Source: security@synology.com
An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer.
Synology Presto Client versions prior to 2.1.3-0672 are vulnerable to an uncontrolled search path element vulnerability. This allows a local attacker to execute arbitrary code with the privileges of the installer by placing a malicious DLL in a specific directory, potentially leading to system compromise and data exfiltration.
Step 1: Payload Preparation: The attacker identifies a DLL that the Synology Presto Client installer attempts to load during installation. This can be determined through static analysis of the installer or dynamic analysis during installation attempts.
Step 2: Malicious DLL Creation: The attacker creates a malicious DLL with the same name as the identified DLL. This malicious DLL contains the attacker's payload, such as code to execute a reverse shell, steal credentials, or install malware.
Step 3: Payload Placement: The attacker places the malicious DLL in a directory that the installer searches before the system directories. This is typically the same directory as the installer itself or a directory the installer uses during the installation process.
Step 4: Installation Trigger: The attacker initiates or waits for the Synology Presto Client installation to begin. This could be a manual installation or an automated process.
Step 5: DLL Hijacking: During the installation, the installer attempts to load the legitimate DLL. Due to the insecure search path, the attacker's malicious DLL is loaded instead.
Step 6: Code Execution: The attacker's payload within the malicious DLL is executed with the privileges of the installer, enabling the attacker to perform actions such as arbitrary file read/write or system compromise.
The vulnerability stems from the Synology Presto Client installer's insecure handling of its DLL search path. When the installer loads DLLs during installation, it does not validate the location they are loaded from: the installer searches the current working directory before the system directories. An attacker can exploit this by placing a malicious DLL, named after a DLL the installer attempts to load, in a directory the installer searches first, so the attacker's DLL is loaded instead of the legitimate one and its code executes. The root cause is the absence of secure DLL loading practices, specifically loading by fully qualified path or restricting the search order to trusted locations. This is the classic DLL hijacking (search-order hijacking) pattern: the installer never restricts or sanitizes its search path, creating an opportunity for code injection.
This vulnerability could be leveraged by various threat actors. While no specific APT is definitively linked, the ease of exploitation makes it attractive to both sophisticated and less-skilled attackers, and this type of vulnerability is often used by ransomware groups for initial access and privilege escalation. It is not currently listed on CISA KEV but could be added if actively exploited in the wild.
Monitor file system activity for the creation of DLLs in the same directory as the Synology Presto Client installer.
Analyze process creation events, specifically looking for the Synology Presto Client installer loading DLLs from unexpected locations.
Examine network traffic for suspicious outbound connections originating from the Synology Presto Client process after installation.
Review system logs for errors related to DLL loading, such as 'DLL not found' or 'Access denied' errors, which may indicate attempted exploitation.
Use file integrity monitoring (FIM) tools to detect changes to the Synology Presto Client installation directory and its associated DLLs.
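The two detection ideas above (DLLs appearing next to the installer, and the installer loading DLLs from unexpected locations) can be turned into a small triage script. The following is an added example, not code from Synology or from the advisory. It assumes image-load telemetry in the shape of Sysmon Event ID 7 fields, flattened here into constructed one-line records; the paths, the installer file name and the `is_installer` heuristic are assumptions for the example.

```python
import ntpath
import os
from dataclasses import dataclass, field

# Constructed Sysmon-style "Image loaded" (Event ID 7) records, flattened to
# "key=value|key=value" lines. Field names mirror Sysmon's; all paths and
# signer values are invented for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\Downloads\SynologyPrestoClient-2.1.2.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Users\alice\Downloads\SynologyPrestoClient-2.1.2.exe|ImageLoaded=C:\Users\alice\Downloads\version.dll|Signed=false|Signature=",
    r"Image=C:\Users\alice\Downloads\SynologyPrestoClient-2.1.2.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows",
    r"Image=C:\Program Files\Synology\Presto\presto.exe|ImageLoaded=C:\Program Files\Synology\Presto\libpresto.dll|Signed=true|Signature=Synology Inc.",
]

# Directories a DLL is expected to come from when the installer loads a system DLL.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


@dataclass
class Finding:
    process: str
    dll: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one flattened record into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def is_installer(image):
    # Assumption for the example: the installer is recognised by its file name and by
    # running from somewhere other than Program Files (e.g. a Downloads folder).
    name = ntpath.basename(image).lower()
    return "presto" in name and name.endswith(".exe") and "program files" not in image.lower()


def analyse_image_loads(lines):
    """Flag DLLs the installer loads from its own directory, from outside the
    system directories, or without a valid signature."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, dll = ev["Image"], ev["ImageLoaded"]
        if not is_installer(image):
            continue
        dll_dir = ntpath.dirname(dll).lower()
        reasons = []
        if dll_dir == ntpath.dirname(image).lower():
            reasons.append("loaded from the installer's own directory")
        elif dll_dir not in TRUSTED_DIRS:
            reasons.append("loaded from outside the Windows system directories")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("DLL is not signed")
        if reasons:
            findings.append(Finding(image, dll, reasons))
    return findings


def dlls_beside_installer(entries):
    """Given directory entry names (as from os.listdir), return the DLLs that sit
    next to an installer; an empty list means no installer is present."""
    names = list(entries)
    if not any(is_installer(n) for n in names):
        return []
    return sorted(n for n in names if n.lower().endswith(".dll"))


def scan_directory(path):
    """Filesystem wrapper for the file-creation check (e.g. a Downloads folder)."""
    return dlls_beside_installer(os.listdir(path))


if __name__ == "__main__":
    for f in analyse_image_loads(SAMPLE_EVENTS):
        print(f"{f.process} loaded {f.dll}: {'; '.join(f.reasons)}")
```

Run against the constructed records, only the second event is reported: `version.dll` loaded from the same Downloads folder as the installer and unsigned. The legitimate `presto.exe` in Program Files loading `libpresto.dll` from its install directory is skipped, since a signed application loading its own signed DLLs from a directory that is not user-writable is the normal case; the directory check in `scan_directory` is the cheap complement when image-load telemetry is not available.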
Upgrade Synology Presto Client to version 2.1.3-0672 or later.
Implement a secure DLL loading strategy in the Synology Presto Client installer. This includes using fully qualified paths for DLLs and/or restricting the search path to trusted locations.
Ensure that the installation directory has appropriate access controls, limiting write access to authorized users only.
Employ application whitelisting to restrict the execution of unauthorized DLLs.
Regularly scan systems for signs of compromise, including the presence of malicious DLLs and suspicious network activity.
Implement a defense-in-depth strategy, including endpoint detection and response (EDR) solutions to detect and respond to malicious activity.
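To make the secure DLL loading recommendation concrete, the following added example (not Synology's code and not from the advisory) models the Windows library search order and shows which `version.dll` a process picks under four strategies: the default order, the legacy order with SafeDllSearchMode disabled, a search restricted to System32 (what `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` gives a process), and loading by fully qualified path. The directory layout, the `version.dll` name and the planted-file scenario are constructed for the example; the model deliberately ignores KnownDLLs, manifests and per-call `LoadLibraryEx` flags.

```python
import ntpath

# Illustrative paths (constructed for this example).
SYSTEM32 = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
INSTALLER_DIR = r"C:\Users\alice\Downloads"       # user-writable, where the installer was saved
LEGIT_DLL = ntpath.join(SYSTEM32, "version.dll")
PLANTED_DLL = ntpath.join(INSTALLER_DIR, "version.dll")  # same name, dropped beside the installer

# The modelled disk: a set of lower-cased paths that exist.
FILESYSTEM = {
    p.lower()
    for p in (LEGIT_DLL, PLANTED_DLL, ntpath.join(INSTALLER_DIR, "SynologyPrestoClient-2.1.2.exe"))
}


def default_search_order(app_dir, cwd, path_dirs=()):
    # Windows default order (SafeDllSearchMode enabled) for LoadLibrary("name.dll"):
    # the application's own directory is always consulted first.
    return [app_dir, SYSTEM32, WINDOWS_DIR, cwd, *path_dirs]


def legacy_search_order(app_dir, cwd, path_dirs=()):
    # SafeDllSearchMode disabled: the working directory moves up to second place.
    return [app_dir, cwd, SYSTEM32, WINDOWS_DIR, *path_dirs]


def system32_only_order():
    # After SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) only the system
    # directory is consulted for name-only loads.
    return [SYSTEM32]


def resolve_by_name(dll_name, search_dirs, filesystem=FILESYSTEM):
    """Return the first existing candidate in search order, or None."""
    for d in search_dirs:
        candidate = ntpath.join(d, dll_name)
        if candidate.lower() in filesystem:
            return candidate
    return None


def resolve_fully_qualified(full_path, filesystem=FILESYSTEM):
    # Loading by absolute path never consults the search order at all.
    return full_path if full_path.lower() in filesystem else None


def compare_strategies(cwd=INSTALLER_DIR):
    """Which version.dll each loading strategy ends up with in the planted scenario."""
    return {
        "default": resolve_by_name("version.dll", default_search_order(INSTALLER_DIR, cwd)),
        "legacy": resolve_by_name("version.dll", legacy_search_order(INSTALLER_DIR, cwd)),
        "system32_only": resolve_by_name("version.dll", system32_only_order()),
        "fully_qualified": resolve_fully_qualified(LEGIT_DLL),
    }


if __name__ == "__main__":
    for strategy, chosen in compare_strategies().items():
        verdict = "hijacked" if chosen == PLANTED_DLL else "safe"
        print(f"{strategy:16} -> {chosen}  [{verdict}]")
```

The comparison makes the caveat explicit: when the planted DLL sits in the installer's own directory, SafeDllSearchMode does not help, because the application directory is searched before System32 in both the default and the legacy order. Only restricting the search order in the process, loading by fully qualified path, or keeping the installer out of user-writable directories (the access-control recommendation above) removes the planted file from consideration.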