[Security bug] Vulnerabilities in the DLL injector module #40
Description
I have found two issues that can be chained by an attacker with high privileges in order to inject arbitrary hooks into any monitored process in an endpoint running openEDR.
1. Unsigned DLL Loading in the Injector Module
The EDR's injector driver loads specific DLLs into monitored processees to hook certain Windows APIs. However, the driver does not check correctly the loaded DLLs' signatures at all. This allows an attacker with high integrity privileges to use this legitimate driver, signed by Comodo, to load a malicious DLLs and perform userland hooking.
The isDllVerified() function is not being used and does not work correctly in current Windows versions.
2. DLL Hijacking in the Injector Module
The injector driver searches for DLLs to inject into the monitored processes in a predefined list of paths in priority order. The issue stems from the fact that, even though the second of these paths is properly protected, the first is not. This allows a user with high integrity privileges to drop a malicious DLL into this path, or overwrite a legitimate DLL in such path.