version.dll strikes again

DLL Hijacking in WhatsApp Desktop, Microsoft Windows.

When version.dll is planted in c:\Users\%username%\appdata\local\whatsapp\ you will receive a shell every time WhatsApp is launched by the user, when the computer starts and when the user tries to uninstall it.

many malware will take advantage of DLL preloading vulnerabilities, but many vendor are of the mind-set that if they are already in, they are already in, perhaps this softens the blow of them facilitating malware and potentially ensuring infection longevity.

I say, it's exploitable, there may be other routes to plant these files, don't afford known opportunities and null any unknown opportunities.

PoC:

https://www.youtube.com/embed/o7oOYNz-Aws


Resources: