Archived security papers and articles in various languages.
# Visit http://digitalacropolis.us/?p=113 to see a html version of this paper # ---------------------------------------------------------------------------- # Title: Exploiting DLL Hijack in the real world # Date: 27/08/2010 # Author: Bruno Filipe (diwr) - bmilreuatgmail.com # ---------------------------------------------------------------------------- Dll hijacking is the new hype on Windows exploiting. This vulnerability is caused by a misbehavior practiced by all versions of Windows, as far as I’m concerned. This misbehavior can be found explained in this MSDN page <link at bottom> (see Remarks). Note that many people consider this flaw a feature and not a real bug because it was intended to be made this way by Microsoft. I strongly disagree as I can’t think of a single legitimate usage of a dll being loaded from the same directory of a opened file. I won’t go into minor details about this issue, as they can be found in reference links at the bottom of this article. I recommend reading them first if you don’t know what Dll Hijacking is. Basically, it works by creating a custom malicious dll and putting it in the same directory of a clean file. When this clean file is opened by a vulnerable application, your custom dll will be loaded and your code executed. This malicious dll must have specific filenames for each vulnerable application, which can be discovered using any simple debugging tool. There are vulnerabilities in many major programs, so it’s possible to bundle a dll with almost any filetype, like pdf, html, jpg, mp3, avi, ANYTHING. Even some programs included with Windows are vulnerable. Peter Eeckhoute from corelan team started an unofficial list that you might want to check <link at bottom>. You’re almost certainly using many exploitable applications so it’s a must to check there if you use Windows regardless of it’s version or edition. This is a major security issue that affects every Windows version and cannot be patched universally as it would break many existing applications. Inside this article I’ll also provide some tips about how you can try to protect yourself and your network. There’s no bullet-proof solution at this moment but you can certainly avoid getting exploited in many cases. This article is focused on showing how this flaw can be exploited in a real world scenario from an attacker’s side. This is important because there are many possible attack vectors that can be used either making use of another vulnerability or even some simple social engineering. I’ll explain some of them and how can be possibly avoided by an user or sysadmin. * Using a SMB/WebDav shared folder This is perhaps the most common way dll hijacking is being used, probably because it can be exploited remotely. There are already a module for Metasploit which uses this vector. It works by putting together a malicious dll and a clean file that triggers it inside a share and then making your target open this clean file. Remember a shared folder link always starts with double slashes like \\126.96.36.1990. Real world examples: 1. Attacker sends a shared folder link to a victim. Victim opens and sees some .html files and double-clicks one of them. When a vulnerable browser or application opens this file it loads a dll directly from this share, and victim is now infected. 2. Attacker posts a link in a forum that looks like a http link but redirects victim to a shared folder. Victim opens a simple .pdf file and gets infected. 3. Attacker gains access to a trusty website and puts iframes or redirects to his share. Victim trusts this site and opens a mp3 file inside the shared folder and… gets infected as well. 4. Attacker uses the .lnk bug or any browser vulnerability together with any of above examples and thus increase his infect rate. Tip: This kind of attack can be neutralized blocking any outbound connection to a smb/webdav share. Ports are 445 and 135. * A compressed package (.zip, .tar.gz, .rar etc) This vector can be exploited by putting together a bunch of clean files and a malicious dll inside a compressed folder/package. Target will extract these files and open one of them, getting attacker’s dll loaded. Real world example: 1. Attacker compresses 30 jpg pictures and a dll in a zip file. Victim extracts everything to a folder and double-clicks one of the pictures. Infected. I won’t provide any other example of this because it’d look the same. Tip: Before opening any kind of file, specially downloaded from the internet, check if there’s any dll file in the same directory. Don’t forget to enable show hidden files and show all extensions on your Folder Options. It’s also recommended to move only the files you need to open to another directory created by you. This should make you safe. * Torrents This one is kinda nasty and can be very effective to contaminate large amounts of people. A torrent can contain large numbers of files and can be used to get a malicious dll downloaded together with clean files without being noticed. This is very dangerous, specially if a big torrent tracker or database can be compromised. Real world examples: 1. Attacker posts a custom torrent in a public tracker, which contains a pack of mp3′s and a malicious dll. Victim goes listen it’s new song album and get infected. 2. Attacker gains admin access to a torrent database (this actually happened to ThePirateBay not so long ago) and changes a legitimate high-traffic torrent for a infected one. This could cause a massive infection in a matter of minutes. Tip: Same tip as above. Make sure there are no dlls in the current folder before opening any kind of file. If you own a tracker or database make sure your webserver and/or database are not vulnerable to any kind of vulnerability like SQL injections, XSS etc. * Exploiting multiple application hijacks We have not seen yet a real world malware that uses dll hijacks to it’s max but one of the ways attackers can (and will) use to increase their success rate is putting multiple dlls to exploit the same filetype. Real world example: * Attacker shares a folder which contains a bunch of .avi files and three malicious dlls: one for VLC, other for MediaPlayer Classic and, finally, the last one for Winamp. Attacker can now exploit three apps in the same attack, increasing the chance of victim getting infected. These are just some of the many ways we might seem this breach being exploited in real world in a very near future. You might wanna check all vulnerable apps and discover your own way or you can also try to discover your own vulnerable apps using this kit, provided by HD Moore (creator of Metasploit) <link at bottom>. - Bruno Filipe (diwr) Links: [MSDN page] http://msdn.microsoft.com/en-us/library/ms686203%28VS.85%29.aspx [hdm’s DLL Hijack Audition kit and instructions] http://blog.metasploit.com/2010/08/better-faster-stronger.html [Rapid7 Blog advisory about DLL Hijacking flaw] http://blog.rapid7.com/?p=5325 [Corelan blog – Unofficial list of vulnerable apps] http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/ [exploit-db list of vulnerable apps] http://www.exploit-db.com/dll-hijacking-vulnerable-applications/ [Sample DreamWeaver CS5 exploit] http://www.exploit-db.com/exploits/14740/