During an engagement, I identified a DLL hijacking vulnerability in MobilePASS for Windows, version 8.4.4.99. MobilePASS is a Two-factor authentication solution, which can run on Windows.

When MobilePASS is executed, it attempts to load etoken.dll from several locations, including the user’s desktop folder and the %APPDATA% directory.

This enables an attacker with local access to place a malicious etoken.dll in the directory where MobilePASS attempts to load it. As a result, the attacker can disguise their activity behind MobilePASS.

To demonstrate the vulnerability, a simple DLL program was created in C# that writes a debug string when MobilePASS is launched.

DLL Hijacking has several sub-techniques. In this instance DLL Proxying was utilized, where the malicious DLL forwards calls to the real DLL. This keeps MobilePASS’s functionality intact while still executing the malicious code.

The vulnerability assessment was limited to the specified version of MobilePASS, as newer versions were not available for testing. While this vulnerability did not directly enable privilege escalation, it could potentially serve as a persistence mechanism for an attacker.

Disclosure Timeline:

• 2024-07-21: The initial report is sent to CPL Security Response Team.
• 2024-07-23: The CPL Team confirms that the issue is only present in version 8.4.4.x. Version 8.4.4.99 was released in 2016
• 2024-07-30: No CVE will be requested due to the old version

Recommendations:

Update to the latest version of MobilePASS. Regarding DLL hijacking, Microsoft has some good recommendations.