Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DLL hijacking with Autorun on a USB drive

From: matt <matt () attackvector org>
Date: Fri, 27 Aug 2010 10:27:54 -0500
Dan,

While I agree with most of what you're saying, I do find this to be a pretty
serious issue, and here's why.

1) The file doesn't have to be fake.  It could be a legitimately real ppt,
vcf, eml, html, whatever.  The program(s) load the rogue DLL file and there
doesn't seem to be any major impact on the functionality of the software,
meaning that the end user wouldn't know that there was something hostile
taking place.  The file opens, they can view it, modify it, whatever, and
all the features seem to work.  Perception is reality.

2) This opens the door for more widespread attacks.  In the case of
PowerPoint, one could simply find a share on a network that contains a large
amount of ppt files and save his/her rogue DLL file in that directory.
 Then, whenever anyone opens one of the files, the attacker gets immediate
access to the victims PC without the victim having any idea.

3) People are getting smarter and do view .exe's as threats.  Yes, because
of the fact that extensions are usually hidden and that you can modify the
icon to be whatever you want it to, it's trivial to trick an end user into
clicking on just about anything.  However.. if I pass out my Power Point
presentation on a USB stick at a business meeting that has legitimate
content, no one is going to have any clue that anything else took place.
 There's also very little risk of detection, because you don't have to worry
about that one user who doesn't have extensions hidden, or someone noticing
that the icon looks funny, or different.  It simply makes for a more
stealthy attack.

To be honest, the whole DLL hijacking concept reminds me a lot of the old
temp race "vulnerabilities" from back in the day.  Is it really a
"vulnerability" in the true sense of the word?  Not really.. it's taking
advantage of a series of events and being first to cross the finish line.
 But, I believe that because we can get the system to execute arbitrary code
(OUR arbitrary code), this really does present a serious problem, just like
the old temp race conditions did.

Anyway, I appreciate the feedback.. and yes, ultimately I agree that
invoking this through Autorun is probably, for the most part, useless, but I
was asked if it was possible and I honestly wasn't sure that it would be,
which is why I wrote the post after I found out that it was.

- matt
www.attackvector.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: