Full Disclosure mailing list archives
Re: DLL hijacking with Autorun on a USB drive
From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 31 Aug 2010 17:18:39 +0200
You've written exactly what I was thinking....except considering the big brains discussing this, I didn't deem the email worth a nickel. But now I thought, well, why not express this concern? Considering the "DOS via popups" (or "DOS in IE6") which we've been having increasingly as of late, I really don't want myriad "me too" dll injection "exploits". Cheers. On Tue, Aug 31, 2010 at 5:12 PM, Charles Morris <cmorris () cs odu edu> wrote:
On Fri, Aug 27, 2010 at 11:27 AM, matt <matt () attackvector org> wrote:Dan, While I agree with most of what you're saying, I do find this to be a pretty serious issue, and here's why. 1) The file doesn't have to be fake. It could be a legitimately real ppt, vcf, eml, html, whatever. The program(s) load the rogue DLL file and there doesn't seem to be any major impact on the functionality of the software, meaning that the end user wouldn't know that there was something hostile taking place. The file opens, they can view it, modify it, whatever, and all the features seem to work. Perception is reality. 2) This opens the door for more widespread attacks. In the case of PowerPoint, one could simply find a share on a network that contains a large amount of ppt files and save his/her rogue DLL file in that directory. Then, whenever anyone opens one of the files, the attacker gets immediate access to the victims PC without the victim having any idea. 3) People are getting smarter and do view .exe's as threats. Yes, because of the fact that extensions are usually hidden and that you can modify the icon to be whatever you want it to, it's trivial to trick an end user into clicking on just about anything. However.. if I pass out my Power Point presentation on a USB stick at a business meeting that has legitimate content, no one is going to have any clue that anything else took place. There's also very little risk of detection, because you don't have to worry about that one user who doesn't have extensions hidden, or someone noticing that the icon looks funny, or different. It simply makes for a more stealthy attack. To be honest, the whole DLL hijacking concept reminds me a lot of the old temp race "vulnerabilities" from back in the day. Is it really a "vulnerability" in the true sense of the word? Not really.. it's taking advantage of a series of events and being first to cross the finish line. But, I believe that because we can get the system to execute arbitrary code (OUR arbitrary code), this really does present a serious problem, just like the old temp race conditions did. Anyway, I appreciate the feedback.. and yes, ultimately I agree that invoking this through Autorun is probably, for the most part, useless, but I was asked if it was possible and I honestly wasn't sure that it would be, which is why I wrote the post after I found out that it was. - matt www.attackvector.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/I'm going to be honest here, I see this whole "DLL Hijacking" thing as a non-issue. It's a known behavior. Don't run applications from untrusted locations- because then you can't trust the application- not just the DLLs it loads. We aren't in the UNIX world here, yes windows may have fine-grained permissions but with the bubbly/stupid GUI from Vista onward.. I'm not even sure how to use them off-hand- so I know for a fact random-user-sixpack can't do it. You can't just casually glance at a file on a random network share and know that nobody has been manipulating it; and it's stupid to think otherwise. Do you run random executables from flashdrives you find on the floor? Even if it has a solitaire icon? No. If there was a setuid root executable that gave you a nice game of solitaire over X, while running any script at /tmp/runme.dll^H^H^Hsh - would you call this a vulnerability or a horrible design choice? Especially so when it's -clearly- documented that it runs said script? And yes, the first thing to do on a windows desktop is to disable crappy menu fades, UAC, and "hide extensions"; along with a slew of other garbage. I normally spend two hours in MMC as soon as it's up. It's time for others to do the same. If you want to "fix" this, you may of course implement signed DLLs, but then you get the issue of signed DLLs. It would just turn out to be another UAC or MS-Maintained "SSL Authority List". I suppose it would be nice if an application would compare a checksum of a DLL to a hardcoded value before it loaded it, but then you get the issue of newer (but fully compatible) DLL versions having different checksums, etc, etc. It's just a mess caused by stupid design by Microsoft. Now, if there was a way to move a CWD of a more-privileged-user process to a less-privileged-adversary defined directory before loading a given DLL, that would be a real vulnerability.the old temp race "vulnerabilities" from back in the day. Is it really a "vulnerability" in the true sense of the word? Not really..Oh, and, race conditions are real vulnerabilities. There is no question/argument on this. Cheers, Charles _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: DLL hijacking with Autorun on a USB drive, (continued)
- Re: DLL hijacking with Autorun on a USB drive Larry Seltzer (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Florian Weimer (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive coderman (Aug 30)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Sherwyn (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Sherwyn (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 26)
- Re: DLL hijacking with Autorun on a USB drive matt (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Mario Vilas (Aug 27)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Dan Kaminsky (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Charles Morris (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive paul . szabo (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Valdis . Kletnieks (Aug 31)
- Re: DLL hijacking with Autorun on a USB drive Christian Sciberras (Aug 31)