April 8, 2022
Notion.exe loads quite a few DLLs that are not found in the default install directory of the app itself. It also loads a few that can be outright replaced with a malicious DLL. So the mechanics of the hijack work completely fine.
TL;DR on finding a hijackable DLL: using Procmon, filter for “Path contains dll and Result contains NOT FOUND” and select from the ones that show up when you launch the app.
Or, you can do what I did here, and simply yeet one of the DLLs in the app with reckless abandon and swap it with a Cobalt Strike beacon. Hope that doesn’t do too much damage to the app.
The absolute best possible scenario is to find a DLL that is listed as NAME NOT FOUND and never resolves to another location on disk. If this happens, you have a blank check.
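As an added example (not part of Husky's note), here is a small Python triage of a Procmon CSV export that applies the filter above and then separates the DLLs that later resolve somewhere else on disk from the ones that never resolve at all, the "blank check" case, so an application owner knows which lookups to pin to an absolute path or remove. The CSV rows, process, paths and DLL names are constructed, and the column layout assumes Procmon's default CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed Procmon CSV export (assumed default column layout of File > Save > CSV);
# every row, path and DLL name below is made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:01.0000000 PM","Notion.exe","4242","CreateFile","C:\\Users\\u\\AppData\\Local\\Programs\\Notion\\EXAMPLE-RESOLVED.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:00:01.0000010 PM","Notion.exe","4242","CreateFile","C:\\Windows\\System32\\EXAMPLE-RESOLVED.dll","SUCCESS","Desired Access: Read Attributes"
"1:00:01.0000020 PM","Notion.exe","4242","CreateFile","C:\\Users\\u\\AppData\\Local\\Programs\\Notion\\EXAMPLE-MISSING.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:00:01.0000030 PM","Notion.exe","4242","CreateFile","C:\\Windows\\System32\\EXAMPLE-MISSING.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:00:01.0000040 PM","Notion.exe","4242","CreateFile","C:\\Users\\u\\AppData\\Local\\Programs\\Notion\\EXAMPLE-MISSING.dll","PATH NOT FOUND","Desired Access: Read Attributes"
"1:00:01.0000050 PM","other.exe","100","CreateFile","C:\\Windows\\System32\\EXAMPLE-MISSING.dll","SUCCESS","Desired Access: Read Attributes"
"""


def dll_lookups(csv_text, process_name):
    """Group one process's .dll lookups by DLL name (case-insensitive).
    Returns {dll_name: {"missing": [paths with a NOT FOUND result],
                        "resolved": [paths with a SUCCESS result]}}."""
    lookups = defaultdict(lambda: {"missing": [], "resolved": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != process_name:
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if "NOT FOUND" in row["Result"]:  # NAME NOT FOUND or PATH NOT FOUND
            lookups[name]["missing"].append(path)
        elif row["Result"] == "SUCCESS":
            lookups[name]["resolved"].append(path)
    return dict(lookups)


def never_resolved(csv_text, process_name):
    """DLL names the process searched for but never found anywhere: the
    'blank check' case, and the first lookups a vendor should pin or drop."""
    return sorted(name for name, v in dll_lookups(csv_text, process_name).items()
                  if v["missing"] and not v["resolved"])


if __name__ == "__main__":
    for name, v in dll_lookups(SAMPLE_CSV, "Notion.exe").items():
        print(name, "missed in", len(v["missing"]), "dirs; resolved at:", v["resolved"])
    print("never resolved:", never_resolved(SAMPLE_CSV, "Notion.exe"))
```

A DLL that shows up as NOT FOUND in the app directory but later as SUCCESS under System32 is the ordinary search-order case; only the entries in the never-resolved list are searched for and never satisfied.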
DLL proxying can be used here to minimize the potential issues with DLL hijacking, but that’s outside the scope of this little experiment. Check out my article on this for more info:
So DLL hijacking is not the issue.
It’s what happens next that messes things up. I think the Notion application makes use of application sandboxing:
Why do I say this? Well, turns out that when you hijack a Notion.exe DLL, your beacon spawns as soon as someone opens the app. Awesome! And even better, if your beacon dies, the app loads the DLL again and a new one spawns as long as the Notion.exe process is still running. Sweet!
As a red teamer, things are looking good!
But then...
The beacon can’t invoke cmd.exe to run any commands! The ps command can still be used to invoke the API to check the process list, but there’s only a single process: Notion.exe
Furthermore, this beacon can’t see anything in the file system!
All signs point to the Notion app being sandboxed. Bravo, Notion devs! You made my life as a red teamer more difficult.
Interestingly, I was able to inject into the same process and spawn a TCP and SMB beacon... in the exact same process context. No ground gained!
Some thoughts on where to go from here:
- This process must have some kind of access to the rest of the OS in order to perform its routine activities. Perhaps inspecting the command line args when this process is launched would be enlightening.
- If there’s some kind of command injection capability, it might be possible to escape the sandbox. But I admit this is a bit over my head.
I’d love to hear if anyone has run into anything like this before and found a way around it.
More to follow.
-Husky