RSS

Tools

The Windows DLL Loading Security Hole

By Larry Seltzer, September 09, 2010

Many Windows apps -- even Microsoft's and maybe your own -- are vulnerable to "remote binary planting" attacks.

Larry Seltzer is an independent analyst focusing on security issues and a founder of OpenGov Solutions.

In August, 2010, the Slovenian security research firm ACROS Security issued an advisory for a vulnerability in Apple's iTunes. The details in the advisory accidentally exposed a much larger story that ACROS was working on quietly: Many Windows applications -- including many famous ones and possibly your own -- are vulnerable to the same attack. Luckily you can fix the problems and I'll show you how.

"Remote Binary Planting" is a new variation on an old attack, first identified 10 years ago by Georgi Guninski. He showed how an attacker could load a malicious DLL by including it in the same directory as a data file opened by the user through the Windows shell. At the time, the problem was that when Windows searched for a DLL to load, the current directory was high in the search order. When you load a data file in the shell, Windows sets the file's directory as the current directory when loading the file, so all you had to do was to name your DLL and the calls exported from it the same as the one expected by the application.

Here's how it works: The attacker places an enticing data file in a folder on a network share or web folder. Probably through a social networking attack ("Open mlb.xls to see pennant race analysis") he induces a user to open the file. In the same directory as the file is a DLL with the same name as one needed by the application to open the file, and exporting a function expected by the application. With a vulnerable application, Windows will look for the DLL in the current directory -- the one containing the data file -- before finding the real one, and therefore will load it and run the malicious code.

In response to this issue, Microsoft changed the DLL search order, created the SetDllDirectory function and issued guidance about proper loading of DLLs. It turns out that this advice is widely ignored, even within Microsoft.

ACROS's innovation in this attack was to show how to exploit it on a network share or remotely over the Internet on a WebDAV share. This raises the credibility of the attack scenario a great deal. Indeed, if an attacker gains access to a network, getting users to load data files from a network share within it should be relatively easy. This would be a great tool for an attacker perpetrating a targeted attack against your organization, where they have some knowledge of you already. All they need is the credentials of a relatively unprivileged user.



1 2 Next

Related Reading

News

Commentary

Most Popular

On the Web

Slideshow

Video

More Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>
INFO-LINK




Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Best of the Web

First C Compiler Now on Github

The earliest known C compiler by the legendary Dennis Ritchie has been published on the repository.

Quick Read

HTML5 Mobile Development: Seven Good Ideas (and Three Bad Ones)

HTML5 Mobile Development: Seven Good Ideas (and Three Bad Ones)

Quick Read

Building Bare Metal ARM Systems with GNU

All you need to know to get up and running... and programming on ARM

Quick Read

Amazon's Vogels Challenges IT: Rethink App Dev

Amazon Web Services CTO says promised land of cloud computing requires a new generation of applications that follow different principles.

Quick Read

How to Select a PaaS Partner

Eventually, the vast majority of Web applications will run on a platform-as-a-service, or PaaS, vendor's infrastructure. To help sort out the options, we sent out a matrix with more than 70 decision points to a variety of PaaS providers.

Quick Read


More "Best of the Web" >>

Tools Recent Articles

Most Popular

Stories Blogs

Video

View All Videos

Upcoming Events



Most Recent Premium Content

Digital Issues