The big news turning the infosec world inside out this week is a newly publicised DLL preloading/hijacking bug that affects more than 200 Windows applications, including some produced by Microsoft itself.
The basis of the attack is the way Windows loads the DLL files that applications depend on: if an application requests a DLL by name without specifying an absolute path, Windows searches a fixed sequence of locations (the application's own directory, the system directories, the current working directory and the directories on PATH) for a file with that name. An attacker who can place a DLL of the expected name in a location that is searched before the genuine copy, most often the current working directory, for instance a network share or WebDAV folder from which the user opens a document, gets that DLL loaded and run with the application's privileges. This can be, and is being, abused.
The big problem is that it can't really be patched by Microsoft centrally: each vendor of a vulnerable application has to issue an update that changes how the application loads its DLLs.
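To see which file an unqualified LoadLibrary call would actually pick up on a given machine, the following is an added example (not code from the article or from any of the tools it mentions) that walks the documented Windows search order and reports where the loader would stop. The function and parameter names, and the application directory and share used in the usage line, are this example's own; run it on the Windows host you are assessing, where it only reads the filesystem and registry.

```powershell
# Added example: resolve a bare DLL name the way the Windows loader would, and flag
# whether a copy dropped in the current working directory would be the one loaded.
function Resolve-DllSearchPath {
    param(
        [Parameter(Mandatory)] [string] $DllName,         # bare name, as passed to LoadLibrary
        [Parameter(Mandatory)] [string] $ApplicationDir,  # directory the .exe was loaded from
        [string] $WorkingDir = (Get-Location).Path,       # CWD the process would have, e.g. a share holding a document
        [bool]   $SafeDllSearchMode = $true               # HKLM\...\Session Manager\SafeDllSearchMode (default 1)
    )
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $windowsDir = [Environment]::GetFolderPath('Windows')
    $system32   = [Environment]::GetFolderPath('System')
    $system16   = Join-Path $windowsDir 'System'
    $pathDirs   = $env:PATH -split ';' | Where-Object { $_.Trim() -ne '' }

    # KnownDLLs are always taken from the system directory; no directory search happens at all.
    $knownDlls = (Get-ItemProperty -Path "$sessionMgr\KnownDLLs").PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
    if ($knownDlls -contains $DllName) {
        return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $system32; Position = 0; Reason = 'KnownDLL'; CwdWins = $false }
    }

    # With SafeDllSearchMode on, CWD is searched only after the system directories;
    # with it off, CWD comes right after the application directory.
    $order = if ($SafeDllSearchMode) {
        @($ApplicationDir, $system32, $system16, $windowsDir, $WorkingDir) + $pathDirs
    } else {
        @($ApplicationDir, $WorkingDir, $system32, $system16, $windowsDir) + $pathDirs
    }

    # CWDIllegalInDllSearch (KB2264107) can drop CWD from the order: 0xFFFFFFFF (reads back as -1) always,
    # 2 when CWD is remote (UNC or WebDAV), 1 when it is WebDAV. A UNC-prefix test approximates the remote cases.
    $cwdPolicy   = (Get-ItemProperty -Path $sessionMgr -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $cwdIsRemote = $WorkingDir -like '\\*'
    if ($cwdPolicy -eq -1 -or (($cwdPolicy -eq 1 -or $cwdPolicy -eq 2) -and $cwdIsRemote)) {
        $order = $order | Where-Object { $_ -ne $WorkingDir }
    }

    $position = 0
    foreach ($dir in $order) {
        $position++
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $dir; Position = $position; Reason = 'first hit'; CwdWins = ($dir -eq $WorkingDir) }
        }
    }
    # Found nowhere: the classic preloading case. If CWD is still in the order, a file planted there
    # would become the first (and only) hit for this name.
    [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $null; Position = $null; Reason = 'not found'; CwdWins = ($order -contains $WorkingDir) }
}

# Hypothetical paths: an application in Program Files opening a document from a remote share.
Resolve-DllSearchPath -DllName 'optional.dll' -ApplicationDir 'C:\Program Files\ExampleApp' -WorkingDir '\\fileserver\docs'
```

A result with `Reason = 'not found'` and `CwdWins = $true` is the pattern the audit tools discussed on this page look for: the application asks for a DLL that is not present in any directory searched before the working directory, so whoever controls that directory controls what gets loaded.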
The Microsoft Security Response Center has written about the issue here:
Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications requires the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.
Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately.
More information about the DLL Preloading remote attack vector
Microsoft has also published registry tweaks that change the default DLL search behaviour (downloads are available for each version of Windows):
A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
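The registry value behind that tweak can be set and audited directly. The following is an added example (not the article's and not Microsoft's Fix-it package) that writes the CWDIllegalInDllSearch value system-wide or for a single executable via Image File Execution Options, reads it back, and checks that SafeDllSearchMode has not been switched off. Function names and the executable name in the usage lines are this example's own; run it from an elevated PowerShell, and note that the value is only honoured once the KB2264107 update is installed (later Windows versions build it in).

```powershell
# Added example: set and audit the CWDIllegalInDllSearch hardening value from KB2264107.
$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Meaning of CWDIllegalInDllSearch (REG_DWORD):
#   absent / 0 : current working directory stays in the search order (default, the weak setting)
#   1          : CWD skipped when it is a WebDAV folder
#   2          : CWD skipped when it is any remote location (WebDAV or UNC share)
#   0xFFFFFFFF : CWD never searched (strongest; can break applications that rely on it)
# PowerShell writes -1 as DWORD 0xFFFFFFFF, and reads that value back as Int32 -1.
$PolicyValues = @{ Default = $null; BlockWebDav = 1; BlockRemote = 2; BlockAlways = -1 }

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('Default', 'BlockWebDav', 'BlockRemote', 'BlockAlways')] [string] $Mode,
        [string] $ImageName   # e.g. 'legacy.exe' for a per-application override; omit for the system-wide setting
    )
    $key = if ($ImageName) { Join-Path $Ifeo $ImageName } else { $SessionMgr }
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $value = $PolicyValues[$Mode]
    if ($null -eq $value) {
        # 'Default' removes the override so the system-wide setting (or Windows' default) applies again.
        Remove-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $key -Name CWDIllegalInDllSearch -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Get-CwdDllSearchPolicy {
    param([string] $ImageName)
    $key = if ($ImageName) { Join-Path $Ifeo $ImageName } else { $SessionMgr }
    $raw = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    if ($null -eq $raw) { return 'Default (CWD is searched)' }   # switch on $null would match nothing
    switch ($raw) {
        1       { 'BlockWebDav' }
        2       { 'BlockRemote' }
        -1      { 'BlockAlways' }
        default { "Unknown ($raw)" }
    }
}

function Test-SafeDllSearchMode {
    # Absent or 1 = safe mode on (CWD searched after the system directories); 0 = CWD searched right after the app dir.
    $v = (Get-ItemProperty -Path $SessionMgr -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    return ($null -eq $v -or $v -ne 0)
}

# Usage (hypothetical executable name):
Set-CwdDllSearchPolicy -Mode BlockRemote                          # system-wide: no DLLs from remote shares or WebDAV CWDs
Set-CwdDllSearchPolicy -Mode BlockAlways -ImageName 'legacy.exe'  # one image that must never load from its CWD
Get-CwdDllSearchPolicy
Get-CwdDllSearchPolicy -ImageName 'legacy.exe'
Test-SafeDllSearchMode
```

BlockRemote (2) is the setting that stops the remote-share and WebDAV delivery route without disturbing applications that legitimately load helper DLLs from a local working directory; BlockAlways is safer but should be tested per application, which is what the per-image override is for.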
Microsoft, and quite a few researchers, have known about this for some time; Microsoft has stated it won't be patching the loader behaviour itself but will look at ways to address it in future versions of Windows.
Microsoft has told a researcher that it won’t patch a problem that has left scores of Windows applications open to attack. According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft’s, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications, including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.
Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.
Microsoft won’t patch critical DLL loading bugs
The attack code was posted yesterday to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live email and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint.
Some more info is available here:
Microsoft Binary Planting Bug: What You Need to Know
If you want to scan your own system you can do so here:
It includes complete instructions and the steps to scan for vulnerable apps, build test cases for each application and assemble an exploit.
droope says
Isn’t this like saying PHP is vulnerable because of MySQL injection and XSS?
Darknet says
You could equate it to that as it’s not technically a Windows flaw but a flaw in the architecture combined with sloppy programming. Not exactly like SQL Injection as that can be carried out in ASP/JSP/PHP etc and isn’t language or architecture specific.
droope says
thanks for your reply
anony says
DLL Hijacking isn’t new, it has been around since 2002 or earlier. What’s new is HD Moore’s tool that automatically exploits this.