Nytro

Exploiting dll hijack in real world


# Visit Exploiting DLL Hijack in the real world to see an HTML version of this paper

# ----------------------------------------------------------------------------

# Title: Exploiting DLL Hijack in the real world

# Date: 27/08/2010

# Author: Bruno Filipe (diwr) - bmilreu[]at[]gmail.com

# ----------------------------------------------------------------------------

DLL hijacking is the new hype in Windows exploitation. This vulnerability is caused by a misbehavior practiced by all versions of Windows, as far as I'm concerned. This misbehavior is explained on this MSDN page <link at bottom> (see Remarks). Note that many people consider this flaw a feature and not a real bug because Microsoft intended it to work this way. I strongly disagree, as I can't think of a single legitimate use for a DLL being loaded from the same directory as an opened file.

I won't go into minor details about this issue, as they can be found in the reference links at the bottom of this article. I recommend reading them first if you don't know what DLL hijacking is. Basically, it works by creating a custom malicious DLL and placing it in the same directory as a clean file. When this clean file is opened by a vulnerable application, your custom DLL will be loaded and your code executed. This malicious DLL must have a specific filename for each vulnerable application, which can be discovered using any simple debugging tool.

There are vulnerabilities in many major programs, so it's possible to bundle a DLL with almost any file type: pdf, html, jpg, mp3, avi, ANYTHING. Even some programs included with Windows are vulnerable. Peter Van Eeckhoutte from the Corelan team started an unofficial list that you might want to check <link at bottom>. You're almost certainly using many exploitable applications, so it's a must to check there if you use Windows, regardless of its version or edition.

This is a major security issue that affects every Windows version and cannot be patched universally, as doing so would break many existing applications. In this article I'll also provide some tips on how you can try to protect yourself and your network. There's no bullet-proof solution at this moment, but you can certainly avoid getting exploited in many cases.

This article focuses on showing how this flaw can be exploited in a real-world scenario from an attacker's side. This is important because there are many possible attack vectors, which can make use of another vulnerability or even some simple social engineering. I'll explain some of them and how they can possibly be avoided by a user or sysadmin.

* Using an SMB/WebDAV shared folder

This is perhaps the most common way DLL hijacking is being used, probably because it can be exploited remotely. There is already a module for Metasploit which uses this vector. It works by putting a malicious DLL and a clean file that triggers it together inside a share and then making your target open this clean file. Remember that a shared folder link always starts with double backslashes, like \\123.45.67.890.

Real world examples:

1. Attacker sends a shared folder link to a victim. The victim opens it, sees some .html files and double-clicks one of them. When a vulnerable browser or application opens this file, it loads a DLL directly from the share, and the victim is now infected.

2. Attacker posts a link in a forum that looks like an http link but redirects the victim to a shared folder. The victim opens a simple .pdf file and gets infected.

3. Attacker gains access to a trusted website and puts iframes or redirects to his share on it. The victim trusts this site, opens an mp3 file inside the shared folder and... gets infected as well.

4. Attacker uses the .lnk bug or any browser vulnerability together with any of the above examples and thus increases his infection rate.

Tip: This kind of attack can be neutralized by blocking any outbound connection to an SMB/WebDAV share. Ports are 445 and 135.

* A compressed package (.zip, .tar.gz, .rar etc.)

This vector can be exploited by putting a bunch of clean files and a malicious DLL together inside a compressed folder/package. The target will extract these files and open one of them, getting the attacker's DLL loaded.

Real world example:

1. Attacker compresses 30 jpg pictures and a DLL in a zip file. The victim extracts everything to a folder and double-clicks one of the pictures. Infected.

I won't provide any other example of this because it'd look the same.

Tip: Before opening any kind of file, especially one downloaded from the internet, check if there's any DLL file in the same directory. Don't forget to enable "show hidden files" and "show all extensions" in your Folder Options. It's also recommended to move only the files you need to open to another directory created by you. This should make you safe.

* Torrents

This one is kinda nasty and can be very effective at contaminating large numbers of people. A torrent can contain large numbers of files and can be used to get a malicious DLL downloaded together with clean files without being noticed. This is very dangerous, especially if a big torrent tracker or database gets compromised.

Real world examples:

1. Attacker posts a custom torrent on a public tracker, which contains a pack of mp3s and a malicious DLL. The victim goes to listen to his new album and gets infected.

2. Attacker gains admin access to a torrent database (this actually happened to ThePirateBay not so long ago) and swaps a legitimate high-traffic torrent for an infected one. This could cause a massive infection in a matter of minutes.

Tip: Same tip as above. Make sure there are no DLLs in the current folder before opening any kind of file. If you own a tracker or database, make sure your webserver and/or database are not vulnerable to any kind of vulnerability like SQL injection, XSS etc.

* Exploiting multiple application hijacks

We have not yet seen real-world malware that uses DLL hijacks to its max, but one of the ways attackers can (and will) use to increase their success rate is placing multiple DLLs to exploit the same file type.

Real world example:

* Attacker shares a folder which contains a bunch of .avi files and three malicious DLLs: one for VLC, another for Media Player Classic and, finally, the last one for Winamp. The attacker can now exploit three apps in the same attack, increasing the chance of the victim getting infected.
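The two tips above ("check if there's any DLL file in the same directory" and "make sure there are no DLLs in the current folder") and the multi-DLL example just described boil down to one defensive check: list every .dll that arrived alongside the data files, before you extract an archive or double-click anything in a downloaded folder. The script below is an added example, not part of the original post or of any tool it mentions; it scans either a directory tree or a zip archive without extracting it, groups the hits by directory, and uses case-insensitive matching because Windows treats `PIC.DLL` and `pic.dll` alike. The sample archive it builds (30 jpgs plus a DLL, and an .avi folder with three DLLs) is constructed inline, and the DLL names in it are placeholders, not real hijack targets.

```python
"""Pre-extraction / pre-open check for planted DLLs (added example)."""
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def find_dlls(names):
    """Return, sorted, every file name whose extension is .dll.

    `names` are relative paths as found in an archive listing or a directory
    walk; backslashes are normalised so zip entries written on Windows and
    os.walk results look the same. Matching is case-insensitive because the
    Windows loader does not care about the case of the extension.
    """
    hits = []
    for name in names:
        path = PurePosixPath(name.replace("\\", "/"))
        if path.suffix.lower() == ".dll":
            hits.append(path.as_posix())
    return sorted(hits)


def group_by_directory(hits):
    """Map each directory to the DLL file names it contains (input order kept)."""
    grouped = {}
    for hit in hits:
        path = PurePosixPath(hit)
        grouped.setdefault(path.parent.as_posix(), []).append(path.name)
    return grouped


def scan_directory(root):
    """Walk an already-extracted folder (e.g. a torrent download) for DLLs."""
    root = Path(root)
    names = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            names.append(Path(dirpath, filename).relative_to(root).as_posix())
    return find_dlls(names)


def scan_zip(data):
    """Inspect a zip archive's listing for DLLs without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = [info.filename for info in archive.infolist() if not info.is_dir()]
    return find_dlls(names)


def build_sample_zip():
    """Constructed sample mirroring the post: 30 jpgs plus one DLL in one
    folder, and an .avi folder carrying three DLLs (placeholder names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for i in range(30):
            archive.writestr(f"album/pic{i:02d}.jpg", b"\xff\xd8\xff")  # fake JPEG header
        archive.writestr("album/example.dll", b"MZ")          # placeholder DLL name
        archive.writestr("videos/clip.avi", b"RIFF")
        archive.writestr("videos/planted_a.dll", b"MZ")       # placeholder
        archive.writestr("videos/planted_b.dll", b"MZ")       # placeholder
        archive.writestr("videos/PLANTED_C.DLL", b"MZ")       # placeholder, upper case on purpose
    return buf.getvalue()


def demo_directory_scan():
    """Extract the constructed sample into a temp folder and scan it, so the
    directory scanner can be exercised on the same data as the zip scanner."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(build_sample_zip())) as archive:
            archive.extractall(tmp)  # the sample contains no path traversal entries
        return scan_directory(tmp)


if __name__ == "__main__":
    hits = scan_zip(build_sample_zip())
    if not hits:
        print("no DLLs found alongside the data files")
    for directory, dlls in group_by_directory(hits).items():
        print(f"{directory}/: {', '.join(dlls)}  <- review before opening anything here")
```

Run it as-is and it reports `album/: example.dll` and `videos/: PLANTED_C.DLL, planted_a.dll, planted_b.dll`; point `scan_zip` at a real download or `scan_directory` at an extracted folder to apply the post's tip before opening any file in it. A clean archive of pictures, music or documents has no business shipping a DLL, so any hit is reason enough to stop and look.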

These are just some of the many ways we might see this breach being exploited in the real world in the very near future. You might want to check all vulnerable apps and discover your own way, or you can also try to discover your own vulnerable apps using this kit, provided by HD Moore (creator of Metasploit) <link at bottom>.

- Bruno Filipe (diwr)

Links:

[MSDN page] SetDllDirectory Function (Windows)

[hdm's DLL Hijack Audition kit and instructions] Metasploit: Better, Faster, Stronger: DLLHijackAuditKit v2

[Rapid7 Blog advisory about DLL Hijacking flaw] Application DLL Load Hijacking - Rapid7 Network Security Blog

[Corelan blog - Unofficial list of vulnerable apps] http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

[exploit-db list of vulnerable apps] DLL Hijacking - Vulnerable Applications

[sample DreamWeaver CS5 exploit] Adobe Dreamweaver CS5 <= 11.0 build 4909 DLL Hijacking Exploit (mfc90loc.dll)
