Unrated severity · NVD Advisory · Published Oct 18, 2022 · Updated May 13, 2025

CVE-2021-3305

Description

Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Feishu v3.40.3 contains an untrusted search path vulnerability that could allow an attacker to execute arbitrary code by placing a malicious DLL in a directory searched by the application.

Vulnerability

Feishu v3.40.3, a collaboration platform by Beijing Feishu Technology Co., Ltd., suffers from an untrusted search path vulnerability [1]. The application loads dynamic-link libraries (DLLs) from directories that may be writable or controllable by a local attacker, such as the current working directory or other user-writable paths. This occurs when the application does not restrict the search order for required DLLs, allowing a malicious DLL placed in a search path to be loaded instead of the legitimate one.

Exploitation

An attacker with local access to the system or the ability to place files in a directory searched by Feishu (e.g., via a shared folder or removable media) can exploit this vulnerability. The attacker must craft a malicious DLL with the same name as a DLL that Feishu attempts to load. When Feishu starts or performs an operation that triggers the DLL load, the malicious DLL is executed in the context of the Feishu process. No additional authentication or user interaction beyond launching the application is required.

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the Feishu process. This can lead to full compromise of the user's system, including data theft, installation of malware, or further lateral movement within a network. The impact is limited to systems where Feishu is installed and the attacker can write to a directory in the search path.

Mitigation

As of the publication date (2022-10-18), no official patch or fixed version has been disclosed by the vendor [1]. Users should restrict write access to directories in the application's search path, avoid running Feishu from untrusted locations, and monitor for vendor updates. If the application is no longer supported, consider replacing it with an alternative.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
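
The mitigation above asks for write access to be restricted on directories in the application's search path. The following PowerShell audit is an added example, not code from the advisory or the vendor; `$AppDir` is a placeholder for the real install directory, and the function name `Get-WritableSearchDir` is hypothetical. It checks Allow entries for broad principals only and does not evaluate Deny entries or group membership.

```powershell
# Added example: list DLL search-path directories where broad, non-admin
# principals may create files. $AppDir is a placeholder (assumption).
param(
    [string]$AppDir = 'C:\Path\To\Application'
)

# Well-known SIDs, used instead of names so the check is locale-independent.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Bits that allow creating a file or subdirectory inside a directory.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$sidType   = [System.Security.Principal.SecurityIdentifier]
$inhOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableSearchDir {
    param([string[]]$Directory)
    foreach ($dir in ($Directory | Where-Object { $_ } | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A search-path entry that does not exist is reported for review.
            [pscustomobject]@{ Directory = $dir; Principal = '(missing)'; Rights = 'n/a' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.PropagationFlags -band $inhOnly) { continue }  # not applied to the directory itself
            if (-not $broadSids.ContainsKey($sid)) { continue }
            if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

# Audit the application directory plus every PATH entry of the current session.
$targets = @($AppDir) + ($env:PATH -split ';')
Get-WritableSearchDir -Directory $targets | Format-Table -AutoSize
```

Any row in the output is a directory whose ACL should be tightened or which should be removed from the search path.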

Affected products

2

Patches

0

No patches discovered yet.

References

3
