OneDrive DLL hijack privilege escalation
Description
There exists a DLL hijacking vulnerability in OneDrive versions after 20.073.
Ratings
- Attacker Value: Low
- Exploitability: Very High
Technical Analysis
EDIT: This is not a privilege escalation per se. This overwrites the DLL and gains injection, but it relies on a second user with greater privileges to log in and kick off OneDrive.
This exploit was not granted a CVE, but it was patched by an automated patch rollout. Microsoft denied the CVE as the update will happen automatically (see [here](https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/) for more information).
The exploit is a very simple DLL hijacking vulnerability in the OneDrive executable. The OneDrive executable will attempt to load a specific (and often non-existent) DLL if a specific config file is present.
Specifically, OneDrive will load the DLL C:\Qt\Qt-5.11.1\qml\QtQuick.2.7\qtquick2plugin.dll if the file C:\Qt\Qt-5.11.1\qml\QtQuick.2.7\qmldir exists with the following contents:
    module QtQuick
    plugin qtquick2plugin
    classname QtQuick2Plugin
    typeinfo plugins.qmltypes
    designersupported
OneDrive will load this DLL into its trusted process if a user interacts with OneDrive.
This exploit is already patched and has a published Defender signature, but the service does not have to be in use or logged in for the exploit to work. In my testing, an unpatched Windows 10 x64 1903 VM was vulnerable in the default configuration (apart from disabling Defender).
Because this exploit is patched, automatically updated, and already has a signature for it, it will likely have a short shelf life in most locations, but it does provide an opportunity for exploitation of air-gapped or other systems that do not talk to the internet.
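The following is an added defender-side audit script, not code from the AttackerKB assessment above, from Microsoft or from the linked write-up. It checks a Windows host for the artifacts the assessment describes: the Qt directory (absent on a default install), a qmldir trigger file that names qtquick2plugin, a dropped qtquick2plugin.dll and its Authenticode status, plus whether low-privileged groups can write to the directory. The paths are the ones given in the assessment; the function name, the severity labels and the group-name pattern are this example's own assumptions.

```powershell
# Added example (not from the AttackerKB post or Microsoft): audit a host for
# the OneDrive QtQuick DLL-hijack artifacts. Run from an elevated PowerShell so
# ACL, hash and signature queries succeed on every file.
function Test-OneDriveQtHijackArtifacts {
    [CmdletBinding()]
    param(
        # Path from the assessment; assumed default, override if needed.
        [string]$QmlDir = 'C:\Qt\Qt-5.11.1\qml\QtQuick.2.7'
    )

    $qmldirFile = Join-Path $QmlDir 'qmldir'
    $pluginDll  = Join-Path $QmlDir 'qtquick2plugin.dll'
    $findings   = New-Object 'System.Collections.Generic.List[object]'

    # Severity labels ('Info'/'Low'/'Medium'/'High') are this example's own scheme.
    function Add-Finding([string]$Severity, [string]$Message) {
        $findings.Add([pscustomobject]@{ Severity = $Severity; Message = $Message })
    }

    if (-not (Test-Path -LiteralPath $QmlDir -PathType Container)) {
        Add-Finding 'Info' "Qt directory not present: $QmlDir (expected on a default install)"
        return $findings
    }
    Add-Finding 'Low' "Qt directory present: $QmlDir (not created by a default Windows install)"

    # A directory that ordinary users can write to is what lets an unprivileged
    # account plant the trigger file and the DLL for a higher-privileged user to load.
    $acl = Get-Acl -LiteralPath $QmlDir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match 'Users|Everyone|Authenticated Users' -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') {
            Add-Finding 'Medium' "Directory writable by $($ace.IdentityReference): $QmlDir"
        }
    }

    # The trigger: a qmldir whose 'plugin' line names qtquick2plugin.
    if (Test-Path -LiteralPath $qmldirFile -PathType Leaf) {
        $content = Get-Content -LiteralPath $qmldirFile -Raw
        if ($content -match '(?m)^\s*plugin\s+qtquick2plugin\b') {
            Add-Finding 'High' "Trigger qmldir present and names qtquick2plugin: $qmldirFile"
        } else {
            Add-Finding 'Medium' "qmldir present but does not name qtquick2plugin: $qmldirFile"
        }
    }

    # The payload location: record hash, signer and timestamp for triage.
    if (Test-Path -LiteralPath $pluginDll -PathType Leaf) {
        $item   = Get-Item -LiteralPath $pluginDll
        $sig    = Get-AuthenticodeSignature -FilePath $pluginDll
        $hash   = (Get-FileHash -LiteralPath $pluginDll -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $sev    = if ($sig.Status -eq 'Valid') { 'Medium' } else { 'High' }
        Add-Finding $sev ("DLL present: {0} (signature {1}, signer {2}, SHA256 {3}, written {4})" -f `
            $pluginDll, $sig.Status, $signer, $hash, $item.LastWriteTime)
    }

    return $findings
}

# Usage: prints one row per finding; an empty result means none of the artifacts exist.
Test-OneDriveQtHijackArtifacts | Format-Table -AutoSize
```

The check deliberately treats a merely present Qt directory as a low-severity finding and only escalates when the qmldir names the plugin or a DLL sits at the load path, since a developer machine with a real Qt install will legitimately have the directory. A valid-signature DLL is still reported at medium severity so an analyst can confirm the signer rather than trusting the status alone.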