Channels ▼
RSS

Tools

The Windows DLL Loading Security Hole


Larry Seltzer is an independent analyst focusing on security issues and a founder of OpenGov Solutions.


In August, 2010, the Slovenian security research firm ACROS Security issued an advisory for a vulnerability in Apple's iTunes. The details in the advisory accidentally exposed a much larger story that ACROS was working on quietly: Many Windows applications -- including many famous ones and possibly your own -- are vulnerable to the same attack. Luckily you can fix the problems and I'll show you how.

"Remote Binary Planting" is a new variation on an old attack, first identified 10 years ago by Georgi Guninski. He showed how an attacker could load a malicious DLL by including it in the same directory as a data file opened by the user through the Windows shell. At the time, the problem was that when Windows searched for a DLL to load, the current directory was high in the search order. When you load a data file in the shell, Windows sets the file's directory as the current directory when loading the file, so all you had to do was to name your DLL and the calls exported from it the same as the one expected by the application.

Here's how it works: The attacker places an enticing data file in a folder on a network share or web folder. Probably through a social networking attack ("Open mlb.xls to see pennant race analysis") he induces a user to open the file. In the same directory as the file is a DLL with the same name as one needed by the application to open the file, and exporting a function expected by the application. With a vulnerable application, Windows will look for the DLL in the current directory -- the one containing the data file -- before finding the real one, and therefore will load it and run the malicious code.

In response to this issue, Microsoft changed the DLL search order, created the SetDllDirectory function and issued guidance about proper loading of DLLs. It turns out that this advice is widely ignored, even within Microsoft.

ACROS's innovation in this attack was to show how to exploit it on a network share or remotely over the Internet on a WebDAV share. This raises the credibility of the attack scenario a great deal. Indeed, if an attacker gains access to a network, getting users to load data files from a network share within it should be relatively easy. This would be a great tool for an attacker perpetrating a targeted attack against your organization, where they have some knowledge of you already. All they need is the credentials of a relatively unprivileged user.


Related Reading


More Insights






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Video