Full Disclosure mailing list archives
Re: DLL hijacking with Autorun on a USB drive
From: matt <matt () attackvector org>
Date: Fri, 27 Aug 2010 10:27:54 -0500
Dan,

While I agree with most of what you're saying, I do find this to be a pretty serious issue, and here's why.

1) The file doesn't have to be fake. It could be a legitimately real ppt, vcf, eml, html, whatever. The program(s) load the rogue DLL file and there doesn't seem to be any major impact on the functionality of the software, meaning that the end user wouldn't know that there was something hostile taking place. The file opens, they can view it, modify it, whatever, and all the features seem to work. Perception is reality.

2) This opens the door for more widespread attacks. In the case of PowerPoint, one could simply find a share on a network that contains a large amount of ppt files and save his/her rogue DLL file in that directory. Then, whenever anyone opens one of the files, the attacker gets immediate access to the victim's PC without the victim having any idea.

3) People are getting smarter and do view .exe's as threats. Yes, because of the fact that extensions are usually hidden and that you can modify the icon to be whatever you want it to, it's trivial to trick an end user into clicking on just about anything. However.. if I pass out my Power Point presentation on a USB stick at a business meeting that has legitimate content, no one is going to have any clue that anything else took place. There's also very little risk of detection, because you don't have to worry about that one user who doesn't have extensions hidden, or someone noticing that the icon looks funny, or different. It simply makes for a more stealthy attack.

To be honest, the whole DLL hijacking concept reminds me a lot of the old temp race "vulnerabilities" from back in the day. Is it really a "vulnerability" in the true sense of the word? Not really.. it's taking advantage of a series of events and being first to cross the finish line. But, I believe that because we can get the system to execute arbitrary code (OUR arbitrary code), this really does present a serious problem, just like the old temp race conditions did.

Anyway, I appreciate the feedback.. and yes, ultimately I agree that invoking this through Autorun is probably, for the most part, useless, but I was asked if it was possible and I honestly wasn't sure that it would be, which is why I wrote the post after I found out that it was.

- matt
www.attackvector.org
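A defender's check for the shared-folder scenario in point 2 of the message above, as an added example that is not part of the original post: it walks a directory tree and reports folders where a DLL sits beside document files. The function names, the extension sets and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Document types named in the post; extend for your environment (assumption).
DOC_EXTS = {".ppt", ".vcf", ".eml", ".html"}
LIB_EXTS = {".dll"}


def find_colocated_dlls(root, doc_exts=DOC_EXTS, lib_exts=LIB_EXTS):
    """Return [(directory, [dlls], [docs])] for every directory under root
    that holds at least one library file next to at least one document."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls, docs = [], []
        for name in filenames:
            # Windows file names are case-insensitive, so compare lowercased.
            ext = os.path.splitext(name)[1].lower()
            if ext in lib_exts:
                dlls.append(name)
            elif ext in doc_exts:
                docs.append(name)
        if dlls and docs:
            findings.append((dirpath, sorted(dlls), sorted(docs)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout: a clean folder, a folder with a DLL beside
    documents, and a folder holding only a DLL (not flagged)."""
    layout = {
        "clean": ["q1.ppt", "q2.ppt"],
        "suspect": ["agenda.PPT", "contacts.vcf", "example.DLL"],
        "appdir": ["helper.dll", "readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for directory, dlls, docs in find_colocated_dlls(build_sample_tree(tmp)):
            print(f"{directory}: {dlls} next to {len(docs)} document(s)")
```

A hit is a lead for review, not a verdict: check the DLL's signature, owner and creation time against the documents around it.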