Monday, August 30, 2010

A summary of DLL hijacking - what did I do...

Workaround 1
1. Install the patch 2264107 and set CWDIllegalInDllSearch=0xFFFFFFFF
Benefit
Mitigates the risk to a very low level.
Impact
1). The patch 2264107 seems to interfere with wireless cards, specifically on the E6400 model with the 1510 wireless card.
2). May break some applications. A list of potentially affected software can be found in the attachment “Potentially vulnerable applications.docx”; it is also available online: http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
--------------------------------------------------------------
Workaround 2
2. Install the patch 2264107 and set CWDIllegalInDllSearch=1
Benefit
Prevents an application from loading a library from a WebDAV location.
Impact
1). The patch 2264107 seems to interfere with wireless cards, specifically on the E6400 model with the 1510 wireless card.
2). Still vulnerable to a remote file share.
---------------------------------------------------------------
Workaround 3
3. Install the patch 2264107 and set CWDIllegalInDllSearch=2
Benefit
Prevents an application from loading a library from both a WebDAV location and a remote UNC location.
Impact
1). The patch 2264107 seems to interfere with wireless cards, specifically on the E6400 model with the 1510 wireless card.
2). Cannot prevent a local dll attack.
---------------------------------------------------------------
Workaround 4
4. Block any outbound connection to an smb/webdav share. Ports are 445 and 135.
Benefit
Prevents attacks from outside.
Impact
1). It is not possible to block smb/webdav shares on the internal network because users need them.
---------------------------------------------------------------
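Workarounds 1 to 3 differ only in the DWORD value written to CWDIllegalInDllSearch, and the post recommends pairing them with workaround 4. The following PowerShell is an added example, not code from the original post or from Microsoft: it applies one of the three settings, reads the value back in the form the KB lists it, and adds the outbound firewall rule for the ports the post names. It assumes KB 2264107 is already installed (the value has no effect without it), that the value lives under the Session Manager key as that KB documents (verify the path against the KB before relying on it), that the prompt is elevated, and that restricting the firewall rule to the Public profile is acceptable; the function names are chosen here.

```powershell
# Added example (not from the original post): apply, verify and complement the
# CWDIllegalInDllSearch workarounds. Run from an elevated PowerShell prompt.

# Assumption: system-wide location of the value, per KB 2264107 (verify against the KB).
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'CWDIllegalInDllSearch'

function Set-CwdDllSearchPolicy {
    param(
        # Workaround number from the post: 1, 2 or 3.
        [Parameter(Mandatory)]
        [ValidateSet(1, 2, 3)]
        [int]$Workaround
    )
    $value = switch ($Workaround) {
        # 0xFFFFFFFF: the current working directory is never searched for DLLs.
        # Written as the signed Int32 -1 (same bit pattern) because the DWord
        # conversion in Windows PowerShell rejects the unsigned literal as out of range.
        1 { -1 }
        2 { 1 }   # block DLL loads from WebDAV locations only
        3 { 2 }   # block DLL loads from WebDAV and remote UNC locations
    }
    # -Force overwrites an existing value; the type must be DWORD for the patch to honour it.
    New-ItemProperty -Path $SessionManager -Name $ValueName -PropertyType DWord `
                     -Value $value -Force | Out-Null
    Get-CwdDllSearchPolicy
}

function Get-CwdDllSearchPolicy {
    $item = Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Meaning = 'not set: default search order, CWD is still searched' }
    }
    # The registry provider returns the DWORD as a signed Int32; mask it back to the
    # unsigned form the KB uses so that 0xFFFFFFFF does not print as -1.
    $raw = [uint32]($item.$ValueName -band 0xFFFFFFFF)
    $meaning = switch ($raw) {
        0xFFFFFFFF { 'Workaround 1: CWD removed from the DLL search order' }
        1          { 'Workaround 2: WebDAV locations blocked' }
        2          { 'Workaround 3: WebDAV and remote UNC locations blocked' }
        0          { 'explicit default: CWD is still searched' }
        default    { 'unrecognised value' }
    }
    [pscustomobject]@{ Value = ('0x{0:X8}' -f $raw); Meaning = $meaning }
}

function Block-OutboundSharePorts {
    # Workaround 4 as a Windows Firewall outbound rule on the ports the post names.
    # Limiting it to the Public profile is an assumption made here so that domain and
    # private networks keep their file shares, which is the impact the post warns about.
    param([string]$Profiles = 'public')
    netsh advfirewall firewall add rule name="Block outbound SMB/WebDAV (DLL hijacking)" `
        dir=out action=block protocol=TCP remoteport=445,135 profile=$Profiles
}

# Usage (elevated):
#   Set-CwdDllSearchPolicy -Workaround 1   # most restrictive; test your applications first
#   Get-CwdDllSearchPolicy
#   Block-OutboundSharePorts
```

Set-CwdDllSearchPolicy returns the read-back value so a deployment script can confirm the DWORD landed as intended; if your environment needs an exception for one of the applications on the corelan list, the KB describes a per-application override, which this example deliberately does not automate.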

Real world DLL hijacking samples (from http://digitalacropolis.us/?p=113):
1. Using an SMB/WebDAV shared folder
This is perhaps the most common way dll hijacking is being used, probably because it can be exploited remotely. It works by placing a malicious dll and a clean file that triggers it inside a share and then making the target open this clean file. Remember that a shared folder link always starts with double backslashes, like \\123.45.67.890.

1). Attacker sends a shared folder link to a victim. The victim opens it, sees some .html files and double-clicks one of them. When a vulnerable browser or application opens this file it loads a dll directly from this share, and the victim is now infected.

Workaround: Combine workarounds 1 and 4, or workarounds 3 and 4.

2). Attacker posts a link in a forum that looks like an http link but redirects the victim to a shared folder. The victim opens a simple .pdf file and gets infected.

Workaround: Combine workarounds 1 and 4, or workarounds 3 and 4.


3). Attacker gains access to a trusted website and puts iframes or redirects to his share on it. The victim trusts this site, opens an mp3 file inside the shared folder and… gets infected as well.

Workaround: Combine workarounds 1 and 4, or workarounds 3 and 4.


4). Attacker uses the .lnk bug or any browser vulnerability together with any of the above examples and thus increases his infection rate.

Workaround: Combine workarounds 1 and 4, or workarounds 3 and 4.

5). An inside attacker puts a clean file and a malicious dll on an internal file share.

Workaround: 1 or 3.
----------------------------------------------------------
2. A compressed package (.zip, .tar.gz, .rar etc.)
This vector can be exploited by putting a bunch of clean files and a malicious dll together inside a compressed folder/package. The target extracts these files and opens one of them, getting the attacker’s dll loaded.
1). Attacker compresses 30 jpg pictures and a dll into a zip file. The victim extracts everything to a folder and double-clicks one of the pictures. Infected.
Workaround:
1). Workaround 1.
2). Education: Before opening any kind of file, especially one downloaded from the internet, check whether there is any dll file in the same directory. Don’t forget to enable “show hidden files” and “show all extensions” in your Folder Options. It is also recommended to move only the files you need to open into another directory created by you. This should keep you safe.
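The manual check in the education item above (look for a dll beside the file you are about to open, then move only the files you need into a folder of your own) can be scripted so that hidden files and hidden extensions cannot fool the eye. The PowerShell below is an added example and is not part of the original post; it assumes the archive has already been extracted to the folder given as -Path, and the function names Find-StrayDll and Copy-DataFilesOnly are chosen here.

```powershell
# Added example (not from the original post): audit an extracted download for DLLs
# sitting next to data files, then copy only the data files to a clean folder.

function Find-StrayDll {
    param([Parameter(Mandatory)][string]$Path)
    # -Force includes hidden and system files, which Explorer hides by default,
    # so a dll with the hidden attribute set is still reported.
    Get-ChildItem -Path $Path -Recurse -Force -File |
        Where-Object { $_.Extension -ieq '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Dll        = $_.FullName
                Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                # 'NotSigned' or 'HashMismatch' beside a pile of media files is the
                # pattern the post describes; a valid signature is not proof of safety.
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Number of non-dll files in the same directory: the "clean files" a
                # planted dll relies on to get the victim to open something there.
                Neighbours = @(Get-ChildItem -Path $_.DirectoryName -Force -File |
                               Where-Object { $_.Extension -ine '.dll' }).Count
            }
        }
}

function Copy-DataFilesOnly {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    # The "move only the files you need" advice: everything except .dll files is copied,
    # so the file you open has no loadable library in its directory.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Get-ChildItem -Path $Source -Force -File |
        Where-Object { $_.Extension -ine '.dll' } |
        Copy-Item -Destination $Destination
}

# Usage:
#   Find-StrayDll -Path "$env:USERPROFILE\Downloads\album" | Format-Table -AutoSize
#   Copy-DataFilesOnly -Source "$env:USERPROFILE\Downloads\album" `
#                      -Destination "$env:USERPROFILE\Documents\album-clean"
```

Find-StrayDll reports rather than deletes, since the audit is meant to be read before the decision to open anything; a non-empty result for a folder that should contain only pictures or music is the signal the education workaround asks the user to look for.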

--------------------------------------------------------------
3. Torrents
This one is kind of nasty and can be very effective at contaminating large numbers of people. A torrent can contain a large number of files and can be used to get a malicious dll downloaded together with clean files without being noticed. This is very dangerous, especially if a big torrent tracker or database is compromised.
1). Attacker posts a custom torrent on a public tracker, containing a pack of mp3s and a malicious dll. The victim goes to listen to the new album and gets infected.
2). Attacker gains admin access to a torrent database (this actually happened to ThePirateBay not so long ago) and swaps a legitimate high-traffic torrent for an infected one. This could cause a massive infection in a matter of minutes.
Workaround: Do not allow BT and P2P through the perimeter firewall.

----------------------------------------------------------
4. Exploiting multiple application hijacks
Increasing the attack success rate by including multiple dlls that target the same file type.
1). Attacker shares a folder which contains a bunch of .avi files and three malicious dlls: one for VLC, another for Media Player Classic and, finally, the last one for Winamp. The attacker can now exploit three apps in the same attack, increasing the chance of the victim getting infected.

Workaround: Combine workarounds 1 and 4, or workarounds 3 and 4.
