A long-standing DLL hijacking weakness in the Windows Narrator accessibility tool has resurfaced, prompting considerable concern among security researchers.
The flaw lets attackers abuse the tool, putting at risk the security of systems that rely on it for accessibility features.
Originally flagged in 2013 by the researcher Hexacorn, the issue persists in current builds of Windows 10 and 11, allowing an attacker who already holds local administrator privileges to execute code covertly, establish persistence, and support remote lateral movement.
Recent investigations by TrustedSec, inspired by methodologies drawn from VX-Underground repositories, shed light on how commonplace accessibility features can be weaponized for malevolent purposes.
The technique capitalizes on Narrator.exe’s loading of MSTTSLocOneCoreEnUS.dll from the directory %windir%\system32\speech_onecore\engines\tts.
By replacing this DLL with a malicious one, an attacker gains arbitrary code execution as soon as Narrator starts, without the DLL needing to export any functions.
The DLL’s DllMain attach function activates the payload; however, researchers have refined this tactic to suspend the main thread of Narrator, thereby muting the tool’s audio output and eliminating visual indicators that might alert users.
A proof-of-concept available on GitHub illustrates this evasion, maintaining Narrator in a frozen state while executing custom code clandestinely.
User-Level Persistence via Registry Modifications
Attackers can embed this hijacking technique to ensure automatic execution upon user logon by altering registry settings.
Specifically, under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility, the creation of a REG_SZ value labeled “configuration” set to “Narrator” initiates the DLL upon user login.
TrustedSec confirmed in testing that this provides seamless persistence across logoff and logon, with the malicious DLL loading silently in the background.
The method requires no privileges beyond those obtained in the initial compromise, making it an attractive mechanism for maintaining persistence within user environments.
Furthermore, the technique can extend to SYSTEM-level persistence by implementing the same registry modifications under HKLM, thus launching Narrator at the login interface with elevated privileges.
Lateral movement complicates matters further: attackers possessing remote registry access via utilities like Impacket can deploy the DLL and adjust HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 0.
Subsequent RDP connections to the target facilitate triggering Narrator using Ctrl+Win+Enter at login, executing the malicious payload as SYSTEM before the user session concludes, ensuring rapid process migration for prolonged access.
Researchers have also showcased a novel approach termed “Bring Your Own Accessibility,” constructing bespoke accessibility tools through registry exports and imports, which link to arbitrary executables, including UNC network paths for remote payload delivery.
Launching such a tool with ATBroker.exe /start adds further flexibility. While no CVE has been assigned, the case underscores the risk posed by unmitigated legacy behaviour in accessibility features, and organizations are urged to monitor registry changes and DLL load paths closely.
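The registry values and DLL path named above are concrete, checkable indicators. The following read-only audit script is an added example written for this page; it is not code from the article, TrustedSec, or the GitHub proof-of-concept. It checks the Authenticode signature of the DLL Narrator loads, looks for the Accessibility "configuration" auto-start value under HKCU and HKLM, reports an RDP-Tcp SecurityLayer of 0, and lists registered accessibility tools whose launch path points to a UNC share. Two assumptions: that the HKLM Accessibility key mirrors the HKCU path the article gives, and that "Bring Your Own Accessibility" tools are registered under the Accessibility\ATs subkey (that subkey name is not in the article).

```powershell
# Added example: read-only audit for the Narrator DLL hijack indicators described above.
# Run from an elevated PowerShell prompt so the HKLM keys and system32 are readable.
# Nothing here modifies the registry or the file system.

$findings = @()

# 1. Is the DLL that Narrator.exe loads still the Microsoft-signed original?
$dll = Join-Path $env:windir 'system32\speech_onecore\engines\tts\MSTTSLocOneCoreEnUS.dll'
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
        $findings += "DLL signature check failed for $dll (status: $($sig.Status))"
    }
} else {
    $findings += "Expected DLL not found: $dll"
}

# 2. Accessibility 'configuration' value that auto-starts an accessibility tool at logon.
$accKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Accessibility',   # path from the article
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Accessibility'    # assumed mirror of the HKCU path
)
foreach ($key in $accKeys) {
    if (-not (Test-Path $key)) { continue }
    $cfg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).configuration
    if ($cfg) {
        $findings += "$key\configuration = '$cfg' (accessibility tool auto-start at logon)"
    }

    # 3. Registered accessibility tools ("Bring Your Own Accessibility").
    # Assumption: tools are registered as subkeys of Accessibility\ATs (not stated in the article).
    $atsKey = Join-Path $key 'ATs'
    if (Test-Path $atsKey) {
        foreach ($at in Get-ChildItem -Path $atsKey -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $at.PSPath -ErrorAction SilentlyContinue
            foreach ($name in 'StartExe', 'ATExe') {
                $exe = $props.$name
                if ($exe -and ($exe -like '\\*' -or -not ($exe -like "$env:windir*"))) {
                    $findings += "$($at.PSChildName): $name = '$exe' (non-system or UNC launch path)"
                }
            }
        }
    }
}

# 4. RDP SecurityLayer lowered to 0, which exposes the logon screen (and Ctrl+Win+Enter)
#    to an unauthenticated RDP client.
$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$layer = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
if ($layer -eq 0) {
    $findings += "$rdpKey\SecurityLayer = 0 (pre-authentication access to the logon screen)"
}

if ($findings.Count -eq 0) {
    'No Narrator hijack indicators found.'
} else {
    $findings
}
```

The HKCU check only covers the user running the script; to audit every profile on a host, load each user's NTUSER.DAT hive (or query the corresponding HKU\<SID> path) and repeat the Accessibility check there. A legitimate deployment may set the "configuration" value deliberately, so treat a hit as something to confirm against the organization's accessibility baseline rather than as proof of compromise; the DLL signature failure and a SecurityLayer of 0 are the stronger signals.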
Source link: Cybersecuritynews.com.