Thursday, August 26, 2010

New DLL injection attack in Windows

Microsoft has released an advisory on a vulnerability in Windows applications that allows an attacker to execute malicious code remotely on a victim's system.

Some exploits have already been found attacking third-party applications. Microsoft is currently investigating whether any of its own applications are susceptible to this DLL injection attack (also called DLL hijacking or DLL preloading).

Many friends have been asking me about this vulnerability. I think it will be good to explain it in more detail and share it with everyone here.

The root cause of this vulnerability is the way Windows locates a dynamic-link library (DLL) when an application loads it, which is by design. To understand it, you need to know how DLLs are used in Windows.

Windows ships many DLLs, and programmers use the functions exported by these DLLs in their applications. When an application loads a DLL by file name only (for example LoadLibrary("foo.dll") with no directory), Windows does not know where the file lives, so it walks a fixed list of directories and loads the first copy it finds.

Search order (with SafeDllSearchMode enabled, the default since Windows XP SP2):
1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.

If more than one directory holds a DLL with the same name, the first match in this order is used.

The attack exploits this search behaviour. If the application asks for a DLL it does not ship, or for one that does not exist on the system at all, Windows keeps walking down the list, and step 5, the current directory, can be a location the attacker controls, such as a network share or WebDAV server holding a document the user was tricked into opening. The attacker's DLL is then loaded into the application's process and its code runs.

Fix and workaround
Microsoft says this flaw cannot be fixed in Windows itself without "breaking expected functionality", because many applications are written to search for their libraries by file name only rather than by full directory path.

Microsoft did, however, provide workarounds, such as a registry setting (CWDIllegalInDllSearch) that disables loading of libraries from WebDAV and remote network shares, and guidance for developers to load DLLs by full path or to remove the current directory from the search order with SetDllDirectory(""). For more details, refer to Microsoft Security Advisory (2269637), "Insecure Library Loading Could Allow Remote Code Execution".
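To make the search order and the workaround concrete, here is a small model of the lookup described above. This is an added example written for this post, not Windows or Microsoft code: the directory listings are constructed, %PATH% is assumed, the WebDAV detection is a simplification (real Windows asks the redirector), and the constant names for the CWDIllegalInDllSearch values are this example's own. The scenario is the classic one: the user opens report.doc from an attacker's share, so the application's current directory becomes that share.

```python
import ntpath

# CWDIllegalInDllSearch values from Microsoft's fix-it (KB 2264107);
# the constant names are this example's own.
NO_RESTRICTION = 0        # legacy behaviour: the current directory is searched
BLOCK_WEBDAV = 1          # skip the current directory if it is a WebDAV share
BLOCK_REMOTE = 2          # skip it if it is any remote (UNC or WebDAV) share
REMOVE_CWD = 0xFFFFFFFF   # never search the current directory

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows", r"C:\Tools"]  # assumed %PATH%

APP_DIR = r"C:\Program Files\App"
EVIL_SHARE = r"\\evil\share"              # attacker-controlled SMB share
EVIL_WEBDAV = r"\\evil@SSL\DavWWWRoot"    # attacker-controlled WebDAV share

# Constructed directory listings: the application ships helper.dll, asks for
# an optional plugin.dll that it does not ship, and the attacker has planted
# copies of everything next to the bait document on the share.
FILESYSTEM = {
    APP_DIR: {"app.exe", "helper.dll"},
    SYSTEM_DIR: {"kernel32.dll", "user32.dll"},
    r"C:\Users\alice\Documents": {"report.doc"},
    EVIL_SHARE: {"report.doc", "helper.dll", "kernel32.dll", "plugin.dll"},
    EVIL_WEBDAV: {"report.doc", "plugin.dll"},
}


def is_remote(path):
    return path.startswith("\\\\")


def is_webdav(path):
    # Simplification: UNC paths carrying the WebDAV redirector markers.
    low = path.lower()
    return is_remote(path) and ("@ssl" in low or "davwwwroot" in low)


def search_order(app_dir, cwd, policy=NO_RESTRICTION):
    """Directories probed, in order, when a DLL is requested by name only."""
    skip_cwd = (policy == REMOVE_CWD
                or (policy == BLOCK_REMOTE and is_remote(cwd))
                or (policy == BLOCK_WEBDAV and is_webdav(cwd)))
    order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if not skip_cwd:
        order.append(cwd)  # step 5: the directory the attacker can control
    order.extend(PATH_DIRS)
    return order


def _contains(directory, filename):
    names = {f.lower() for f in FILESYSTEM.get(directory, ())}
    return filename.lower() in names


def resolve_dll(name, app_dir, cwd, policy=NO_RESTRICTION):
    """Return the path Windows would load for `name`, or None if not found."""
    head, tail = ntpath.split(name)
    if head:
        # Full path given: no search at all, the attacker's copy is never considered.
        return name if _contains(head, tail) else None
    for directory in search_order(app_dir, cwd, policy):
        if _contains(directory, tail):
            return ntpath.join(directory, tail)
    return None


if __name__ == "__main__":
    for policy, label in ((NO_RESTRICTION, "default"),
                          (BLOCK_REMOTE, "CWDIllegalInDllSearch=2")):
        for dll in ("helper.dll", "kernel32.dll", "plugin.dll"):
            found = resolve_dll(dll, APP_DIR, EVIL_SHARE, policy)
            print(f"{label:24} {dll:14} -> {found}")
```

Running it shows the three cases side by side: helper.dll and kernel32.dll are safe because the application directory and System32 come before the current directory, but plugin.dll, which exists nowhere on the machine, falls through to \\evil\share under the default policy and is not found at all once the current directory is excluded. The same holds for an application that loads by full path, which is the developer-side fix.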

Related reports:
- The Register: Microsoft confirms code-execution bug in Windows apps

- Dark Reading: Microsoft Issues Advisory On New DLL Hijacking Attack


Saturday, August 14, 2010

XSS found in Linkbucks.com

The Linkbucks.com website was found to be vulnerable to cross-site scripting (XSS), which could be exploited by injecting malicious scripts into its pages.



Vulnerability Description:
==================
Linkbucks.com is a well-known advertising network site that brings web users, websites and marketers together. The XSS vulnerability was found in the Default.aspx page: script can be injected through the Message and ReturnUrl parameters, which are reflected into the page without being sanitised. This can be exploited to inject arbitrary HTML and malicious script code, which executes in the user's browser session. Because ReturnUrl is also used as a redirect target, unvalidated redirection and forwarding is possible as well.

Vulnerability testing:
===============
Vulnerable URL: http://www.linkbucks.com/Default.aspx?
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3

A simple alert("You are hACked by w01f") script was injected into the Default page. It was executed and displayed by the web browser, so arbitrary malicious script could be executed in the same way.



Below is a video demonstration of exploiting the XSS vulnerability through the redirection. It redirects to my blog; a hacker could instead redirect to a spoofed Linkbucks site carrying malicious code.



Remediation:
==========
The Message and ReturnUrl parameters need to be properly validated and encoded before they are reflected into the page shown after a user logs out. The Linkbucks support team was contacted about the vulnerability (support ticket #KHT-97974-227), but so far no fix has been made.
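For anyone fixing a page like this, here is what the remediation looks like in code. This is an added example and not Linkbucks' code: the vulnerable handler is an assumed reconstruction of the reported behaviour (Message and ReturnUrl written into the page verbatim), the hardened one HTML-encodes Message for its element context and lets ReturnUrl through only if it is a local absolute path or an http(s) URL on the site's own host, which is assumed here to be www.linkbucks.com. It is written in Python rather than ASP.NET so that it runs stand-alone; the same checks apply to any server-side language.

```python
import html
from urllib.parse import urlsplit

SITE_HOST = "www.linkbucks.com"  # assumed: the only host a ReturnUrl may point to


def vulnerable_logout_page(message, return_url):
    """Assumed reconstruction of the reported behaviour: both parameters are
    written into the page verbatim, so Message carries the XSS payload and
    ReturnUrl becomes an open redirect."""
    return (f'<p>{message}</p>\n'
            f'<a href="{return_url}">Return</a>')


def safe_return_url(return_url, default="/"):
    """Allow only a local absolute path or an http(s) URL on SITE_HOST;
    anything else falls back to `default`."""
    if not return_url:
        return default
    # Backslashes and control characters are normalised by browsers in ways
    # that defeat naive prefix checks ("/\evil.example" is treated as "//evil.example").
    if any(c == "\\" or ord(c) < 0x20 for c in return_url):
        return default
    try:
        parts = urlsplit(return_url)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return default
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only our own host over http(s).
        # .hostname strips userinfo and port, so "http://www.linkbucks.com@evil.example"
        # and "http://www.linkbucks.com.evil.example" both fail the comparison.
        if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
            return return_url
        return default
    if not return_url.startswith("/"):
        return default
    return return_url


def safe_logout_page(message, return_url):
    """Hardened version: encode the message for the HTML element context and
    put only a validated target into the href attribute (encoded as well)."""
    target = safe_return_url(return_url)
    return (f'<p>{html.escape(message, quote=True)}</p>\n'
            f'<a href="{html.escape(target, quote=True)}">Return</a>')


if __name__ == "__main__":
    payload = '<script>alert("You are hACked by w01f")</script>'
    print(vulnerable_logout_page(payload, "//evil.example/"))
    print(safe_logout_page(payload, "//evil.example/"))
    print(safe_logout_page("Logged out", "https://www.linkbucks.com/account"))
```

Note that validation of ReturnUrl happens on the decoded parameter value, and that the encoded message is only safe inside an element body or a quoted attribute; reflecting it into a script block or an unquoted attribute would need a different encoder.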