dtimage.exe security issue fixed in dtSearch 7.77

Article: dts0235

Applies to: dtSearch Desktop/Network versions 7.76 and earlier

Component affected

dtimage.exe is used in dtSearch Desktop/Network to implement the "View as Image" function. It uses a third-party image viewing component, imgman32.dll, to display images associated with text files such as original TIFF and JPG images of OCR text files. The dtimage.exe and imgman32.dll components are not used in dtSearch Publish, dtSearch Web, or by any redistributable dtSearch Engine components.

When viewing a text file in dtSearch Desktop/Network, you can click View > View as Image to have dtSearch locate one or more image files with the same base name as the text file. When "View as Image" is clicked, dtSearch Desktop invokes dtimage.exe to open the images.

Security issue

A security researcher has reported a possible DLL planting vulnerability affecting the imgman32.dll component. dtSearch Corp. has advised the vendor of the third-party component of the report and has received an updated version of the component that fixes the possible vulnerability. The following is based on preliminary information we have received. We will update this article when the vendor has published a detailed description of the vulnerability.

According to the security researcher, the vulnerability potentially affects imgman32.dll in cases where (1) a user is tricked into opening an image file that is (2) in the same folder as a maliciously-created DLL, and (3) the mechanism used to open the image causes the third-party library to load the maliciously-created DLL because the current working directory has been changed to the location of the malicious DLL.

As imgman32.dll is used in dtSearch, the vulnerability could be exploited as follows: (1) an end-user opens the dtimage.exe program, either by clicking "View as Image" in dtSearch Desktop or by opening dtimage.exe from Windows Explorer; (2) the user clicks File > Open in dtimage.exe to open a new image file; (3) the user navigates in the File Open dialog box to a folder containing both an image file and a maliciously-created DLL; (4) the user selects the image file.

dtSearch Desktop always launches dtimage.exe with the current working directory set to the location of the dtSearch program files. Therefore, we do not believe that it is possible for the vulnerability to be exploited merely by invoking the "View as Image" function within dtSearch Desktop. Other additional manual steps, such as those enumerated above, would be required.

dtimage.exe is not associated with any filename extensions so it cannot be invoked by clicking on links in a web browser or clicking on files in Windows Explorer.

Recommended update

dtSearch Corp. recommends that all users upgrade to version 7.77 to eliminate the potential vulnerability. To obtain the update, run dtSearch Desktop and click Help > Check for Updates > Check Now.

dtSearch 7.77 removes dtimage.exe, imgman32.dll, and related components from the dtSearch installation, disabling the "View as Image" function.