Slashdot Mirror


Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com)

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.

32 of 162 comments

  1. What's a DLL? by Teun · · Score: 2, Funny

    The obvious question is; what's a DLL?

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:What's a DLL? by Anonymous Coward · · Score: 4, Informative

      Dynamic linked library

    2. Re:What's a DLL? by Archangel+Michael · · Score: 5, Informative

      Dynamic Link Library. Typically a shared resource that can be dynamically loaded and unloaded when needed, and often shared among programs.

      The problem with DLLs is that there are many versions of the same DLL that often need to run at the same time. Which means that you can substitute one version for another, and hijack a program. Nothing new here.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:What's a DLL? by Anonymous Coward · · Score: 4, Informative

      Dynamic-link library (also written unhyphenated), or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension DLL, OCX (for libraries containing ActiveX controls), or DRV (for legacy system drivers). The file formats for DLLs are the same as for Windows EXE files – that is, Portable Executable (PE) for 32-bit and 64-bit Windows, and New Executable (NE) for 16-bit Windows. As with EXEs, DLLs can contain code, data, and resources, in any combination.

      https://en.wikipedia.org/wiki/Dynamic-link_library

    4. Re:What's a DLL? by lesincompetent · · Score: 5, Insightful

      The obvious questions are:
      - Why are you here?
      - Why the semicolon?

    5. Re:What's a DLL? by Archangel+Michael · · Score: 3, Informative

      Nothing new, because it is how Windows was designed from the early days.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re:What's a DLL? by jones_supa · · Score: 3, Funny

      It's a shared object for a toy computer.

      Are you suggesting that Windows makes a toy computer? Wouldn't a toy GUI consist mostly of big colored squares, dumbed down applications, and a supervisor monitoring your usage patterns?

    7. Re:What's a DLL? by GIL_Dude · · Score: 4, Informative

      Although it is very true that it is how Windows was designed from the early days, modern versions of Windows do have protections against loading DLLs from network locations that applications simply have to opt in to. For those that are designed to be locally installed to have NOT adopted those defenses is just like not bothering to enable ASLR (Address Space Layout Randomization), or other security measures. These applications should be updated to use the protections. Here's info on how to make the updates to applications: https://msdn.microsoft.com/lib...

    8. Re:What's a DLL? by ArmoredDragon · · Score: 2

      I would say that Microsoft could improve on desktop applications by giving them their own namespace or user space (a la Android) but instead they now call these "legacy apps" and have the unrealistic expectation that you use universal apps which do have these protections.

      I say unrealistic because universal apps don't have anywhere near the capability set that you can get with "legacy apps", and there's no reason to write new desktop applications anymore because typically the best way to deliver your application to desktop users is through web apps. If a web app can't do what you need to do, then a universal app probably can't either, and indeed can probably do fewer things since it has to operate very strictly within Microsoft's walled garden.

    9. Re:What's a DLL? by mikael · · Score: 3, Informative

      Dynamic Link Library or Shared Object. In the early days of UNIX, it was found that a huge amount of space was being used by GUI applications and command line programs statically linked to common libraries like standard IO, sockets, X-windows, GUIs, maths and crypto libraries. Huge amounts of disk space were being used to store duplicate copies of compiled code. So they figured that it would be more cost effective to dynamically link at run-time instead of at compile-time, with the bonus that they could be compiled into relocatable code only loaded into the system when needed.

      If you run "ldd" on a program, you will see all the libraries needed for that program.

      By separating the library files from the applications, any bugs or problems could be fixed through a simple upgrade. The downside is that someone can rootkit a system by replacing a DLL used by applications that need system access.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    10. Re:What's a DLL? by Penguinisto · · Score: 2

      "Windows Dynamic Linked Library" in this case... not seeing a single mention of Linux or OSX in there.

      (Yes, there are equivalents in Linux and OSX, but no indication of the vuln in shared libs, dylibs, or dynamic shared libs, so...)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    11. Re:What's a DLL? by TapeCutter · · Score: 3, Informative

      There is no "bug" with the installers or Windows; the machine has been compromised prior to running the software.

      TFA is a "beat up" (likely paid for by Oracle), it does not explain how the attacker is able to put the compromised dll on the machine in the first place. If an attacker can put a random binary on your local drive then they already own your machine. What a random installer subsequently does on a compromised machine is irrelevant to how the machine was hacked.

      Car analogy: If a miscreant cuts your brake line without your knowledge, it is not the manufacturer's fault that the brakes no longer work as advertised. If the manufacturers can make it more difficult to cut the brake line that's great, but they cannot, and should not, be held accountable for malicious damage caused by someone who had unrestricted access to your brake line.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    12. Re:What's a DLL? by mhotchin · · Score: 4, Informative

      Literally the FIRST hit on Google leads to this:
      https://en.wikipedia.org/wiki/...

      tl;dr - it's not really a problem to force an arbitrary process to load a DLL, *if you are an administrator*. As noted elsewhere though, if you have the power to inject, you already owned the machine, so why bother?

    13. Re:What's a DLL? by TapeCutter · · Score: 3, Interesting

      It's no longer a problem with MS libraries but it can still be a problem with third-party DLLs; the problem is not that different to having symlinks point to multiple versions of an .so file in Unix. In both cases it works when done correctly, but it's easy to get the wires crossed if you're not careful.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    14. Re:What's a DLL? by KGIII · · Score: 2

      Just earlier today, I ran this very command:

      sudo ln -sf /lib/$(arch)-linux-gnu/libudev.so.1 /lib/$(arch)-linux-gnu/libudev.so.0

      I did not read the article but the above command not only was acted on - it had the effect I wanted. I better go file a bug report!

      --
      "So long and thanks for all the fish."
  2. DLL Hijacking by Anonymous Coward · · Score: 5, Informative

    There's an informative (and non-PDF) post on Fortinet's blog discussing DLL hijacking. You can use a registry tweak to harden a system against this technique.

  3. Why is this a flaw in the app, and not the OS? by MSG · · Score: 3, Interesting

    I'm aware of the Windows DLL load behavior, and how it creates "DLL Hell." I never thought of the security implications, because I assumed that Windows behaved more ... sanely.

    The root of the problem is that the affected applications are installers, which need to be run with elevated rights. On Linux systems, for example, when an application is run with escalated rights (through SUID or sudo), the dynamic library loader uses only the system library paths and ignores user specified paths (such as the LD_LIBRARY_PATH environment variable).

    Why the HELL doesn't Windows do the same for apps run as administrator?

    1. Re:Why is this a flaw in the app, and not the OS? by The+MAZZTer · · Score: 5, Informative

      MSDN documents guidelines for preventing malicious DLL loading. Windows has already cut off "current directory" forms of attacks by changing the DLL load order (called "Safe DLL Search Mode" in that document), and with Vista locking down Program Files for admin-only access, "application directory" attacks are also out unless apps intentionally install themselves elsewhere (then they're on their own). As for installers, users have to get tricked into downloading the DLL first, and at least Chrome gives you a big warning that the file is suspicious due to its extension. And if you can get the user to do that, you might as well just give them an EXE and skip the warning. It's easier to put together a malicious EXE too.

    2. Re:Why is this a flaw in the app, and not the OS? by StormReaver · · Score: 4, Funny

      ...because I assumed that Windows behaved more ... sanely.

      After all these years, why the hell would you think that?

    3. Re:Why is this a flaw in the app, and not the OS? by scdeimos · · Score: 3, Interesting

      Any directory in the DLL search path for a normal application installed in a normal location is only writable by an (elevated) administrator user. If you can drop a random DLL file into such a folder you've already got administrator rights on the machine, so why make things any more complicated?

      You've obviously never heard of ClickOnce then. ClickOnce deployment technology, available since .NET Framework 2.0, allows a signed application and its related DLLs to be downloaded into a folder within the user's own AppData folder structure and executed from there. It doesn't require Administrator rights to do this because it's within the user's own AppData folder structure. Just because an application is signed doesn't make it trustworthy.

  4. There are literally dozens of them... by Anonymous Coward · · Score: 3, Funny

    DOZENS!

  5. Re:Other side of the airtight hatchway by tepples · · Score: 2

    I don't know how code signing verification policy works on Windows, but on OS X, Gatekeeper checks only an app's main executable for a signature against an Apple-issued code signing certificate, not other executables in the same folder that it loads.

  6. Re:Other side of the airtight hatchway by bluefoxlucid · · Score: 4, Informative

    Actually, you only have to insert it into the current working directory. For example: Get a dll file downloaded into Downloads, then wait for the user to run Setup.exe and have UAC hand it admin privileges. Now your non-privileged process has put a DLL file in the Downloads directory *with* Setup.exe, which loaded Downloads\CommDlg32.dll and was granted Administrator access. Now you have admin access.

    Microsoft Word used to do this if you had a DLL file with the same name as a System32 DLL in the same path as a Word document.

  7. Re:Other side of the airtight hatchway by pr0fessor · · Score: 3, Insightful

    In this case it would be up to the installer to verify that it is loading a valid library. The problem is that if somehow a certain named and versioned DLL can be downloaded to the same folder you execute the installer from, it can execute arbitrary code when the installer initializes it using the elevated privileges you granted the installer.

    So in order to implement this side-loading you would first need to take advantage of another vulnerability to get that library in the right place.

    In order to protect against this they could simply not include the execution folder in the search path and validate the library in a manner other than just the name and version, which can be faked.

    If someone were to try and exploit this, chances are they would attempt to run their code in the background while leaving the rest of the library untouched so the installer would complete without tipping off the user. This means something as simple as a file size could validate there wasn't a bunch of extra code present, although there are better methods for validating a library.

  8. Re:static linking on windows by grilled-cheese · · Score: 2

    That would make sense but there are two things to consider. First, you may be using a different compiler or even language altogether for a DLL versus your main application. Second, there are legal implications with OSS licenses when it comes to dynamic versus static linking.

  9. Re:static linking on windows by wonkey_monkey · · Score: 2

    It does leave you permanently vulnerable to any flaws in the particular version of the library you linked against, or such is my understanding. At least with dynamic linking you can blame the user for not keeping up to date!

    I still static link though because whenever I upload something (using a video filtering plugin) at least one person won't have the right runtime installed at all.

    --
    systemd is Roko's Basilisk.
  10. Re:Other side of the airtight hatchway by The+MAZZTer · · Score: 2

    MSDN is saying, by default, "Safe DLL" loading is used, in which the current directory is only used if loading the DLL from most other locations failed. So this would not be viable any more. It sounds like this problem was identified and fixed long ago. Any attempt to exploit this now would require gaining greater access first, and once you're there there's no point to using DLL hijacking any more.

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

  11. Re:What about LGPL dynamic linking compliance?! by sjames · · Score: 2

    It isn't a problem, and the installer need take no special measures. The system's loader restricts the search path for dynamic libraries when it's running with elevated privileges so you don't accidentally run an infected library in some random location (for example, the download directory).

    There are also techniques available to load libraries from a specific path after the program starts rather than at load time. You can use that to choose a specific full path to the exact library you want to load and it still counts as dynamic linking.

  12. Re:static linking on windows by swb · · Score: 2

    It does leave you permanently vulnerable to any flaws in the particular version of the library you linked against, or such is my understanding.

    The assumption being that anyone (for most definitions of anyone) knows what DLLs their application loads and what the status of their patch levels are.

    I still static link though because whenever I upload something (using a video filtering plugin) at least one person won't have the right runtime installed at all.

    Which IMHO is the main mitigating factor -- what's the actual security risk versus the functional risk of the wrong library breaking the program?

    I don't know if it's technically possible, but it would be interesting to use a computer where everything was statically linked to see how much worse resource usage really was.

  13. Re:Other side of the airtight hatchway by nmb3000 · · Score: 5, Informative

    If you have the ability to write a malicious DLL into a folder for the executable, you already have the ability to run administrator level code. Why bother with the DLL?

    cf: Raymond Chen

    Exactly. Raymond covered this a few times in the past.

    Using delayload to detect functionality is a security vulnerability
    It rather involved being on the other side of this airtight hatchway: Disabling Safe DLL searching

    If Safe DLL Search Mode is enabled, then the Current Directory isn't searched until after all the system directories are searched. Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2).

    This sounds like a complete non-story.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  14. Whatever is downloaded ends up being run as admin by raymorris · · Score: 2

    I'm going to simplify this a bit, but consider you download two things. First, songlist.zip. You extract songlist.zip, which is data. You don't execute anything in that download. You just extract it to your downloads folder and use Notepad to open the resulting songlist.txt. You don't notice that it also included a file called netssl.dll, which sits in your downloads folder.

    Later, you download mcafee_setup.exe. You run mcafee_setup.exe, which needs to run as admin. mcafee_setup.exe makes use of netssl.dll. It could use the hacked version which was part of songlist.zip, running code with full admin privileges that you never intended to run at all.
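
A small model of the documented Windows DLL search order, added here to check the Downloads-folder scenario above and the registry hardening mentioned earlier in the thread (SafeDllSearchMode and CWDIllegalInDllSearch); it is not code from the article, Raymond Chen's posts or any commenter. The directory layout, DLL names and the one-entry KnownDLLs stand-in are constructed, and the model only orders directories the way the loader does, it never calls the real loader.

```python
"""Model of the documented Windows DLL search order for desktop apps. It does not call
the real loader; it orders directories the way the loader does so the Downloads scenario
can be reasoned about. Layout, names and the KnownDLLs stand-in are constructed."""
from dataclasses import dataclass, field

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
KNOWN_DLLS = {"kernel32.dll"}      # stand-in for the KnownDLLs list, always taken from System32

@dataclass
class Host:
    app_dir: str                   # directory holding the EXE being launched
    cwd: str                       # current working directory of the new process
    files: dict                    # directory -> set of lower-case file names present
    path_dirs: list = field(default_factory=list)
    safe_dll_search_mode: bool = True        # SafeDllSearchMode DWORD, on by default since XP SP2
    cwd_illegal_in_dll_search: bool = False  # CWDIllegalInDllSearch DWORD set to 0xFFFFFFFF

    def search_order(self):
        steps = [("app", self.app_dir)]      # the application directory is always probed first
        if not self.safe_dll_search_mode:
            steps.append(("cwd", self.cwd))  # legacy order: CWD right after the app dir
        steps += [("system", d) for d in SYSTEM_DIRS]
        if self.safe_dll_search_mode:
            steps.append(("cwd", self.cwd))  # safe mode: CWD only after the system dirs
        steps += [("path", d) for d in self.path_dirs]
        if self.cwd_illegal_in_dll_search:   # drops the CWD step only; the app-dir step stays
            steps = [s for s in steps if s[0] != "cwd"]   # even when both are the same folder
        return steps

    def resolve(self, dll_name):
        name = dll_name.lower()
        if name in KNOWN_DLLS:
            return SYSTEM_DIRS[0] + "\\" + name
        for _, d in self.search_order():
            if name in self.files.get(d, set()):
                return d + "\\" + name
        return None                          # not found anywhere: the load fails

def flags_from_registry(safe_dll_search_mode=None, cwd_illegal_in_dll_search=None):
    """Map the two Session Manager DWORDs (None = value absent) onto Host flags. Values 1 and 2 of
    CWDIllegalInDllSearch only cover remote (WebDAV/UNC) folders, so for a local Downloads folder
    only 0xFFFFFFFF counts (some APIs read that DWORD back as -1)."""
    return {"safe_dll_search_mode": safe_dll_search_mode != 0,
            "cwd_illegal_in_dll_search": cwd_illegal_in_dll_search in (0xFFFFFFFF, -1)}

# Constructed layout: a freshly downloaded installer and a stray DLL share Downloads.
DOWNLOADS = r"C:\Users\alice\Downloads"
FILES = {SYSTEM_DIRS[0]: {"kernel32.dll", "shared.dll"},
         DOWNLOADS: {"setup.exe", "netssl.dll", "shared.dll"},
         r"C:\Program Files\App": {"app.exe"}}

def installer_host(**flags):       # setup.exe launched from Downloads: app dir == CWD == Downloads
    return Host(app_dir=DOWNLOADS, cwd=DOWNLOADS, files=FILES, **flags)

def installed_app_host(**flags):   # app.exe under Program Files, CWD left in Downloads
    return Host(app_dir=r"C:\Program Files\App", cwd=DOWNLOADS, files=FILES, **flags)
```

The two Host builders show the difference that matters for defenders: neither registry value moves the application-directory step, so an installer run from Downloads still picks up a same-named DLL sitting beside it, while an application installed under Program Files is protected by Safe DLL Search Mode and, with CWDIllegalInDllSearch set to 0xFFFFFFFF, never probes the Downloads folder at all.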

  15. Still depends on user trusting installer by BlueMonk · · Score: 2

    This doesn't seem like a very big vulnerability because it still requires the user to explicitly trust an installer to install executable code. Whether that code is an executable or a DLL that gets loaded into another application, once you've installed malicious software, you're screwed.