OneDrive DLL hijack privilege escalation
Description
There exists a DLL hijacking vulnerability in OneDrive versions after 20.073.
Ratings
- Attacker Value: Low (1 user assessed)
- Exploitability: Very High (1 user assessed)
Technical Analysis
EDIT: This is not a privilege escalation per se. This overwrites the dll and gains injection, but it relies on a second user with greater privileges to log in and kick off OneDrive.
This exploit was not granted a CVE, but it was patched by an automated patch rollout. Microsoft denied the CVE as the update will happen automatically (see [here](https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/) for more information).
The exploit is a very simple DLL hijacking vulnerability in the OneDrive executable. The OneDrive executable will attempt to load a specific (and often non-existent) DLL if a specific config file is present.

Specifically, OneDrive will load the DLL `C:\Qt\Qt-5.11.1\qml\QtQuick.2.7\qtquick2plugin.dll` if the file `C:\Qt\Qt-5.11.1\qml\QtQuick.2.7\qmldir` is present with the following contents:

```
module QtQuick
plugin qtquick2plugin
classname QtQuick2Plugin
typeinfo plugins.qmltypes
designersupported
```
OneDrive will load this DLL into its trusted process if a user interacts with OneDrive.

This exploit is already patched and has a published Defender signature, but the service does not have to be in use or logged in for the exploit to work. In my testing, an unpatched Windows 10 x64 1903 VM was vulnerable in the default configuration (apart from disabling Defender).

Because this exploit is patched, automatically updated, and already has a signature for it, it will likely have a short shelf life in most locations, but it does provide an opportunity for exploitation of air-gapped or other systems that do not talk to the internet.
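As an added defensive check (example code, not part of the assessment above and not Microsoft's or AttackerKB's own tooling), the following PowerShell script audits a host for the planted `qmldir` and `qtquick2plugin.dll` artifacts at the path quoted in the assessment, reporting owner and Authenticode status, and then queries Sysmon image-load events (Event ID 7, assumed to be enabled) for `OneDrive.exe` loading any image from under `C:\Qt\`. The "expected owner" list and the `C:\Qt\*` prefix filter are assumptions made for this example; on a default install the `C:\Qt` directory does not exist at all, so any hit is worth a look.

```powershell
# Added example: audit a Windows host for the OneDrive qmldir / qtquick2plugin.dll
# hijack artifacts and for Sysmon image-load events of OneDrive.exe loading from C:\Qt\.
# Assumptions: Sysmon is installed with Event ID 7 (ImageLoad) enabled; the paths are
# the ones quoted in the assessment; the owner allow-list below is a guess, not policy.

$QtDir  = 'C:\Qt\Qt-5.11.1\qml\QtQuick.2.7'
$QmlDir = Join-Path $QtDir 'qmldir'
$Plugin = Join-Path $QtDir 'qtquick2plugin.dll'

function Get-FileAudit {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Owner = $null; Signed = $null; Suspicious = $false }
    }
    $acl    = Get-Acl -LiteralPath $Path
    $signed = $null
    if ($Path -like '*.dll') {
        # A DLL dropped here by a standard user will not carry a valid Authenticode signature.
        $sig    = Get-AuthenticodeSignature -FilePath $Path
        $signed = ($sig.Status -eq 'Valid')
    }
    # Assumed allow-list: anything owned by an ordinary user account is the planted-file pattern.
    $trustedOwner = $acl.Owner -match '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller)$'
    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        Owner      = $acl.Owner
        Signed     = $signed
        Suspicious = (-not $trustedOwner) -or ($signed -eq $false)
    }
}

function Get-OneDriveImageLoads {
    # Sysmon Event ID 7 = image loaded. Keep only OneDrive.exe loading from under C:\Qt\ (assumed prefix).
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        Write-Warning "Sysmon operational log not available: $($_.Exception.Message)"
        return @()
    }
    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['Image'] -like '*\OneDrive.exe' -and $d['ImageLoaded'] -like 'C:\Qt\*') {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Process     = $d['Image']
                ImageLoaded = $d['ImageLoaded']
                Signed      = $d['Signed']
                Signature   = $d['Signature']
            }
        }
    }
}

# File-system audit of the two artifacts named in the assessment.
$files = @((Get-FileAudit $QmlDir), (Get-FileAudit $Plugin))
$files | Format-Table -AutoSize
if ($files | Where-Object Suspicious) {
    Write-Warning "Planted qmldir/plugin artifacts found under $QtDir; review owner and signature above."
}

# Historical evidence: did OneDrive.exe ever load an image from that tree?
$loads = @(Get-OneDriveImageLoads)
if ($loads.Count -gt 0) {
    Write-Warning "OneDrive.exe loaded $($loads.Count) image(s) from C:\Qt\"
    $loads | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that `Get-WinEvent` can read the Sysmon log; on a clean host both artifacts report `Present = False` and no image-load rows are printed. Because the hijack relies on a path that normally does not exist, the file-system half of the check is cheap enough to schedule across a fleet, while the Sysmon half catches the case where the DLL has already been loaded and removed.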