Overwolf Local Privilege Escalation (Ghost DLL)

Special thanks to @Chriss_WH who discovered this with me.

This vulnerability is pretty straightforward. Any basic user can go to SYSTEM level by dropping a CRYPTBASE.dll into the c:\ProgramData\Overwolf\Overwolf\Overwoldupdater directory.

I submitted this to Overwolf on 01/29/2020.

On 05/03/2020 they told me I can post about it.


Installed Overwolf.

Dropped the malicious DLL CRYPTBASE.dll into the c:\ProgramData\Overwolf\Overwolf\Overwoldupdater directory.

Then restarted the OverWolfupdater service. This service will then load the DLL as SYSTEM, as shown in the procmon output in the next image.

Restarted the service OverWolfupdater while running procmon and found the ghost DLL being called with SYSTEM permissions. Since the permissions allow the Everyone group to write to the directory c:\ProgramData\Overwolf\Overwolf\Overwoldupdater, where the DLL CRYPTBASE.dll is loaded as SYSTEM, this allows an escalation of privileges to SYSTEM.
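For anyone who wants to check a machine for the two conditions that make this bug work (a directory writable by standard users, and a SYSTEM service probing that directory for a DLL that is not there), here is a defensive PowerShell script. This is an added example, not code from the original write-up or from Overwolf. It assumes the directory path named above; the Procmon CSV rows and the process name OverwolfUpdater.exe in the sample data are constructed for the example, not taken from a real capture.

```powershell
# Added defensive example (not from the original write-up or from Overwolf).
# Assumptions: the directory is the one named in the post; the Procmon CSV
# excerpt below is constructed to mirror the "ghost DLL" pattern described
# (a SYSTEM service probing a user-writable directory for a missing DLL).

# The directory named in the write-up.
$ServiceDir = 'C:\ProgramData\Overwolf\Overwolf\Overwoldupdater'

# Principals every standard user belongs to. An Allow ACE for one of these
# that permits creating files is the precondition for planting a DLL.
# Caveat: custom groups are not covered; extend the list for your environment.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# CreateFiles (0x2) is the right needed to drop a file. GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000) can appear un-mapped in an ACE
# and imply it, so they are part of the mask too.
$FilePlantMask = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-WeakDirectoryAces {
    # Returns every Allow ACE on $Path that lets a low-privilege principal
    # create files there. No output means standard users cannot plant a DLL.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $FilePlantMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Find-GhostDllProbes {
    # Scans Procmon CSV rows for the signature seen in the write-up: a
    # CreateFile on a .dll under $Directory that returns NAME NOT FOUND.
    # A probe like this from a SYSTEM process into a user-writable directory
    # is the hijack opportunity.
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,
        [Parameter(Mandatory)][string]$Directory
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        if ($row.Operation -ne 'CreateFile') { continue }
        if ($row.Result -ne 'NAME NOT FOUND') { continue }
        if ($row.Path -notlike '*.dll') { continue }
        if ($row.Path -notlike "$Directory\*") { continue }
        [pscustomobject]@{
            Process = $row.'Process Name'
            PID     = $row.PID
            Dll     = $row.Path
        }
    }
}

function Repair-DirectoryAcl {
    # Strips every grant for the weak principals found by Get-WeakDirectoryAces.
    # Inheritance is disabled with a copy of the inherited ACEs first, because
    # inherited entries cannot be removed in place. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $weak = @(Get-WeakDirectoryAces -Path $Path)
    if ($weak.Count -eq 0) { return 0 }
    $identities = @($weak.Identity | Select-Object -Unique)
    if ($PSCmdlet.ShouldProcess($Path, "remove write-capable ACEs for $($identities -join ', ')")) {
        icacls.exe $Path /inheritance:d | Out-Null
        foreach ($identity in $identities) {
            # icacls takes SIDs prefixed with '*', which avoids name localisation issues.
            $sid = ([System.Security.Principal.NTAccount]$identity).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            icacls.exe $Path /remove:g "*$sid" | Out-Null
        }
    }
    return $weak.Count
}

# Constructed Procmon export (not a real capture): the first row is the ghost
# DLL probe into the writable directory, the second is the fallback to System32.
$SampleProcmonCsv = @(
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    '"10:15:01.0000000","OverwolfUpdater.exe","4120","CreateFile","C:\ProgramData\Overwolf\Overwolf\Overwoldupdater\CRYPTBASE.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
    '"10:15:01.0000100","OverwolfUpdater.exe","4120","CreateFile","C:\Windows\System32\CRYPTBASE.dll","SUCCESS","Desired Access: Read Attributes"'
)

Find-GhostDllProbes -CsvLines $SampleProcmonCsv -Directory $ServiceDir | Format-Table -AutoSize

if (Test-Path -LiteralPath $ServiceDir) {
    Get-WeakDirectoryAces -Path $ServiceDir | Format-Table -AutoSize
    # Preview only; drop -WhatIf from an elevated shell to apply the change.
    Repair-DirectoryAcl -Path $ServiceDir -WhatIf
}
```

Run against the sample data, Find-GhostDllProbes reports only the first row: the probe for CRYPTBASE.dll under the Overwolf directory that came back NAME NOT FOUND. On a real Procmon export (File > Save as CSV) pass the file contents via Get-Content. Repair-DirectoryAcl removes all rights for the weak principals, reads included; the updater runs as SYSTEM so it is unaffected, and if standard users genuinely need to read the directory, re-grant ReadAndExecute only, never CreateFiles or Modify.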


I am assuming Overwolf has fixed it, since they told me I can now post. I have not tested again to confirm their fix is in place.