A long-standing DLL hijacking vulnerability has been identified in the Windows Narrator accessibility tool.
The flaw lets attackers abuse the tool, potentially compromising systems that rely on it for accessibility features.
First noted in reports by researcher Hexacorn dating back to 2013, the flaw persists in current Windows 10 and 11 builds, allowing attackers with local administrator privileges to achieve stealthy code execution, persistence, and even remote lateral movement.
TrustedSec's finding, which came from mining tactics in VX-Underground repositories, highlights how everyday accessibility features can be weaponized for malicious ends.
The technique exploits Narrator.exe’s loading of the MSTTSLocOneCoreEnUS.dll from the path %windir%\system32\speech_onecore\engines\tts.
By replacing this DLL with a malicious version, attackers can execute arbitrary code when Narrator launches, without the DLL needing to export any functions.
The payload runs from the DLL's DllMain on process attach, and the researchers refined it to suspend Narrator's main thread, silencing the tool's voice output and preventing the visual cues that could alert users.
A proof-of-concept on GitHub demonstrates this evasion, freezing Narrator while running custom code undetected.
Attackers can embed this hijack to automatically execute at logon by modifying the registry.
Under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility, creating a REG_SZ value named "configuration" set to "Narrator" launches Narrator, and with it the DLL, at user logon.
TrustedSec tests confirmed seamless persistence post-logoff, with the malicious DLL loading silently. This method requires no elevated privileges beyond initial access, making it ideal for maintaining footholds in user contexts.
For broader impact, the technique extends to SYSTEM-level persistence by applying the same registry change under HKLM, launching Narrator at the login screen with elevated privileges.
Lateral movement adds another layer: attackers with remote registry access via tools like Impacket can deploy the DLL and alter HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 0.
An RDP connection to the target then allows Narrator to be triggered with Ctrl+Win+Enter at the logon screen, executing the payload as SYSTEM before the session closes, which forces a quick process migration for sustained access.
Researchers also demonstrated "Bring Your Own Accessibility," registering custom accessibility tools (ATs) by exporting and importing registry keys that point to arbitrary executables, including UNC network paths for remote payload delivery.
Launching such a tool with ATBroker.exe /start adds further flexibility. No CVE has been assigned yet, but the finding underscores the risk of unpatched legacy behaviour in accessibility features, and organizations are urged to monitor these registry keys and DLL paths rigorously.
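A defender-side audit of the three artifacts the article names (the Narrator DLL's signature, the Accessibility "configuration" value in HKCU and HKLM, and the RDP SecurityLayer setting), as an added PowerShell example that is not TrustedSec's code or the article's own; it assumes PowerShell 5.1 or later on the Windows host being checked.

```powershell
# Added example (not from the article or TrustedSec): audit a host for the
# Narrator DLL-hijack indicators described above. Run in an elevated shell.
$Findings = @()

# 1. The DLL Narrator.exe loads: it should still carry a valid Microsoft signature.
$Dll = Join-Path $env:windir 'System32\speech_onecore\engines\tts\MSTTSLocOneCoreEnUS.dll'
if (Test-Path $Dll) {
    $Sig = Get-AuthenticodeSignature -FilePath $Dll
    # SignerCertificate is only populated when Status is Valid, so the -or short-circuits safely.
    if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $Findings += "Unsigned or non-Microsoft DLL at $Dll (signature status: $($Sig.Status))"
    }
} else {
    # Not present on every build; absence alone is not an indicator.
    Write-Verbose "DLL not present, signature check skipped: $Dll"
}

# 2. Accessibility 'configuration' value: 'Narrator' auto-launches Narrator at user
#    logon (HKCU) or at the logon screen as SYSTEM (HKLM). Treat as suspect unless the
#    user is known to auto-start Narrator intentionally.
foreach ($Hive in 'HKCU', 'HKLM') {
    $Key = "${Hive}:\Software\Microsoft\Windows NT\CurrentVersion\Accessibility"
    $Cfg = (Get-ItemProperty -Path $Key -Name 'configuration' -ErrorAction SilentlyContinue).configuration
    if ($Cfg) { $Findings += "$Key\configuration = '$Cfg'" }
}

# 3. RDP SecurityLayer lowered to 0, which exposes the logon screen over RDP.
$Rdp   = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Layer = (Get-ItemProperty -Path $Rdp -Name 'SecurityLayer' -ErrorAction SilentlyContinue).SecurityLayer
if ($Layer -eq 0) { $Findings += "$Rdp\SecurityLayer = 0" }

if ($Findings.Count -eq 0) { 'No Narrator-hijack indicators found.' }
else { $Findings | ForEach-Object { "FINDING: $_" } }
```

Each finding is a lead to verify, not proof of compromise; an unexpected DLL hash or a stray "configuration" value should be compared against a known-good host before acting.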