DLL-hijacking in Sysinternals-related tools (and maybe others) #39683

Open
@Einstein2150

Description

Microsoft PowerToys version

0.88.0

Installation method

GitHub

Area(s) with issue?

General

Steps to reproduce

Plant a vulnerable DLL (i.e. TextShaping.dll) in the directory of PowerToys and run ZoomIt or TextExtractor. The DLL is overwritten and the modified code is executed.

https://www.foto-video-it.de/2025/allgemein/disclosure-dll-hijacking-in-microsoft-powertoys/

https://youtu.be/55IVsDigXQ4

✔️ Expected Behavior

PowerToys must load the DLLs in every case from a secure location i.e. system32

❌ Actual Behavior

DLL-hijacking is possible

Additional Information

There is a potential fix for this but it must be reviewed: #39682

The vulnerability was already reported to the MSRC with Submission number VULN-146963 / Case number 94736 more than 90 days ago ...

Other Software

No response
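
A defender-side check for the condition reported above, as an added example that is not part of the original issue or of the PowerToys code: it lists DLLs in an application directory whose file name also exists in System32, with their Authenticode status and whether they match the system copy. The `-AppDir` parameter and the output column names are assumptions of this example; the issue does not give an install path.

```powershell
# Added example (not from the issue): find DLLs in an application directory
# that share a file name with a DLL in System32 and could be loaded in its place.
param(
    # Assumption: the caller supplies the install directory to audit.
    [Parameter(Mandatory = $true)]
    [string]$AppDir
)

$system32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -LiteralPath $AppDir -Filter '*.dll' -File -Recurse |
    ForEach-Object {
        $systemCopy = Join-Path $system32 $_.Name

        # Only a name that also exists in System32 can shadow a system DLL.
        if (Test-Path -LiteralPath $systemCopy -PathType Leaf) {
            $sig       = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $localHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sysHash   = (Get-FileHash -LiteralPath $systemCopy -Algorithm SHA256).Hash

            [pscustomobject]@{
                Path         = $_.FullName
                Signature    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SameAsSystem = ($localHash -eq $sysHash)
                LastWriteUtc = $_.LastWriteTimeUtc
            }
        }
    } |
    Sort-Object Signature, Path |
    Format-Table -AutoSize -Wrap
```

Rows with a `Signature` other than `Valid`, or with `SameAsSystem` false and an unexpected signer, are the ones to review first.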

Labels: Issue-Bug (Something isn't working), Needs-Triage (For issues raised to be triaged and prioritized by internal Microsoft teams)
