#############################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
#############################################################
#
# ID:      CVE-2018-6765
# Product: Swisscom MySwisscomAssistant
# Vendor:  Swisscom (Schweiz) AG
# Subject: DLL Side-Loading
# Finder:  Kushal Arvind Shah of Fortinet's FortiGuard Labs
# Coord:   Florian Badertscher (csirt _at_ swisscom.com)
# Date:    March 22nd 2018
#
#############################################################

Description
-----------
Swisscom MySwisscomAssistant contains a vulnerability that could allow
a local attacker to execute arbitrary code on the targeted system. This
vulnerability exists due to the way .dll files are loaded by Swisscom
MySwisscomAssistant. It allows an attacker to load a .dll of the
attacker's choosing that could execute arbitrary code without the
user's knowledge.

The specific flaw exists within the handling of several DLLs
(dwmapi.dll, IPHLPAPI.DLL, WindowsCodecs.dll, RpcRtRemote.dll,
CRYPTSP.dll, rasadhlp.dll, DNSAPI.dll, ntmarta.dll, netbios.dll,
olepro32.dll, security.dll, winhttp.dll, WINSTA.dll) loaded by the
.exe process.

Product
-------
Swisscom MySwisscomAssistant version 2.17.1.1065

Remediation
-----------
A new version with a fix for the vulnerability has been released.
Update to a version above 2.17.1.1065.

Credits
-------
This vulnerability was discovered by Kushal Arvind Shah of Fortinet's
FortiGuard Labs.

Timeline
--------
Jun 15th 2017   Vulnerability reported to Swisscom Bug Bounty program
Nov 30th 2017   A fixed version of the software published
Feb 6th 2018    CVE-ID requested and assigned by MITRE
Mar 22nd 2018   Public release of advisory
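
Added example (not part of the Swisscom advisory or the vendor's code): a triage check that looks for files in an application directory carrying one of the DLL names listed in the Description and compares each with the copy in the Windows system directory. The function names, the APP_DIR variable and the default paths are assumptions made for this example, as is the premise that the listed names are expected to load from the system directory.

```python
import hashlib
import os

# DLL names listed in the advisory's Description section.
ADVISORY_DLLS = {n.lower() for n in (
    "dwmapi.dll", "IPHLPAPI.DLL", "WindowsCodecs.dll", "RpcRtRemote.dll",
    "CRYPTSP.dll", "rasadhlp.dll", "DNSAPI.dll", "ntmarta.dll", "netbios.dll",
    "olepro32.dll", "security.dll", "winhttp.dll", "WINSTA.dll")}


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_planted_dlls(app_dir, system_dir):
    """Return findings for advisory-listed DLL names found under app_dir.

    Windows file names are case-insensitive, so names are compared lowercased.
    Each finding records whether the file is identical to the system_dir copy.
    """
    system_files = {}
    if os.path.isdir(system_dir):
        system_files = {n.lower(): os.path.join(system_dir, n)
                        for n in os.listdir(system_dir)}
    findings = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower() not in ADVISORY_DLLS:
                continue
            path = os.path.join(root, name)
            file_hash = sha256_of(path)
            reference = system_files.get(name.lower())
            same = reference is not None and sha256_of(reference) == file_hash
            findings.append({"path": path, "sha256": file_hash,
                             "matches_system_copy": same})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Assumed defaults: APP_DIR is a hypothetical variable naming the install
    # directory to check; the system directory is derived from SystemRoot.
    app = os.environ.get("APP_DIR", os.getcwd())
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for f in find_planted_dlls(app, sysdir):
        state = "same-as-system" if f["matches_system_copy"] else "DIFFERS"
        print(f["path"], f["sha256"], state)
```

A hit whose hash differs from the system copy is a candidate for closer inspection, not proof of compromise.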