Re: DLL hijacking with Autorun on a USB drive

[Christian Sciberras <uuf6429 () gmail com>]

You've written exactly what I was thinking....except considering the
big brains discussing this, I didn't deem the email worth a nickel.

But now I thought, well, why not express this concern?
Considering the "DOS via popups" (or "DOS in IE6") which we've been
having increasingly as of late, I really don't want myriad "me too"
dll injection "exploits".


Cheers.




On Tue, Aug 31, 2010 at 5:12 PM, Charles Morris <cmorris () cs odu edu> wrote:
> On Fri, Aug 27, 2010 at 11:27 AM, matt <matt () attackvector org> wrote:
> > Dan,
> > While I agree with most of what you're saying, I do find this to be a pretty
> > serious issue, and here's why.
> > 1) The file doesn't have to be fake.  It could be a legitimately real ppt,
> > vcf, eml, html, whatever.  The program(s) load the rogue DLL file and there
> > doesn't seem to be any major impact on the functionality of the software,
> > meaning that the end user wouldn't know that there was something hostile
> > taking place.  The file opens, they can view it, modify it, whatever, and
> > all the features seem to work.  Perception is reality.
> > 2) This opens the door for more widespread attacks.  In the case of
> > PowerPoint, one could simply find a share on a network that contains a large
> > amount of ppt files and save his/her rogue DLL file in that directory.
> >  Then, whenever anyone opens one of the files, the attacker gets immediate
> > access to the victims PC without the victim having any idea.
> > 3) People are getting smarter and do view .exe's as threats.  Yes, because
> > of the fact that extensions are usually hidden and that you can modify the
> > icon to be whatever you want it to, it's trivial to trick an end user into
> > clicking on just about anything.  However.. if I pass out my Power Point
> > presentation on a USB stick at a business meeting that has legitimate
> > content, no one is going to have any clue that anything else took place.
> >  There's also very little risk of detection, because you don't have to worry
> > about that one user who doesn't have extensions hidden, or someone noticing
> > that the icon looks funny, or different.  It simply makes for a more
> > stealthy attack.
> > To be honest, the whole DLL hijacking concept reminds me a lot of the old
> > temp race "vulnerabilities" from back in the day.  Is it really a
> > "vulnerability" in the true sense of the word?  Not really.. it's taking
> > advantage of a series of events and being first to cross the finish line.
> >  But, I believe that because we can get the system to execute arbitrary code
> > (OUR arbitrary code), this really does present a serious problem, just like
> > the old temp race conditions did.
> > Anyway, I appreciate the feedback.. and yes, ultimately I agree that
> > invoking this through Autorun is probably, for the most part, useless, but I
> > was asked if it was possible and I honestly wasn't sure that it would be,
> > which is why I wrote the post after I found out that it was.
> > - matt
> > www.attackvector.org
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> I'm going to be honest here, I see this whole "DLL Hijacking" thing as
> a non-issue. It's a known behavior. Don't run applications from
> untrusted locations- because then you can't trust the application- not
> just the DLLs it loads.
>
> We aren't in the UNIX world here, yes windows may have fine-grained
> permissions but with the bubbly/stupid GUI from Vista onward.. I'm not
> even sure how to use them off-hand- so I know for a fact
> random-user-sixpack can't do it. You can't just casually glance at a
> file on a random network share and know that nobody has been
> manipulating it; and it's stupid to think otherwise.
>
> Do you run random executables from flashdrives you find on the floor?
> Even if it has a solitaire icon? No.
>
> If there was a setuid root executable that gave you a nice game of
> solitaire over X, while running any script at /tmp/runme.dll^H^H^Hsh -
> would you call this a vulnerability or a horrible design choice?
> Especially so when it's -clearly- documented that it runs said script?
>
> And yes, the first thing to do on a windows desktop is to disable
> crappy menu fades, UAC, and "hide extensions";
> along with a slew of other garbage. I normally spend two hours in MMC
> as soon as it's up. It's time for others to do the same.
>
> If you want to "fix" this, you may of course implement signed DLLs,
> but then you get the issue of signed DLLs. It would just turn out to
> be another UAC or MS-Maintained "SSL Authority List".
>
> I suppose it would be nice if an application would compare a checksum
> of a DLL to a hardcoded value before it loaded it, but then you get
> the issue of newer (but fully compatible) DLL versions having
> different checksums, etc, etc. It's just a mess caused by stupid
> design by Microsoft.
>
> Now, if there was a way to move a CWD of a more-privileged-user
> process to a less-privileged-adversary defined directory before
> loading a given DLL, that would be a real vulnerability.
>
> > the old
> > temp race "vulnerabilities" from back in the day.  Is it really a
> > "vulnerability" in the true sense of the word?  Not really..
>
> Oh, and, race conditions are real vulnerabilities. There is no
> question/argument on this.
>
> Cheers,
> Charles
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/