DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version)

**Overview** The application insecurely searches for the missing DLL file in system PATH environment, allowing an attacker with access to victim's local machine host to achieve arbitrary code execution by implanting a malicious DLL file in any PATH environment. **MITRE reference:** https://attack.mitre.org/techniques/T1574/001/ **Proof of Concept** 1. Open Procmon and observe that the application searches for a missing DLL file named "z-bes.dll" in the system PATH variables (e.g. C:\Program Files\Git\cmd\z-bes.dll, C:\Users\supra\Desktop\tools\z-bes.dll etc) {F4818250} 2. To exploit this insecured behaviour, I crafted a fake DLL file. When this DLL file is being used, it launches a calc.exe **Calc.c** ``` #include <windows.h> BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: system("calc.exe"); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } ``` {F4818280} 3. Next i placed it in the C:\Users\supra\Desktop\tools\ directory which was registered in the system PATH environment 4. Open the application again and observe that the calculator shows up. {F4818296} 5. Observe Prcomon output, we found that the malicious DLL file is mapped and executed. {F4818298} **Remediation** I believe this DLL file is removed but the application is still search for it. I think if the application is no longer use this DLL file, stopping the application from searching for it should solve the problem. Additionally, specifying DLL full paths is the solution to prevent this kind of attack. ## Impact A successful exploitation allows an attacker to achieve code execution on target machine or secretly install a trojan using SONY application to masquerade itself to avoid anti-virus detection.