#############################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
#############################################################
#
# ID:      CVE-2018-6766
# Product: Swisscom TVMediaHelper
# Vendor:  Swisscom (Schweiz) AG
# Subject: DLL Side-Loading
# Finder:  Kushal Arvind Shah of Fortinet's FortiGuard Labs
# Coord:   Florian Badertscher (csirt _at_ swisscom.com)
# Date:    March 22nd 2018
#
#############################################################

Description
-----------
Swisscom TVMediaHelper contains a vulnerability that could allow a local
attacker to execute arbitrary code on the targeted system. This
vulnerability exists due to the way .dll files are loaded by Swisscom
TVMediaHelper. It allows an attacker to load a .dll of the attacker's
choosing that could execute arbitrary code without the user's knowledge.

The specific flaw exists within the handling of several DLLs (dwmapi.dll,
PROPSYS.dll, cscapi.dll, SAMLIB.dll, netbios.dll, winhttp.dll,
security.dll, ntmarta.dll, WindowsCodecs.dll, apphelp.dll) loaded by the
.exe process.

Product
-------
Swisscom TVMediaHelper version 1.1.0.50

Remediation
-----------
Swisscom TVMediaHelper is a legacy application and should not be used
anymore. Remove the application from the system.

Credits
-------
This vulnerability was discovered by Kushal Arvind Shah of Fortinet's
FortiGuard Labs.

Timeline
--------
Jun 15th 2017   Vulnerability reported to Swisscom Bug Bounty program
Aug 31st 2017   The vulnerable software has been removed
Feb 6th 2018    CVE-ID requested and assigned by MITRE
Mar 22nd 2018   Public release of advisory
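
Added example (not part of the original advisory and not Swisscom code): a check that lists files in an application folder whose names match the DLLs named in the Description, so they can be reviewed before the application is removed. It assumes the folder to scan is supplied by the operator, since the advisory does not give an install path; the function names and the sample files built in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

# DLL names listed in the advisory, lower-cased for case-insensitive matching.
ADVISORY_DLLS = {
    "dwmapi.dll", "propsys.dll", "cscapi.dll", "samlib.dll", "netbios.dll",
    "winhttp.dll", "security.dll", "ntmarta.dll", "windowscodecs.dll",
    "apphelp.dll",
}


def find_sideload_candidates(app_dir):
    """Return sorted (path, sha256) pairs for files under app_dir whose
    name matches one of the advisory's DLL names."""
    hits = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.lower() in ADVISORY_DLLS:
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Run the scan over a constructed directory (not a real install)."""
    with tempfile.TemporaryDirectory() as app_dir:
        os.mkdir(os.path.join(app_dir, "plugins"))
        # Constructed sample files: only WinHTTP.DLL matches the list.
        for rel in ("app.exe", "WinHTTP.DLL", os.path.join("plugins", "helper.dll")):
            with open(os.path.join(app_dir, rel), "wb") as fh:
                fh.write(b"constructed sample bytes")
        found = find_sideload_candidates(app_dir)
        return [(os.path.relpath(p, app_dir), h) for p, h in found]


if __name__ == "__main__":
    for rel_path, sha256 in demo():
        print(rel_path, sha256)
```

A match is a lead for review, not proof of tampering: compare the reported hash and location against a known-good copy of the same DLL.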