Vulnerabilities / Threats
10/28/2010
12:29 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Windows Still Vulnerable To DLL Hijacking

Even patched applications aren't safe from bug, says ACROS security researcher.

Image Slideshow: Windows 7 Revealed
(click image for larger view)
Slideshow: Windows 7 Revealed

Even patched Windows applications remain vulnerable to dynamic link library (DLL) hijacking -- aka DLL planting and DLL loading -- attacks due to the erratic way in which Windows attempts to load DLLs.

That warning comes from a security advisory released on Wednesday by ACROS Security.

How can attackers take advantage of the DLL vulnerability? According to Microsoft: "When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path name, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting." As a result, attackers can execute arbitrary code using the current user's access level.

To help developers code applications that avoid this DLL-hijacking vulnerability, Microsoft had released SetDllDirectory. This function allows developers to eliminate the current working directory from Windows DLL searches, to frustrate attackers who might otherwise use that directory to hide malicious DLL files.

But developers can't rely on SetDllDirectory, because it behaves erratically, at least on Windows XP Professional 32 bit, Windows Vista Business 32 and 64 bit, and Windows 7 Professional 32 bit, said Mitja Kolsek, CEO of Acros Security.

The issue is that Windows often botches relative file location searches. "Until Microsoft fixes this bug, any application that sets user or system path can unwittingly make your application vulnerable to binary planting if you're loading libraries from relative paths," he said. Furthermore, even when developers write absolute paths, Windows may still treat them as relative ones, or alter other important variables after users log off and log back in.

To help, Kolsek urged developers to "use absolute, fully qualified paths to DLLs when loading them." While that won't block every type of DLL-hijacking attack, it will mitigate many of them.

Note that Microsoft's current DLL-hijacking hotfix does still work, at least against certain types of attacks. "This hotfix successfully blocks DLL loads from the current working directory if configured properly, even if relative locations are found in the PATH," said Kolsek. That said, it will not block executable files from exploiting the DLL hijacking vulnerability. To date, according to Secunia, a vulnerability information provider, 211 applications are vulnerable to DLL-hijacking attacks. So far, however, only 25 have been patched.

Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
All Videos
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.
UPCOMING!
Wednesday, September 3, 1pm EDT

The Best of the Rest of Black Hat: The Best for Last?
FULL SCHEDULE | ARCHIVED SHOWS