25 August 2010

Windows Binary Planting DLL Preloading/Hijacking Bug


The big news that is turning the infosec world inside out this week is a new DLL preloading/hijacking bug which affects more than 200 Windows applications, including some produced by Microsoft itself.

The basis of this exploit is the way Windows loads the DLL files that many applications depend on: if an application calls for a DLL without specifying an absolute path, Windows searches a fixed list of locations for a file of that name, including the current working directory. That search order can be, and is being, abused.

The big problem with it is the fact that it can’t really be patched by Microsoft; each vulnerable application vendor needs to issue an update to its own application to fix the way it loads DLL files.

The Microsoft Security Response Center has written about the issue here:

Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.

Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately.

More information about the DLL Preloading remote attack vector

Microsoft also has published some Registry tweaks which can change the default DLL library search behaviour (downloads are available for each version of Windows):

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
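As an added illustration (not code from the original post or from Microsoft), the model below replays the search order described above for a DLL requested by bare name, and shows what the CWDIllegalInDllSearch registry values change. Every directory, file name and the share are constructed for the example; the point to notice is that only a DLL the application does not ship, and that is absent from the system directories, falls through to the working directory.

```python
# Model of the Windows DLL search order (SafeDllSearchMode on, the default
# since XP SP2) and of the CWDIllegalInDllSearch mitigation. Constructed
# for illustration; all directories and files below are invented.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
REMOVE_CWD = 0xFFFFFFFF   # CWDIllegalInDllSearch: never search the CWD
BLOCK_REMOTE_CWD = 2      # skip the CWD only when it is a UNC/WebDAV share
BLOCK_WEBDAV_CWD = 1      # skip the CWD only when it is a WebDAV share

def search_order(app_dir, cwd, path_dirs, setting=0,
                 cwd_remote=False, cwd_webdav=False):
    """Directories Windows probes, in order, for a DLL named without a path."""
    order = [app_dir, *SYSTEM_DIRS]
    cwd_blocked = (setting == REMOVE_CWD
                   or (setting == BLOCK_REMOTE_CWD and cwd_remote)
                   or (setting == BLOCK_WEBDAV_CWD and cwd_webdav))
    if not cwd_blocked:
        order.append(cwd)          # the step the bug relies on
    return order + list(path_dirs)

def resolve(dll_name, files, order):
    """First directory in `order` holding dll_name, or None (the load fails)."""
    for directory in order:
        present = {f.lower() for f in files.get(directory, ())}
        if dll_name.lower() in present:
            return directory + "\\" + dll_name
    return None

# Constructed scenario: a viewer opens a document from a share the user does
# not control, so the process's working directory is that share.
APP = r"C:\Program Files\Viewer"
SHARE = r"\\fileserver\docs"
FILES = {
    APP: {"viewer.exe", "helper.dll"},            # helper.dll ships with the app
    r"C:\Windows\System32": {"kernel32.dll"},
    SHARE: {"report.doc", "helper.dll", "optional.dll"},  # same-named copies
}
PATH = [r"C:\Tools"]

def demo(setting=0):
    """Where each bare-name load lands under a given registry setting."""
    order = search_order(APP, SHARE, PATH, setting, cwd_remote=True)
    return {name: resolve(name, FILES, order)
            for name in ("helper.dll", "optional.dll")}

if __name__ == "__main__":
    print("default:  ", demo())            # optional.dll comes from the share
    print("hardened: ", demo(REMOVE_CWD))  # optional.dll is not found at all
```

The application's own helper.dll is safe in both runs because the application directory is searched first; the optional component it does not ship is what the registry setting, or an absolute path in the application, protects.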

Microsoft and quite a few other researchers have known about this for some time and have stated they won’t be patching it but will be looking at ways to address it in future versions of Windows.

Microsoft has told a researcher that it won’t patch a problem that has left scores of Windows applications open to attack. According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft’s, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications, including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.

Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.

Microsoft won’t patch critical DLL loading bugs

The attack code was posted yesterday to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live email and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint.

Some more info is available here:

Microsoft Binary Planting Bug: What You Need to Know

If you want to scan your own system you can do so here:

DLLHijackAuditKit v2

It includes complete instructions and the steps to scan for vulnerable apps, build test cases for each application and assemble an exploit.


4 Responses to “Windows Binary Planting DLL Preloading/Hijacking Bug”

  1. droope 25 August 2010 at 1:36 pm

    Isn’t this like saying PHP is vulnerable because of mysql injection and XSS?

    • Darknet 25 August 2010 at 5:10 pm

      You could equate it to that as it’s not technically a Windows flaw but a flaw in the architecture combined with sloppy programming. Not exactly like SQL Injection as that can be carried out in ASP/JSP/PHP etc and isn’t language or architecture specific.

  2. anony 26 August 2010 at 8:25 am

    DLL Hijacking isn’t new, it had been around since 2002 or earlier. What’s new is HD Moore’s tool that automatically exploits this.