cve/2020/CVE-2020-13110.md

CVE-2020-13110

Description

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.

POC

Reference

• https://medium.com/@kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd
• https://medium.com/@kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd
• https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package/
• https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package/

Github

• https://github.com/ARPSyndicate/cvemon