Windows DLL Vulnerability Exploit In the Wild

WrongSizeGlass writes "Exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications made its appearance on Monday. HD Moore, the creator of the Metasploit open-source hacking toolkit, released the exploit code along with an auditing tool that records which applications are vulnerable. 'Once it makes it into Metasploit, it doesn't take much more to execute an attack,' said Andrew Storms, director of security operations for nCircle Security. 'The hard part has already been done for [hackers].'"

Application developers fault

[odies]

This is actually faulty programming in applications, not Windows. Kind of like buffer overflows. It's what happens when you don't know what you're doing nor are you following secure coding standards.

Because application developers, not Windows, are to blame, Microsoft can't patch the operating system without crippling an unknown number of programs that run on the platform.

There are no reports of any Microsoft or default Windows applications containing the bug, so unless you have a specific third party app you're not vulnerable. Also, there is already a tool available from Microsoft you can use to block it from all applications, but some of the apps might obviously break.

To protect from stupid developers you would probably need something like selinux for Windows, but considering how much pain in the ass it is on Linux too, it wouldn't really work for all the casual people. However, moving applications from languages like C/C++ to languages like C# can help just like with buffer overflows. At least it provides extra layer of security against clueless programmers.

Re:Application developers fault

[NiteShaed]

There are no reports of any Microsoft or default Windows applications containing the bug, so unless you have a specific third party app you're not vulnerable.

Ummmmmm; "According to Moore, at least one Microsoft executable -- "explorer.exe," the Windows shell -- includes the flaw."
I'm pretty sure your Windows machine has explorer.exe loaded by default.

And Also Four of Microsoft's Applications

[eldavojohn]

There are no reports of any Microsoft or default Windows applications containing the bug

Really? That's odd, from the original blog posting:

At least four of Microsoft’s own applications have been confirmed as exploitable through this vector, two of which were already being addressed by the time I contacted them.

wait, open a remote file through SMB ?

From the Microsoft FAQ:

How could an attacker exploit this vulnerability?

This vulnerability requires that the attacker convince the user to open a file using a vulnerable program, from a remote network location. When the application loads one of its required or optional libraries, the vulnerable application may attempt to load the library from the remote network location. If the attacker provides a specially crafted library at this location, the attacker may succeed at executing arbitrary code on the user's machine.

I don't know about you, but I never open files from an untrusted SMB...

Re:Their security recommendation is hardly a solut

[0ld_d0g]

Well, fully qualified doesn't mean static. You could compute the fully qualified name at runtime to pass to the LoadLibrary call. Or you could just stick a SetDllDirectory call somewhere in your app startup and keep the rest of the code the same.

Re:I'm sorry what's the problem?

[arth1]

If the user's machine is compromised to the point where unauthorized dlls are replacing valid dlls that's not my problem as a software developer. The only validity to this bug is that windows allows dlls to be loaded from remote network locations (isn't this sort of stupid in the first place?).

It's not replacing. It's you, as a developer, saying "try to load foo.dll", without specifying where "foo.dll" is to be found, but relies on the OS to find it for you. It traverses a list of possible locations, and as a last resort tries the current working directory.
The problem is all yours if you don't specify where the OS is to look for the DLL. If you want to load DLLs from %installdir%\dlls, then all you have to do is specify that path. It's not rocket science.

And no, allowing DLLs to be loaded from remote locations isn't stupid, as it allows for shared installations, which both saves boatloads of disk space, and allows for updating a single place instead of on each machine.
Not considering that possibility is what's stupid.
And not understanding how the DLL loading and file systems work on the OS you program for is even worse.

Finally, the exploit doesn't depend on a remote share either -- that's Smallsquishy's damage control PR department working overtime. If you download a zip with hundreds of MP3 or picture files, extract it, and double-click one of them, the DLL that was in the archive will get loaded if your default player/viewer queries for that DLL without specifying a path.

It's not a new exploit either -- it's been around for a long time on Windows. And before that, there were vulnerable Linux systems with "." in LD_LIBRARY_PATH, which basically amounts to the same thing.

How this works

[Elbows]

I took me a while to figure out how this exploit works, but I think it goes like this:

I have an application, foo.exe, that can make use of an optional system component (or 3rd-party DLL), bar.dll. I don't ship that DLL, and I can't guarantee that it will be present on every user's system. So to ensure that my program degrades gracefully, I open it with LoadLibrary("bar.dll"), and if it's not found I disable the features that depend on it. Since it's not my DLL, I can't speculate on where it's installed, so I use an unqualified path and let the loader do the searching (this is, after all, the job of the loader). The ensures that, as long as bar.dll is correctly installed on the system, my application will find and use it.

From an application developer's point of view, this the right way to do things. If I did this on Linux or MacOS, it wouldn't be a problem. Unfortunately, Microsoft decided that the current directory (".") should be in the default search path (see http://msdn.microsoft.com/en-us/library/ms682586(VS.85).aspx ). It's even searched before $PATH!

Now the exploit goes like this:
1. On \\evilserver\evilsmbshare, I place a file foofile.foo, an extension which is associated with foo.exe. Right next to it, I create an evil version of bar.dll.
2. I convince the user to double-click on foofile.foo, causing windows to open foo.exe, with a current directory of \\evilserver\evilsmbshare.
3. If the user's system doesn't have bar.dll installed, Windows will eventually find my evil version of it at .\bar.dll and load it into the unsuspecting foo.exe.
4. My evil code runs and does whatever evil deeds I want it to.

If this is correct, then the decision my Microsoft to put the current directory in the library search path seems pretty braindead, and it's hard to blame application developers for assuming that LoadLibrary() will load a library in a sane and secure way. But I'm having a hard time imagining an application that would break if the current directory were just removed from the search path. Shipping DLLs in the application directory is common practice, but expecting them in the current directory? Why would you do that?

It seems that this exploit requires you to trick the user into opening a file from a filesystem you have access to, at which point you could probably just as easily get them to open a trojan directly. I think local privilege-escalation attacks are more probable (e.g. tricking a system service into opening your evil DLL).

Re:How this works

[Elbows]

I just tried this out. When I launch a test program by double-clicking an associated file, the current directory (as returned by GetCurrentDirectory()) is set to the directory where the file was located. It ignores the location of the .exe, and it also ignores the "Start In" directory from the shortcut file (if the association was to a shortcut and not directly to an exe). This is on Win7 64-bit. So I think my evilsmbshare example from above would work as described. Of course it's possible that other Windows systems exhibit completely different behavior. :)

I agree that it's still hard to exploit, but not quite as hard as requiring access to the user's local filesystem.

Re:How this works

[TheThiefMaster]

So placing a DLL in the same folder as the associated file doesn't do anything. You have to put it in the same folder as the executable, which is (as of Vista and Windows 7) write-protected.

With XP it is a lot easier because the Program Files directory structure is not protected and it was common to have applications writing stuff there, so you couldn't protect it. As of Vista the rules changed and you can't write there anymore.

Actually it's write-protected in XP as well, as long as you don't use the FAT32 filesystem (so per-user file permissions actually exist) and as long as you're not running as admin (which nearly everyone did on their home PCs, but in organisations most people aren't). Vista basically changed the system from "local admin user = root" to "local admin user = sudoer".

Re:CWDIllegalInDllSearch

[colfer]

Or, correction, the good DLL would have to go into a folder that is in the PATH and not in any of the higher priority system folders. And you would have to register a file handler and a new type... since the directory of the EXE has first priority. Oh well.

The priority list goes:

1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable

And the patch + adding the new reg value disables #5.

The whole fix should be rolled up into a little switching program. We should not have to edit the registry to fix this vulnerability. And we should be able to turn the fix off easily if it causes problems.