Full Disclosure mailing list archives
Re: Windows Mail Find People DLL side loading vulnerability
From: "Securify B.V." <lists () securify nl>
Date: Wed, 9 Mar 2016 18:29:49 +0100
Hi Stefan,

See below.

On 09-03-16 12:48, Stefan Kanthak wrote:
> "Securify B.V." wrote:
>
>> ------------------------------------------------------------------------
>> Windows Mail Find People DLL side loading vulnerability
>> ------------------------------------------------------------------------
>> Yorick Koster, September 2015
>
> This vulnerability demonstrates Microsoft's terrible SLOPPY coding
> horror^Wpractice: it needs two mistakes to create this kind of bug!
>
> "%CommonProgramFiles%\System\wab32res.dll" is (as its name implies) a
> resource DLL, which means that it contains no code, but only (localized)
> resources, and SHOULD (better: MUST) be loaded via
> LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> to avoid the call of its DllMain() startup code!
> See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
>
> JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!
>
> Either LoadLibrary("%CommonProgramFiles%\System\wab32res.dll") or
> LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE) were
> sufficient to avoid this vulnerability.
>
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> Microsoft released MS16-025 that fixes this vulnerability.
>
> Have you checked how Microsoft fixed it? Did they exercise all due
> diligence now, practised defense in depth and replaced the call to
> LoadLibrary("wab32res.dll") with a call to
> LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?
They still use LoadLibrary() to load wab32res.dll. Previously, they fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLPath using PathRemoveFileSpec(). By default DLLPath is set to %CommonProgramFiles%\System\wab32.dll; PathRemoveFileSpec() removes wab32.dll from the path. They also call ExpandEnvironmentStrings(), but that was also the case previously.
With kind regards,
Yorick

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
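An added audit script (not from the thread or from Microsoft) that reproduces, on a Windows host, the two path constructions described in the reply above: it reads the WAB DLLPath value, expands environment strings, and shows the path the pre-MS16-025 code built by appending wab32res.dll directly next to the path obtained after a PathRemoveFileSpec()-style strip. It assumes DLLPath is the (default) value of the key HKLM\SOFTWARE\Microsoft\WAB\DLLPath and uses Split-Path -Parent as the stand-in for PathRemoveFileSpec().

```powershell
# Added example, not code from the thread. Assumption: DLLPath is stored as the
# (default) value of the registry key HKLM\SOFTWARE\Microsoft\WAB\DLLPath.
function Get-WabDllPath {
    $key = 'HKLM:\SOFTWARE\Microsoft\WAB\DLLPath'
    if (-not (Test-Path -Path $key)) { throw "Key not found: $key" }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if ([string]::IsNullOrEmpty($raw)) { throw "Empty DLLPath value under $key" }
    return $raw
}

function Resolve-WabResourceDll {
    param([Parameter(Mandatory)][string]$DllPath)

    # Both the old and the patched loader expand environment strings first
    # (ExpandEnvironmentStrings() in the reply above).
    $expanded = [Environment]::ExpandEnvironmentVariables($DllPath)

    # Pre-MS16-025 behaviour: wab32res.dll appended straight onto DLLPath,
    # which by default names a file (wab32.dll), not a directory.
    $before = Join-Path -Path $expanded -ChildPath 'wab32res.dll'

    # MS16-025 behaviour: PathRemoveFileSpec() strips the file name first;
    # Split-Path -Parent is the closest built-in equivalent.
    $after = Join-Path -Path (Split-Path -Parent $expanded) -ChildPath 'wab32res.dll'

    [pscustomobject]@{
        DllPath        = $DllPath
        Expanded       = $expanded
        PreFixLoadPath = $before
        PreFixExists   = Test-Path -LiteralPath $before -PathType Leaf
        FixedLoadPath  = $after
        FixedExists    = Test-Path -LiteralPath $after -PathType Leaf
    }
}

$result = Resolve-WabResourceDll -DllPath (Get-WabDllPath)
$result | Format-List

if (-not $result.PreFixExists -and $result.FixedExists) {
    Write-Warning 'The path the unpatched loader builds does not name the real wab32res.dll; confirm MS16-025 is installed on this host.'
}
```

Run it from an elevated or standard PowerShell session; reading the key needs no special rights, and the output is informational only.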
Current thread:
- Windows Mail Find People DLL side loading vulnerability Securify B.V. (Mar 08)
- Re: Windows Mail Find People DLL side loading vulnerability Stefan Kanthak (Mar 09)
- Re: Windows Mail Find People DLL side loading vulnerability Securify B.V. (Mar 09)
- Re: Windows Mail Find People DLL side loading vulnerability Stefan Kanthak (Mar 09)