VMWare Horizon 5.4 DLL Hijacking

VMWare Horizon client version 5.4 suffers from a dll hijacking vulnerability.

MD5 | c00ff52553fc03783e70e427c0ab7515

# Exploit Title: [vmware horizon client 5.4 - DLL Hijacking]
# Date: [date]
# Discoverer: [Owais Mehtab, Tayeeb Rana]
# Vendor Homepage: [https://vmware.com]
# Software Link: [https://my.vmware.com/web/vmware/details?productId=331&downloadGroup=VIEWCLIENTS_WIN64_540]
# Version: [5.4]
# Tested on: [Win7 Sp1]

VMWare Horizon Client 5.4 other versions may also be affected

The application suffers from dll hijacking vulneravbility since it looks for a dll named Trutil.dll without explicitly calling it from absolute path


create a malicious dll and place it under the vmware horizon client installation folder or any folder that is defined in PATH variable named as Trutil.Dll

Now wait for service/application to start to get shell.

Related Posts