DLL Hijacking
Praveen Kumar [D4rk357]
Information Security Rookie
Introduction
DLL Hijacking is a very hot topic in exploit research and development these days. On 25th of August this year Exploit-DB was flooded with so many DLL Hijacking exploits that they stopped accepting them in the database and instead mentioned these exploits in a blog post. Nearly every Windows application, including the PowerPoint (w00t w00t) I am using right now, is vulnerable to it.
Is DLL Hijacking a new vector?
While searching for DLL Hijacking on the Internet I saw mentions of this exploit going back as far as 2000 (maybe you can find mentions much earlier than that). What opened the floodgates of DLL hijacking exploits was an exploitation method by The Leader (maybe he also borrowed it from somewhere else) which could be applied to nearly any application to pwn it.
What is DLL Hijacking?
In simple words, DLL Hijacking is a vulnerability which can be used to make a vulnerable application load a malicious DLL by exploiting its DLL search order mechanism, thereby taking complete control over the system. An attacker can trick the user into opening documents/videos/movies from a remote share on which the attacker has placed a malicious version of a legitimate DLL. When the user launches the application to view such remote content, the application loads the malicious DLL instead of the original one.
Microsoft Windows DLL Search Path Weakness
When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. These files are dynamically located at run time and loaded if necessary. A weakness exists in the algorithm used to locate these files. The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable is called with that location as its current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double clicked in Windows Explorer.
Solutions??
Sorry, but there is no fix for this yet. Microsoft has released a Security Advisory citing this problem and mentioning these mitigations: disable loading of libraries from WebDAV and remote network shares; disable the WebClient service; block TCP ports 139 and 445 at the firewall. Microsoft has also introduced a new registry value, CWDIllegalInDllSearch, to safeguard individual applications or all applications from this vulnerability. Below is the link to the KB article.
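To make the search-order weakness and the CWDIllegalInDllSearch mitigation from the two slides above concrete, here is a small model of the loader's directory order. This is an added example, not code from the talk or from Microsoft; the application directory, share paths and DLL names are constructed, while the policy values (0, 1, 2, 0xFFFFFFFF) are the ones Microsoft's KB article documents for CWDIllegalInDllSearch.

```python
# Model of the Windows DLL search order and the CWDIllegalInDllSearch
# mitigation. Added example, not code from the original talk; the paths and
# DLL names are constructed, the policy values are the ones Microsoft's KB
# article documents: 0 = always search the current working directory (CWD),
# 1 = skip the CWD when it is a remote (UNC or WebDAV) folder, 2 = skip it
# only when it is a WebDAV folder, 0xFFFFFFFF = never search the CWD.
CWD_ALLOW, CWD_BLOCK_REMOTE, CWD_BLOCK_WEBDAV, CWD_BLOCK_ALWAYS = 0, 1, 2, 0xFFFFFFFF
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [r"C:\Windows\System32"]  # constructed minimal %PATH%

def is_webdav(path: str) -> bool:
    # The WebDAV mini-redirector exposes shares under a DavWWWRoot component.
    return path.startswith("\\\\") and "davwwwroot" in path.lower()

def cwd_is_searched(cwd: str, policy: int) -> bool:
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_REMOTE:
        return not cwd.startswith("\\\\")  # UNC only; mapped drive letters not modelled
    if policy == CWD_BLOCK_WEBDAV:
        return not is_webdav(cwd)
    return True

def search_order(app_dir: str, cwd: str, policy: int, safe_search: bool = True) -> list:
    """Loader order (KnownDLLs and already-loaded modules, resolved before any
    search, are not modelled). SafeDllSearchMode puts the CWD after system dirs."""
    cwd_entry = [cwd] if cwd_is_searched(cwd, policy) else []
    middle = SYSTEM_DIRS + cwd_entry if safe_search else cwd_entry + SYSTEM_DIRS
    return [app_dir] + middle + PATH_DIRS

def resolve(dll: str, present: set, app_dir: str, cwd: str, policy: int,
            safe_search: bool = True):
    """Full path the loader would load for `dll`, or None if no copy is found."""
    present_lc = {p.lower() for p in present}
    for directory in search_order(app_dir, cwd, policy, safe_search):
        candidate = directory.rstrip("\\") + "\\" + dll
        if candidate.lower() in present_lc:
            return candidate
    return None

# Constructed scenario: a viewer opens a document from a remote share on which
# a DLL it requests by name also sits; helper.dll exists nowhere else.
APP_DIR, SHARE = r"C:\Program Files\Viewer", r"\\fileserver\docs"
WEBDAV_SHARE = r"\\fileserver\DavWWWRoot\docs"
PRESENT = {APP_DIR + r"\viewer.exe", SHARE + r"\helper.dll", WEBDAV_SHARE + r"\helper.dll",
           SHARE + r"\common.dll", r"C:\Windows\System32\common.dll"}

if __name__ == "__main__":
    for policy in (CWD_ALLOW, CWD_BLOCK_REMOTE, CWD_BLOCK_WEBDAV, CWD_BLOCK_ALWAYS):
        print(hex(policy), resolve("helper.dll", PRESENT, APP_DIR, SHARE, policy))
```

Running it shows that only policies 1 and 0xFFFFFFFF stop helper.dll from being picked up off the SMB share, while a DLL that also ships in System32 is safe under SafeDllSearchMode but not when the CWD is searched first.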
Questions??
Maybe I will not be able to answer all of them, but we have a lot of ppl in the audience who can. So start shooting.
Thanksgiving
Thanks to Rockey killer, FB1H2S, b0nd, punter, prashant, vinay, and all of h4ck3r.in and garage4hackers.com. Special thanks to everyone in the audience for not sleeping :D .