Exploiting dll hijack in real world

# Visit to see a html version of this paper
# ----------------------------------------------------------------------------
# Title: Exploiting DLL Hijack in the real world
# Date: 27/08/2010
# Author: Bruno Filipe (diwr) - bmilreu[]at[]
# ----------------------------------------------------------------------------

Dll hijacking is the new hype on Windows exploiting. This vulnerability
is caused by a misbehavior practiced by all versions of Windows, as far
as I’m concerned. This misbehavior can be found explained in this MSDN
page [link at bottom] (see Remarks). Note that many people consider this
flaw a feature and not a real bug because it was intended to be made this way
by Microsoft. I strongly disagree as I can’t think of a single legitimate
usage of a dll being loaded from the same directory of a opened file.

I won’t go into minor details about this issue, as they can be found in
reference links at the bottom of this article. I recommend reading them
first if you don’t know what Dll Hijacking is. Basically, it works by
creating a custom malicious dll and putting it in the same directory of a
clean file. When this clean file is opened by a vulnerable application,
your custom dll will be loaded and your code executed. This malicious dll
must have specific filenames for each vulnerable application, which can
be discovered using any simple debugging tool.

There are vulnerabilities in many major programs, so it’s possible to
bundle a dll with almost any filetype, like pdf, html, jpg, mp3, avi,
ANYTHING. Even some programs included with Windows are vulnerable. Peter
Eeckhoute from corelan team started an unofficial list that you might
want to check [link at bottom]. You’re almost certainly using many
exploitable applications so it’s a must to check there if you use Windows
regardless of it’s version or edition.

This is a major security issue that affects every Windows version and
cannot be patched universally as it would break many existing
applications. Inside this article I’ll also provide some tips about how
you can try to protect yourself and your network. There’s no
bullet-proof solution at this moment but you can certainly avoid getting
exploited in many cases.

This article is focused on showing how this flaw can be exploited in a
real world scenario from an attacker’s side. This is important because
there are many possible attack vectors that can be used either making use
of another vulnerability or even some simple social engineering. I’ll
explain some of them and how can be possibly avoided by an user or

* Using a SMB/WebDav shared folder

This is perhaps the most common way dll hijacking is being used, probably
because it can be exploited remotely. There are already a module for
Metasploit which uses this vector. It works by putting together a
malicious dll and a clean file that triggers it inside a share and then
making your target open this clean file. Remember a shared folder link
always starts with double slashes like \\

Real world examples:

1. Attacker sends a shared folder link to a victim. Victim opens and
   sees some .html files and double-clicks one of them. When a vulnerable
   browser or application opens this file it loads a dll directly from
   this share, and victim is now infected.
2. Attacker posts a link in a forum that looks like a http link but
   redirects victim to a shared folder. Victim opens a simple .pdf file
   and gets infected.
3. Attacker gains access to a trusty website and puts iframes or
   redirects to his share. Victim trusts this site and opens a mp3 file
   inside the shared folder and… gets infected as well.
4. Attacker uses the .lnk bug or any browser vulnerability together
   with any of above examples and thus increase his infect rate.

Tip: This kind of attack can be neutralized blocking any outbound
connection to a smb/webdav share. Ports are 445 and 135.

* A compressed package (.zip, .tar.gz, .rar etc)

This vector can be exploited by putting together a bunch of clean files
and a malicious dll inside a compressed folder/package. Target will
extract these files and open one of them, getting attacker’s dll loaded.

Real world example:

1. Attacker compresses 30 jpg pictures and a dll in a zip file. Victim
   extracts everything to a folder and double-clicks one of the pictures.

I won’t provide any other example of this because it’d look the same.

Tip: Before opening any kind of file, specially downloaded from the
internet, check if there’s any dll file in the same directory. Don’t
forget to enable show hidden files and show all extensions on your Folder
Options. It’s also recommended to move only the files you need to open
to another directory created by you. This should make you safe.

* Torrents

This one is kinda nasty and can be very effective to contaminate large
amounts of people. A torrent can contain large numbers of files and can
be used to get a malicious dll downloaded together with clean files
without being noticed. This is very dangerous, specially if a big torrent
tracker or database can be compromised.

Real world examples:

1. Attacker posts a custom torrent in a public tracker, which contains
   a pack of mp3′s and a malicious dll. Victim goes listen it’s new
   song album and get infected.
2. Attacker gains admin access to a torrent database (this actually
   happened to ThePirateBay not so long ago) and changes a legitimate
   high-traffic torrent for a infected one. This could cause a massive
   infection in a matter of minutes.

Tip: Same tip as above. Make sure there are no dlls in the current folder
before opening any kind of file. If you own a tracker or database make
sure your webserver and/or database are not vulnerable to any kind of
vulnerability like SQL injections, XSS etc.

* Exploiting multiple application hijacks

We have not seen yet a real world malware that uses dll hijacks to it’s
max but one of the ways attackers can (and will) use to increase their
success rate is putting multiple dlls to exploit the same filetype.

Real world example:

* Attacker shares a folder which contains a bunch of .avi files and
  three malicious dlls: one for VLC, other for MediaPlayer Classic and,
  finally, the last one for Winamp. Attacker can now exploit three apps
  in the same attack, increasing the chance of victim getting infected.

These are just some of the many ways we might seem this breach being
exploited in real world in a very near future. You might wanna check all
vulnerable apps and discover your own way or you can also try to discover
your own vulnerable apps using this kit, provided by HD Moore (creator of
Metasploit) [link at bottom].

- Bruno Filipe (diwr)


[MSDN page]

[hdm’s DLL Hijack Audition kit and instructions]

[Rapid7 Blog advisory about DLL Hijacking flaw]

[Corelan blog – Unofficial list of vulnerable apps]

[exploit-db list of vulnerable apps]

[Sample DreamWeaver CS5 exploit]

No comments:

Post a Comment