Windows Binary Planting DLL Preloading/Hijacking Bug

Use Netsparker


The big news that is turning the infosec world inside out this week is about a new DLL pre-loading/hijacking bug which effects more than 200 Windows applications including some produced by Microsoft itself.

The basis of this exploit is the way in which Windows works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations. This of course can and is being abused.

The big problem with is the fact that it can’t really be patched by Microsoft, each vulnerable application vendor needs to issue an update to their applications to fix the way in which they deal with DLL files.

The Microsoft Security Response Center has written about the issue here:

Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.

Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately.

More information about the DLL Preloading remote attack vector

Microsoft also has published some Registry tweaks which can change the default DLL library search behaviour (downloads are available for each version of Windows):

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Microsoft and quite a few other researchers have known about this for some time and have stated they won’t be patching it but will be looking at ways to address it in future versions of Windows.

MIcrosoft has told a researcher that it won’t patch a problem that has left scores of Windows applications open to attack. According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft’s, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications , including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.

Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.

Microsoft won’t patch critical DLL loading bugs

The attack code was posted yesterday to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live email and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint.

Some more info is available here:

Microsoft Binary Planting Bug: What You Need to Know

If you want to scan your own system you can do so here:

DLLHijackAuditKit v2

It includes complete instructions and the steps to scan for vulnerable apps, build test cases for each application and assemble an exploit.

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


4 Responses to Windows Binary Planting DLL Preloading/Hijacking Bug

  1. droope August 25, 2010 at 1:36 pm #

    Isn’t this like saying PHP is vulnerable because of mysql injection and XSS?

    • Darknet August 25, 2010 at 5:10 pm #

      You could equate it to that as it’s not technically a Windows flaw but a flaw in the architecture combined with sloppy programming. Not exactly like SQL Injection as that can be carried out in ASP/JSP/PHP etc and isn’t language or architecture specific.

      • droope August 25, 2010 at 7:53 pm #

        thanks for your reply

  2. anony August 26, 2010 at 8:25 am #

    DLL Hijacking isn’t new, it had been around since 2002 or earlier. What’s new is HD Moore’s tool that automatically exploits this.