CVE-2024-48091
📋 TL;DR
Tally Prime Edit Log v2.1 contains a DLL hijacking vulnerability in TextShaping.dll that allows attackers to execute arbitrary code by placing a malicious DLL in a location where the application searches for it. This affects users running Tally Prime Edit Log v2.1 on Windows systems. Attackers could gain control of affected systems if they can place malicious files in accessible directories.
💻 Affected Systems
- Tally Prime Edit Log
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining administrative privileges, data theft, ransomware deployment, and persistent backdoor installation.
Likely Case
Local privilege escalation or code execution in the context of the user running Tally Prime Edit Log, potentially leading to lateral movement within the network.
If Mitigated
Limited impact due to restricted file permissions, application sandboxing, or user running with minimal privileges.
🎯 Exploit Status
Exploitation requires local access or ability to write to directories the application searches. DLL hijacking is a well-known technique but specific exploit details aren't publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Tally Solutions for latest version
Vendor Advisory: https://tallysolutions.com/download/
Restart Required: No
Instructions:
1. Visit https://tallysolutions.com/download/ 2. Download latest version of Tally Prime Edit Log 3. Install update 4. Verify TextShaping.dll is properly signed and located in correct directory
🔧 Temporary Workarounds
Restrict DLL search paths
WindowsUse application control policies to restrict where Tally Prime Edit Log can load DLLs from
Set secure DLL search order
WindowsConfigure Windows to use SafeDllSearchMode to prevent loading DLLs from current directory
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Restrict file permissions to prevent unauthorized users from writing to application directories
- Run Tally Prime Edit Log with minimal user privileges to limit impact of successful exploitation
🔍 How to Verify
Check if Vulnerable:
Check if Tally Prime Edit Log v2.1 is installed and if TextShaping.dll can be replaced in application directoriesCheck Version:
Check application properties or About dialog in Tally Prime Edit LogVerify Fix Applied:
Verify installed version is newer than v2.1 and check DLL signatures/hashes📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading events in Windows Event Logs (Security/System)
- Process creation from Tally Prime Edit Log with unusual parent processes
Network Indicators:
- Unusual outbound connections from Tally Prime Edit Log process
SIEM Query:
Process creation where parent process contains 'tally' AND (command line contains unusual DLL paths OR image loaded from unusual locations)