VYPR
High severity · NVD Advisory · Published Apr 11, 2023 · Updated Jan 23, 2025

.NET DLL Hijacking Remote Code Execution Vulnerability

CVE-2023-28260

Description

.NET DLL Hijacking Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

.NET DLL hijacking vulnerability allows remote code execution by loading a runtime DLL from an attacker-controlled location.

Vulnerability

Analysis

CVE-2023-28260 is a DLL hijacking vulnerability affecting .NET 6.0 and .NET 7.0 on Windows. The root cause lies in how the .NET runtime resolves and loads its DLLs—under certain conditions, the runtime can be tricked into loading a DLL from an unexpected, potentially attacker-controlled directory instead of the intended system path [1]. This occurs because the .NET runtime does not sufficiently restrict the search path or validate the origin of DLLs it loads, allowing a specially crafted DLL placed in an alternate location to be loaded into the process [1].

Exploitation

To exploit this vulnerability, an attacker would need to place a malicious DLL in a directory that the .NET runtime searches before the legitimate system path. On Windows, the DLL search order can be influenced by placing a file in the current working directory, the application directory, or any directory in the PATH environment variable that appears before the target directory. The attack does not require authentication, but the attacker must have some mechanism to deliver the malicious DLL to the victim's system—for example, by enticing the user to open a file from a network share or a web download that places the DLL in a location searched by the runtime [1]. The vulnerability is classified as remote code execution because the malicious DLL can be delivered remotely (e.g., via a website or email attachment), and when the .NET application loads the runtime DLL, the attacker's code executes within the context of the application [1].

Impact

Successful exploitation grants the attacker arbitrary code execution at the privilege level of the .NET application. Depending on the application's configuration, this could lead to full system compromise, data theft, or installation of malware. The CVSS score is not provided in the references, but the impact is rated as high by Microsoft, consistent with remote code execution vulnerabilities [1][2].

Mitigation

Microsoft has released updates for .NET 6.0 and .NET 7.0 to address this vulnerability. Users should update to .NET 6.0.16 (or later) and .NET 7.0.5 (or later) to obtain the fix [1]. Developers are advised to ensure their applications are rebuilt and redeployed with the patched runtime. No mitigations have been identified by Microsoft; installation of the latest .NET version is the recommended course of action [1].
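A defender-side check for the update guidance above, added here as an example and not part of the advisory or of Microsoft's tooling: it parses the output of `dotnet --list-runtimes` (a real CLI command; the sample output embedded below is constructed, not captured from a host) and flags installed Microsoft.NETCore.App shared runtimes that fall inside the advisory's affected ranges (>= 6.0.0, < 6.0.16 and >= 7.0.0, < 7.0.5). Treating the Microsoft.NetCore.App.Runtime.win-* NuGet packages as the installed Microsoft.NETCore.App shared runtime, the function names, and the semver-style handling of prerelease suffixes are this example's assumptions.

```python
"""Inventory check for CVE-2023-28260 (example code, not from the advisory)."""
import re
import subprocess
from typing import List, Tuple

# Assumption: the advisory's Microsoft.NetCore.App.Runtime.win-* packages ship
# the shared runtime that `dotnet --list-runtimes` reports under this name.
RUNTIME_NAME = "Microsoft.NETCore.App"

# One line of `dotnet --list-runtimes` has the shape
#   Microsoft.NETCore.App 6.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+(?:-\S+)?)\s+\[(?P<path>.+)\]\s*$"
)


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Order key for a runtime version string.

    As in semantic versioning, a prerelease build sorts below the release it
    precedes ('6.0.16-preview.2' < '6.0.16'), so a preview of the first patched
    build is still reported as affected.
    """
    core, _, prerelease = version.partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    return major, minor, patch, 0 if prerelease else 1


# Affected ranges from the advisory's affected-packages table:
# lower bound inclusive, upper bound (the first patched version) exclusive.
AFFECTED_RANGES = [
    (version_key("6.0.0"), version_key("6.0.16")),
    (version_key("7.0.0"), version_key("7.0.5")),
]


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = version_key(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_runtime_list(output: str) -> List[Tuple[str, str, str]]:
    """Classify every Microsoft.NETCore.App line of `dotnet --list-runtimes` output.

    Returns (version, install path, verdict) tuples; the verdict is 'affected'
    or 'not affected' with respect to this advisory's ranges only. Lines for
    other shared frameworks (ASP.NET Core, Windows Desktop) are skipped.
    """
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("name") != RUNTIME_NAME:
            continue
        version = m.group("version")
        verdict = "affected" if is_affected(version) else "not affected"
        findings.append((version, m.group("path"), verdict))
    return findings


def scan_host() -> List[Tuple[str, str, str]]:
    """Run the real `dotnet --list-runtimes` on this machine and scan its output."""
    proc = subprocess.run(
        ["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True
    )
    return scan_runtime_list(proc.stdout)


# Constructed sample output (not from a real host) covering the cases a scan
# must distinguish: an unpatched 6.0 build, a prerelease of the first patched
# 6.0 build, the first patched 7.0 build, and a version outside both ranges.
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 6.0.15 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.15 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.16-preview.2 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.5 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.1 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with scan_host() to check the local machine.
    for version, path, verdict in scan_runtime_list(SAMPLE_OUTPUT):
        print(f"{verdict:13} {RUNTIME_NAME} {version} [{path}]")
```

Self-contained deployments bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`, which is why the advisory also tells developers to rebuild and redeploy with the patched runtime; those applications have to be inventoried separately.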

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Ecosystem  Affected versions    Patched versions
Microsoft.NetCore.App.Runtime.win-arm     NuGet      >= 7.0.0, < 7.0.5    7.0.5
Microsoft.NetCore.App.Runtime.win-arm     NuGet      >= 6.0.0, < 6.0.16   6.0.16
Microsoft.NetCore.App.Runtime.win-arm64   NuGet      >= 7.0.0, < 7.0.5    7.0.5
Microsoft.NetCore.App.Runtime.win-arm64   NuGet      >= 6.0.0, < 6.0.16   6.0.16
Microsoft.NetCore.App.Runtime.win-x86     NuGet      >= 7.0.0, < 7.0.5    7.0.5
Microsoft.NetCore.App.Runtime.win-x86     NuGet      >= 6.0.0, < 6.0.16   6.0.16
Microsoft.NetCore.App.Runtime.win-x64     NuGet      >= 6.0.0, < 6.0.16   6.0.16
Microsoft.NetCore.App.Runtime.win-x64     NuGet      >= 7.0.0, < 7.0.5    7.0.5

Affected products: 32

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0
No linked articles in our index yet.