DLL Injection Attack
|Reported by:||mahendradhodi||Owned by:||Me|
|Component version:||3.25.2||Operating system type:||Windows|
|Operating system version:||Windows 10|
Description:Found DLL injection in the FileZilla Client Version 3.25.2, successfully injected dllinject.dll into the filezilla process address space.
On successful execution of the attack, temp file is created into E drive as I have written the same logic in the dllinject.dll.
Impact: On successful execution of DLL injection attack, an attacker can create windows user or other malicious activity as I have performed the text file creation.
Remediation: You can prevent this attack by hooking LoadLibrary. In your hook you check against a list of DLL names that you know are part of the process and that may be loaded, or you can check against a list of known DLLs you don't want to load.
When you find a DLL you don't want to load SetLastError(ERROR_ACCESS_DENIED) then return NULL.
That will stop the DLL from loading.