SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
CyFox identifies critical hijacking vulnerability in popular streaming software
Thu, 3rd Aug 2023

CyFox has recently identified a critical hijacking vulnerability in Stremio 4.4, a popular and versatile software platform for streaming movies and TV shows. With more than 5 million users relying on Stremio for their entertainment needs, this vulnerability poses a significant risk to their security and data.

The vulnerability, known as "Application Directory DLL Planting," is a form of DLL (Dynamic Link Library) hijacking: an attacker who can place a DLL with the right name in the application's own directory has it loaded and executed with the privileges of the targeted application, and, if that application runs elevated, inherits those privileges too. Planting the file requires some way of writing to Stremio's directory, whether directly, through a second foothold or by tricking the user into copying it there; once it is in place, the payload runs whenever Stremio loads that library. The consequences range from remote code execution to information theft and full system compromise.

By exploiting this vulnerability, attackers can gain unauthorised access to systems, steal sensitive data, and potentially compromise the entire network. Given the large user base of Stremio, the potential impact of this vulnerability is a cause for concern.

Like most Windows applications, Stremio relies on DLLs (Dynamic Link Libraries): shared code modules that Windows and applications load at run time, which keep software modular, encourage code reuse and give programs access to shared functions and resources.

The vulnerability in Stremio arises from calls to the Windows API functions LoadLibraryA and LoadLibraryExA. When either function is given a bare file name rather than a fully qualified path, the loader walks the standard DLL search order, which checks the directory the application was started from before it checks the Windows system directory. A malicious DLL with a matching name placed in Stremio's application directory is therefore found first and loaded in place of the genuine system library, handing the attacker code execution inside the Stremio process.

CyFox researchers identified four DLL names that Stremio loads this way and that can be planted: SspiCli.dll, RTWorkQ.dll, profapi.dll and UMPDC.dll. Using a payload generated with msfvenom as the planted DLL, the researchers obtained a reverse shell from the target, demonstrating that the flaw yields full code execution.
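How such a load shows up on an endpoint, as an added example that is not CyFox's tooling or Stremio's code: the Python below scans constructed Sysmon-style Event ID 7 (ImageLoad) records for the four DLL names above being loaded from anywhere other than the Windows system directories, and singles out loads from the loading process's own directory, which is exactly the planting pattern described. The one-line record layout, the user name and the install paths are assumptions made for the example; a real deployment would take the Image, ImageLoaded, Signed and SignatureStatus fields from the exported events.

```python
"""Spot DLL loads that resolve to an application directory instead of the Windows system directory.

Added example, not CyFox's or Stremio's code. Scans constructed Sysmon-style Event ID 7
(ImageLoad) records and flags the pattern in the article: a DLL that normally lives in
System32 being loaded from the application's own directory.
"""
import ntpath
import re

# The four DLL names CyFox reported as hijackable in Stremio 4.4; all normally resolve to System32.
WATCHED_DLLS = {"sspicli.dll", "rtworkq.dll", "profapi.dll", "umpdc.dll"}

# Directories from which these DLLs are expected to load.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records (one per line, Key=Value pairs). Paths, user name and
# install directories are hypothetical and do not describe Stremio's real layout.
SAMPLE_LOG = r"""
Image=C:\Users\alice\AppData\Local\Programs\Stremio\stremio.exe ImageLoaded=C:\Windows\System32\SspiCli.dll Signed=true SignatureStatus=Valid
Image=C:\Users\alice\AppData\Local\Programs\Stremio\stremio.exe ImageLoaded=C:\Users\alice\AppData\Local\Programs\Stremio\profapi.dll Signed=false SignatureStatus=Unavailable
Image=C:\Program Files\Stremio\stremio.exe ImageLoaded=C:\Program Files\Stremio\RTWorkQ.dll Signed=true SignatureStatus=Valid
Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\UMPDC.dll Signed=true SignatureStatus=Valid
Image=C:\Users\alice\Downloads\tool.exe ImageLoaded=C:\Users\alice\Downloads\helper.dll Signed=false SignatureStatus=Unavailable
"""

# Key=Value pairs; values may contain spaces, so a value ends only where the next "Key=" begins.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line: str) -> dict:
    """Turn one 'Key=Value Key=Value' record into a dict."""
    return dict(_FIELD.findall(line.strip()))


def classify(record: dict):
    """Return a finding dict if the load looks like DLL planting, otherwise None."""
    loaded = record.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    if name not in WATCHED_DLLS:
        return None                      # not one of the system DLLs we watch
    load_dir = ntpath.dirname(loaded).lower()
    if load_dir in SYSTEM_DIRS:
        return None                      # the genuine copy
    app_dir = ntpath.dirname(record.get("Image", "")).lower()
    reason = ("planted in application directory" if load_dir == app_dir
              else "loaded from outside System32")
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        reason += "; DLL is not validly signed"
    return {"process": record.get("Image"), "dll": loaded, "reason": reason}


def scan(log_text: str) -> list:
    """Run classify() over every non-empty record line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_record(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['process']} loaded {f['dll']}: {f['reason']}")
```

On the constructed sample the scan reports two loads: profapi.dll and RTWorkQ.dll, each pulled from the Stremio directory rather than System32. A valid signature is recorded but deliberately does not suppress a finding, since a signed DLL sitting next to the executable is still in the wrong place for a system library; the decision to investigate rests on the load path.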

Attackers can exploit DLL hijacking in Stremio to achieve various malicious objectives, including:

  • Remote Code Execution: Replacing a legitimate DLL with a malicious one lets attackers run their own code inside the application, leading to unauthorised access and potential data theft.
  • Privilege Escalation: If an application with elevated privileges loads a vulnerable DLL from an untrusted location, attackers can execute code with elevated privileges, bypassing security controls.
  • Information Theft: Attackers can intercept and manipulate sensitive data passing through the hijacked DLL, allowing them to steal login credentials and confidential information.
  • System Compromise: This vulnerability can serve as an entry point for attackers to gain broader access to the system and potentially establish persistent backdoors.

Nir Yehoshua, Chief Researcher and Team Leader at CyFox, says, "The discovery of this vulnerability in Stremio underscores the importance of continuous vigilance in the realm of cybersecurity. At CyFox, we remain committed to empowering users and organisations with knowledge to secure their digital landscapes."