CyFox vs Stremio - a primer in risk perception and discussion on vulnerability findings
Take action: When you are presented with the risk severity of a vulnerability, take time to learn about the different perspectives on a risk finding. No matter which side of the table you are on, the researcher who discovered an issue or the vendor making the product, hold a reasonable discussion and, if needed, push back with arguments to arrive at the proper risk perspective. This is a necessary step, especially when working with auditors.
Learn More
CyFox, a cybersecurity research firm, has recently reported what they claim is a critical hijacking vulnerability within Stremio 4.4. Stremio pushed back on the findings provided by CyFox in terms of severity of the attack. While we don't have a horse in the proverbial race between CyFox and Stremio, this event is an excellent example of perspectives of risk and the need for common understanding.
Stremio is a widely used software platform for streaming movies and TV shows that emphasises its security and privacy focus. As Stremio boasts over 5 million users who rely on the platform for their entertainment needs, this vulnerability seems to pose a significant risk to their data security.
We will summarize both arguments, and we will try to provide a sincere (if somewhat insulting) perspective on the interests of both parties. A good common understanding of risks and interests of security researchers and vendors helps avoid panic modes as well as ignoring a legitimate threat.
How do I use this information?
Learn about the different perspectives on a risk finding. Whether you are on the side that discovered the vulnerability or the side that produces the software found to be vulnerable, hold a reasonable discussion and, if needed, push back with arguments to arrive at the proper risk perspective and a reasonable remediation plan.
What is the problem that CyFox has discovered?
Stremio relies heavily on DLLs (Dynamic Link Libraries), a crucial component of Windows and many applications that enable a modular approach to software development, encouraging code reuse and accessing shared functions and resources for smooth operation.
CyFox termed the vulnerability "Application Directory DLL Planting"; it allows attackers to perform DLL (Dynamic Link Library) hijacking.
What is DLL Hijacking?
DLL hijacking is a cyber threat where malicious actors exploit insecurely loaded Dynamic Link Library files in software applications to execute unauthorized code and gain control over the targeted system.
Let's say there is a vulnerable application, "ExampleApp," that loads a Dynamic Link Library (DLL) called "vulnerable.dll" to perform certain functions. The application does not specify the full path of the DLL, relying on the default search order to locate it. An attacker places a malicious DLL named "malicious.dll" in a location where the application will search for DLLs before the intended "vulnerable.dll."
When a user runs "ExampleApp," it unknowingly loads "malicious.dll" instead of "vulnerable.dll" because the application finds the attacker's DLL first due to the default search order. As a result, the attacker's code executes instead of the intended functionality of "vulnerable.dll." This allows the attacker to gain unauthorized access, steal sensitive data, or perform other malicious actions on the system.
How does this vulnerability work in Stremio?
Per the report from CyFox, the vulnerability in Stremio arises from the use of two Windows API functions, LoadLibraryA and LoadLibraryExA, with the latter offering attackers the opportunity to plant malicious DLLs in the application directory, leading to unauthorized code execution.
In their research, CyFox identified four vulnerable DLL files within Stremio: SspiCli.dll, RTWorkQ.dll, profapi.dll, and UMPDC.dll. To highlight the severity of this vulnerability, the researchers successfully obtained a reverse shell on the remote target using msfvenom.
Attackers can exploit DLL hijacking in Stremio to achieve several malicious objectives, including:
- Remote Code Execution: By substituting legitimate DLLs with malicious ones, attackers can execute code remotely, gaining unauthorized access and potentially stealing sensitive data.
- Privilege Escalation: If an application with elevated privileges loads a vulnerable DLL from an untrusted location, attackers can execute code with elevated privileges, bypassing security controls.
- Information Theft: Attackers can intercept and manipulate sensitive data passing through the hijacked DLL, allowing them to steal login credentials and confidential information.
- System Compromise: This vulnerability can serve as an entry point for attackers to gain broader access to the system and potentially establish persistent backdoors.
How bad is it really?
Stremio has strongly disputed the severity of CyFox's finding and asserts that its software remains secure.
Per Stremio's response, the CyFox report describes an exploit involving DLL hijacking or planting, but Stremio contests the seriousness of the issue. According to Stremio, a successful attack requires:
- Initial unauthorized access to the victim's computer;
- A deliberate focus on exploiting Stremio on the victim's computer, when other, more commonly used applications that process more sensitive data could be attacked instead;
- For privilege escalation to work, the user would need to run Stremio as admin, and the application does not require admin rights to function on Windows;
- The vulnerability in question is seen as poor design at the level of the operating system.
What's going on right now?
Despite the dispute, CyFox published its report on its website and approached cyber security blogs to disseminate the findings. Interestingly enough, there is no published CVE entry with a CVSS score.
Several security blogs have refused to publish the issue as a vulnerability, while others have updated the news to stress that the issue is a common Windows application problem.
Who is correct?
As usual, the truth is somewhere in the middle.
- CyFox wants to represent themselves as a great cybersecurity team to drum up its business, so a critical severity finding is a great reference for them.
- Stremio wants customers to continue trusting them that they have produced secure software and also doesn't really want to burn too much time fixing an issue that they think is marginal.
For a user, the issue is real, but it's not a cause for panic. CyFox can claim the badge of a finding, but not a critical one. Exploitation would first require compromising the Windows device, which opens a lot more opportunities to an attacker than just Stremio.
Even if the target is just Stremio, the CVSS v3 severity score is at most in the 7.3 - 7.4 range, so High rather than Critical.
On the other hand, Stremio can implement several techniques to avoid DLL hijacking as development best practices, like using fully qualified DLL paths, setting secure DLL search paths, and enabling safe DLL loading, among others.
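The default search order from the "What is DLL Hijacking?" section and the mitigations listed above (fully qualified paths, restricted search directories), modelled in Python as an added example; this is not Stremio's code and not the real Windows loader. The `C:\App` directory, the file list and the function names `resolve_dll` and `shadowed_system_dlls` are constructed for the example; only the `LOAD_LIBRARY_SEARCH_*` flag values are real Windows constants.

```python
"""Model of the Windows DLL search that LoadLibraryA/LoadLibraryExA perform.
Constructed teaching model added for this article; not Stremio's code and not
the real loader. Paths, the file list and the planted copy are made up."""
from pathlib import PureWindowsPath

# Real flag values (libloaderapi.h) accepted by LoadLibraryEx/SetDefaultDllDirectories.
LOAD_LIBRARY_SEARCH_APPLICATION_DIR = 0x00000200
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800
SYSTEM32 = r"C:\Windows\System32"

def _norm(path):
    return str(PureWindowsPath(path)).lower()

def resolve_dll(name, present, app_dir, cwd, path_dirs=(), flags=0):
    """Return the path the loader would load for `name`, or None.

    `present` is the set of files that exist on the modelled disk. With no
    flags this follows the documented default order (SafeDllSearchMode on):
    application directory, System32 (16-bit/Windows dirs omitted), current
    directory, PATH. With LOAD_LIBRARY_SEARCH_* flags only the chosen
    directories are searched; a fully qualified name skips the search.
    """
    existing = {_norm(p) for p in present}
    if PureWindowsPath(name).is_absolute():
        return name if _norm(name) in existing else None
    if flags:
        candidates = []
        if flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR:
            candidates.append(app_dir)
        if flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
            candidates.append(SYSTEM32)
    else:
        candidates = [app_dir, SYSTEM32, cwd, *path_dirs]
    for directory in candidates:
        candidate = str(PureWindowsPath(directory) / name)
        if _norm(candidate) in existing:
            return candidate
    return None

def shadowed_system_dlls(app_dir_files, system32_files):
    """Defender check: DLL names in the application directory that collide
    with System32 DLLs, i.e. planted or stale copies the default order picks."""
    system = {PureWindowsPath(f).name.lower() for f in system32_files}
    return sorted(PureWindowsPath(f).name.lower() for f in app_dir_files
                  if PureWindowsPath(f).suffix.lower() == ".dll"
                  and PureWindowsPath(f).name.lower() in system)
```

Running `shadowed_system_dlls` over an install directory listing is a cheap audit for the four names CyFox reported: any hit is a file the default order would load ahead of the genuine system library.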