Public disclosure https://www.internetdownloadmanager.com/
Status : Not fixed (Latest version)
A simple DLL hijack vuln that I found while I was bored & had some time. (Played with the installer of IDM in a debugger.) This lets an attacker run their own code inside a process whose image is signed by IDM's publisher (abusing the trust placed in that certificate), which can defeat AV/EDR heuristics that key on the signer or on the call chain of the hosting process.
Steps to reproduce:
1. Open the IDM installer.
2. Set breakpoints on CreateFileW/DeleteFileW.
3. Notice that the installer extracts quite a lot of files under this folder: C:\Users\%username%\AppData\Local\Temp\IDM_Setup_Temp
IDM5.tmp is the file that we will be exploiting (x86 executable).
4. Open IDM5.tmp.
5. Set a breakpoint on LoadLibraryW.
6. Run IDM5.tmp.
Of course, at this point the LoadLibraryW breakpoint makes it obvious that our target is the "idmvs.dll" file ;)
We can see that, after it has finished loading "idmvs.dll", the file runs some sanity checks that the expected exports are present. On the attacker's side this is easily bypassed by exporting the same names from the malicious DLL.
Let's scroll up and see what happens before the loading of "idmvs.dll"
We can see a call to "GetFileAttributes". The file uses it as a simple existence check on "idmvs.dll": if the file exists, it goes on to verify the file's signature; if it does not, the signature check is skipped entirely, yet LoadLibraryW is still called on the same path.
Entire logic (in pseudo code):
.... Run IDM5.tmp
- GetFileAttributes(..idmvs.dll path)
- If (FileExists(..idmvs.dll path)) CheckIfSignatureIsValid(..idmvs.dll path)   // only refuses when a signature is present and bad
- LoadLibraryW(..idmvs.dll path)   // reached whether or not the check ran
Why is this logic flawed and exploitable?
If the file doesn't exist at the time of the GetFileAttributes check, no signature check is enforced, but LoadLibraryW is still called on the same path. An attacker only has to make sure "idmvs.dll" is absent when the check runs and present (with their own code) by the time LoadLibraryW opens it. This is a classic time-of-check/time-of-use race condition, and since the attacker is the one running IDM5.tmp, they control the timing. Note that even the path the check does take is racy: the signature is verified on a path, and LoadLibraryW later opens that path again, so a file swapped in between the verification and the load would also slip through.
- Attacker fetches the signed "IDM5.tmp" from some remote server onto the victim machine (it is a legitimate, signed binary, so it raises no flags on its own)
- Runs it with a malicious "idmvs.dll" placed at the path it loads from, hijacking the load
- Executes malicious code under a process signed by the publisher (Tonec)
- Profit? ..
Picture of hijack:
How to fix?
Loading of the library shall only happen if the file exists AND it has passed the signature check; a missing or unverifiable file must abort the load instead of falling through to LoadLibraryW. To close the remaining check/use gap, verify and load the same file handle rather than re-opening by path: open the DLL without write or delete sharing, verify the signature through that handle, and keep the handle open across the LoadLibraryW call.
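As an added example (my own model, not IDM's or Tonec's code), the following Python script reproduces both the flawed check-then-load logic analysed above and the fix just described, on a temporary directory. Everything in it is constructed: signature verification is stubbed (a file counts as "signed" when it starts with the marker b"SIGNED:", standing in for WinVerifyTrust), "loading" a DLL means reading its bytes so the return value shows which image got loaded, and an attacker thread plays the role of dropping or swapping idmvs.dll inside the check/load window. It also goes one step beyond the write-up's absent-file case by racing a genuinely signed file that is swapped after the check.

```python
"""Check-then-load race in miniature (added example; not IDM's or Tonec's code).

Models the IDM5.tmp logic from the write-up:
  GetFileAttributes -> (only if the file exists) verify signature -> LoadLibraryW
Signature verification is a stub: a file is "signed" when it starts with the
constructed marker b"SIGNED:". "Loading" means reading the bytes, so the
return value shows which image ended up loaded.
"""
import os
import tempfile
import threading

SIGNED_MARKER = b"SIGNED:"                                     # stand-in for Authenticode
SIGNED_DLL = SIGNED_MARKER + b"genuine idmvs.dll"               # constructed sample
MALICIOUS_DLL = b"MZ attacker idmvs.dll with faked exports"     # constructed sample


def signature_is_valid(data):
    """Stub for WinVerifyTrust: only the constructed marker counts as signed."""
    return data.startswith(SIGNED_MARKER)


def vulnerable_load(path, window=None):
    """IDM5.tmp as described: the signature check runs only when the file is
    present, and LoadLibraryW runs either way. `window` marks the gap between
    the check and the load that an attacker races into."""
    if os.path.exists(path):                         # GetFileAttributes
        with open(path, "rb") as f:
            if not signature_is_valid(f.read()):     # CheckIfSignatureIsValid
                return None                          # the only refusing path
    if window:
        window()
    try:
        with open(path, "rb") as f:                  # LoadLibraryW on the path again
            return f.read()
    except FileNotFoundError:
        return None


def fixed_load(path, window=None):
    """Read the image once, verify those exact bytes, and load only them.
    A missing file is refused, and whatever an attacker drops or swaps after
    the read is never the thing that gets loaded."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return None
    if window:
        window()
    return data if signature_is_valid(data) else None


def race_demo(loader, preexisting=None):
    """Run `loader` on idmvs.dll while an attacker thread writes MALICIOUS_DLL
    into the check->load window. `preexisting` seeds the file beforehand.
    Returns the loaded bytes, or None when nothing was loaded."""
    with tempfile.TemporaryDirectory() as tmp:
        dll = os.path.join(tmp, "idmvs.dll")
        if preexisting is not None:
            with open(dll, "wb") as f:
                f.write(preexisting)
        reached_window, dropped = threading.Event(), threading.Event()

        def attacker():
            reached_window.wait()                    # wait for the loader's gap
            with open(dll, "wb") as f:
                f.write(MALICIOUS_DLL)               # drop or overwrite idmvs.dll
            dropped.set()

        def window():
            reached_window.set()
            dropped.wait()                           # loader resumes after the drop

        t = threading.Thread(target=attacker)
        t.start()
        try:
            return loader(dll, window)
        finally:
            reached_window.set()                     # unblock attacker if loader bailed early
            t.join()


if __name__ == "__main__":
    print("absent at check, vulnerable:", race_demo(vulnerable_load))
    print("absent at check, fixed:     ", race_demo(fixed_load))
    print("signed then swapped, vuln:  ", race_demo(vulnerable_load, SIGNED_DLL))
    print("signed then swapped, fixed: ", race_demo(fixed_load, SIGNED_DLL))
```

The vulnerable loader hands back the attacker's bytes in both scenarios; the fixed loader refuses the absent file and loads the signed bytes it actually verified even though the file on disk was swapped underneath it. On Windows the equivalent of "verify the bytes you load" is to open the DLL with CreateFileW using a share mode of FILE_SHARE_READ only (so nobody can open it for write or delete), pass that handle through WINTRUST_FILE_INFO.hFile to WinVerifyTrust, and keep the handle open until LoadLibraryW has returned.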


