Thursday, August 26, 2010

New DLL injection attack in Windows

Microsoft has released an advisory on a vulnerability in Windows applications that allows an attacker to execute malicious code remotely on a victim's system.

Exploits have already been found targeting third-party applications. Microsoft is currently investigating whether any of its own applications are susceptible to this DLL injection attack.

Many friends have been asking me about this vulnerability, so I think it is worth explaining it in more detail and sharing it with everyone here.

The root cause of this vulnerability is the way applications load dynamic-link libraries (DLLs) by file name and leave it to Windows to find them; this is the designed behaviour of Windows, not a bug in one product. To understand the attack, you need to know how Windows locates a DLL.

Windows ships a large number of DLLs, and applications use functions from those DLLs (and from their own) by loading the library at run time. If the application asks for the DLL by file name only, rather than by full path, Windows does not simply look in one place: it walks a fixed list of directories and loads the first copy it finds. With SafeDllSearchMode enabled, which is the default since Windows XP SP2, the order is as follows.

Search order:
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.

If multiple directories hold a DLL with the same name, the first match wins. With SafeDllSearchMode disabled, the current directory moves up to second place, immediately after the application directory, which makes the attack much easier. A DLL requested by full path, or one that is already loaded or listed in KnownDLLs, does not go through this search at all.

The attack exploits this search order. The attacker plants a DLL carrying the exact name the application will ask for in a directory that Windows searches before the one holding the legitimate copy, or, for a DLL the application merely probes for and that is not installed anywhere, in any directory on the list. The most practical such directory is the current directory, because it becomes attacker-controlled whenever a user opens a document from a network share or WebDAV location the attacker runs; the application then loads the malicious DLL with the user's privileges.

Fix and workaround
Microsoft says this flaw cannot be fixed in Windows itself without "breaking expected functionality", because many applications are written to load their libraries by file name only rather than by full directory path. The real fix therefore belongs in each application: load DLLs by full path, or remove the current directory from the search by calling SetDllDirectory with an empty string.

Microsoft did, however, provide workarounds. Update KB 2264107 adds a CWDIllegalInDllSearch registry value that disables loading of libraries from WebDAV and remote network shares, and the advisory also suggests disabling the WebClient service and blocking outbound SMB (TCP ports 139 and 445) at the firewall. For more details, refer to Microsoft Security Advisory 2269637.
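To make the search order and the KB 2264107 workaround concrete, here is a small model of both in Python. It is an added example, not code from the original post or from Microsoft: the application directory, the share path, the DLL names and the PATH entries are constructed, and the model deliberately ignores KnownDLLs and already-loaded modules, which short-circuit the search on a real system. It resolves a DLL requested by bare file name under the default (safe) order, under the legacy order, and with the CWDIllegalInDllSearch value set to block a remote current directory.

```python
"""
Model of the Windows DLL search order and of the two settings that move or
remove the current working directory (CWD) from it: SafeDllSearchMode (on by
default since Windows XP SP2) and the CWDIllegalInDllSearch registry value
from KB 2264107.  Added example; directory layout and DLL names are constructed.
"""
from dataclasses import dataclass

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"      # 16-bit system directory
WINDIR = r"C:\Windows"

# Values of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch
CWD_DEFAULT = 0                # CWD stays in the search order
CWD_BLOCK_WEBDAV = 1           # skip CWD when it is a WebDAV folder
CWD_BLOCK_REMOTE = 2           # skip CWD when it is any remote folder (WebDAV or UNC)
CWD_BLOCK_ALWAYS = 0xFFFFFFFF  # never search CWD


@dataclass(frozen=True)
class Cwd:
    path: str
    kind: str = "local"  # "local", "unc" or "webdav": what the redirector would report


def cwd_is_searched(cwd: Cwd, policy: int) -> bool:
    """Apply the CWDIllegalInDllSearch policy to the current directory."""
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_REMOTE:
        return cwd.kind == "local"
    if policy == CWD_BLOCK_WEBDAV:
        return cwd.kind != "webdav"
    return True


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True, policy=CWD_DEFAULT):
    """Directories probed, in order, for a DLL requested by bare file name."""
    order = [app_dir]
    cwd_slot = [cwd.path] if cwd_is_searched(cwd, policy) else []
    if not safe_dll_search_mode:
        order += cwd_slot          # legacy order: CWD right after the app directory
    order += [SYSTEM32, SYSTEM16, WINDIR]
    if safe_dll_search_mode:
        order += cwd_slot          # safe order: CWD only after the Windows directories
    return order + list(path_dirs)


def resolve(dll_name, filesystem, app_dir, cwd, path_dirs, **opts):
    """Return the directory whose copy of dll_name wins, or None (the load fails)."""
    for directory in search_order(app_dir, cwd, path_dirs, **opts):
        if dll_name.lower() in filesystem.get(directory, set()):
            return directory
    return None


# Constructed scenario: the user opens report.doc from an attacker's share, so the
# viewer's CWD is that share, which also holds two planted DLLs.
APP_DIR = r"C:\Program Files\Viewer"
SHARE = r"\\evil.example\docs"
PATH_DIRS = [r"C:\Tools"]
FS = {
    APP_DIR: {"viewer.exe"},
    SYSTEM32: {"dwmapi.dll"},
    SHARE: {"report.doc", "dwmapi.dll", "optional-plugin.dll"},
}


def demo():
    cwd = Cwd(SHARE, kind="unc")
    return {
        # A DLL that exists in System32: the safe order reaches System32 first...
        "present_safe": resolve("dwmapi.dll", FS, APP_DIR, cwd, PATH_DIRS),
        # ...but the legacy order (SafeDllSearchMode=0) reaches the share first.
        "present_legacy": resolve("dwmapi.dll", FS, APP_DIR, cwd, PATH_DIRS,
                                  safe_dll_search_mode=False),
        # A DLL the application merely probes for and that is installed nowhere:
        # the search falls through to the CWD even with SafeDllSearchMode on.
        "absent_safe": resolve("optional-plugin.dll", FS, APP_DIR, cwd, PATH_DIRS),
        # The KB 2264107 workaround drops a remote CWD from the search entirely.
        "absent_blocked": resolve("optional-plugin.dll", FS, APP_DIR, cwd, PATH_DIRS,
                                  policy=CWD_BLOCK_REMOTE),
    }


if __name__ == "__main__":
    for case, winner in demo().items():
        print(f"{case:15} -> {winner}")
```

The third case is the one that matters most in practice: applications routinely probe for optional DLLs that are not installed, and for those the safe search order offers no protection, because nothing earlier in the list can satisfy the request before the current directory is tried. The fourth case shows that the registry workaround closes that path for remote shares, at the cost that an application which genuinely keeps a helper DLL next to a document on a share will now fail to load it.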

Related reports:
- The Register: Microsoft confirms code-execution bug in Windows apps

- Dark Reading: Microsoft Issues Advisory On New DLL Hijacking Attack

