreferrer\">this German comment<\/a> from blog reader 1ST1, which points out a serious problem: <\/p>\n<blockquote>\n<p>The stupid thing is, on http:\/\/www.realtek.com and realtek-downloads.com you can only find HD-Audio drivers from the years 2017 and 2018, but nothing from December 2019. And they have different version numbers: 2.xx, and nothing in the 88xx range&#8230; <\/p>\n<p>People also complain about this here <a href=\"https:\/\/www.tenforums.com\/sound-audio\/135259-latest-realtek-hd-audio-driver-version-2-a-145.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.tenforums.com\/sound-audio\/135259-latest-realtek-hd-audio-driver-version-2-a-145.html<\/a> <\/p>\n<p>and offer even newer drivers, the latest is 8888.1 via download links in the Magenta cloud. But I don't find this trustworthy&#8230; <\/p>\n<p>Maybe you can find these newer versions on websites of mainboard manufacturers (ASUS, MSI, Gigabyte, &#8230;), but you'd have to kick Realtek's butt for that.<\/p>\n<\/blockquote>\n<p>That sums up the problem well. Maybe this is helpful for some readers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Vendor Realtek has closed a DLL hijacking vulnerability in its HD audio driver package. 
Here is some information about this issue.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[536,69,194],"class_list":["post-13003","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-driver","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13003"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13003\/revisions"}],"predecessor-version":[{"id":35444,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13003\/revisions\/35444"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}