Date: Tue, 31 Aug 2010 17:18:39 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking with Autorun on a USB drive

You've written exactly what I was thinking....except considering the
big brains discussing this, I didn't deem the email worth a nickel.

But now I thought, well, why not express this concern?
Considering the "DOS via popups" (or "DOS in IE6") which we've been
having increasingly as of late, I really don't want myriad "me too"
dll injection "exploits".


Cheers.




On Tue, Aug 31, 2010 at 5:12 PM, Charles Morris <cmorris@...odu.edu> wrote:
> On Fri, Aug 27, 2010 at 11:27 AM, matt <matt@...ackvector.org> wrote:
>> Dan,
>> While I agree with most of what you're saying, I do find this to be a pretty
>> serious issue, and here's why.
>> 1) The file doesn't have to be fake.  It could be a legitimately real ppt,
>> vcf, eml, html, whatever.  The program(s) load the rogue DLL file and there
>> doesn't seem to be any major impact on the functionality of the software,
>> meaning that the end user wouldn't know that there was something hostile
>> taking place.  The file opens, they can view it, modify it, whatever, and
>> all the features seem to work.  Perception is reality.
>> 2) This opens the door for more widespread attacks.  In the case of
>> PowerPoint, one could simply find a share on a network that contains a large
>> amount of ppt files and save his/her rogue DLL file in that directory.
>>  Then, whenever anyone opens one of the files, the attacker gets immediate
>> access to the victims PC without the victim having any idea.
>> 3) People are getting smarter and do view .exe's as threats.  Yes, because
>> of the fact that extensions are usually hidden and that you can modify the
>> icon to be whatever you want it to, it's trivial to trick an end user into
>> clicking on just about anything.  However.. if I pass out my Power Point
>> presentation on a USB stick at a business meeting that has legitimate
>> content, no one is going to have any clue that anything else took place.
>>  There's also very little risk of detection, because you don't have to worry
>> about that one user who doesn't have extensions hidden, or someone noticing
>> that the icon looks funny, or different.  It simply makes for a more
>> stealthy attack.
>> To be honest, the whole DLL hijacking concept reminds me a lot of the old
>> temp race "vulnerabilities" from back in the day.  Is it really a
>> "vulnerability" in the true sense of the word?  Not really.. it's taking
>> advantage of a series of events and being first to cross the finish line.
>>  But, I believe that because we can get the system to execute arbitrary code
>> (OUR arbitrary code), this really does present a serious problem, just like
>> the old temp race conditions did.
>> Anyway, I appreciate the feedback.. and yes, ultimately I agree that
>> invoking this through Autorun is probably, for the most part, useless, but I
>> was asked if it was possible and I honestly wasn't sure that it would be,
>> which is why I wrote the post after I found out that it was.
>> - matt
>> www.attackvector.org
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> I'm going to be honest here, I see this whole "DLL Hijacking" thing as
> a non-issue. It's a known behavior. Don't run applications from
> untrusted locations- because then you can't trust the application- not
> just the DLLs it loads.
>
> We aren't in the UNIX world here, yes windows may have fine-grained
> permissions but with the bubbly/stupid GUI from Vista onward.. I'm not
> even sure how to use them off-hand- so I know for a fact
> random-user-sixpack can't do it. You can't just casually glance at a
> file on a random network share and know that nobody has been
> manipulating it; and it's stupid to think otherwise.
>
> Do you run random executables from flashdrives you find on the floor?
> Even if it has a solitaire icon? No.
>
> If there was a setuid root executable that gave you a nice game of
> solitaire over X, while running any script at /tmp/runme.dll^H^H^Hsh -
> would you call this a vulnerability or a horrible design choice?
> Especially so when it's -clearly- documented that it runs said script?
>
> And yes, the first thing to do on a windows desktop is to disable
> crappy menu fades, UAC, and "hide extensions";
> along with a slew of other garbage. I normally spend two hours in MMC
> as soon as it's up. It's time for others to do the same.
>
> If you want to "fix" this, you may of course implement signed DLLs,
> but then you get the issue of signed DLLs. It would just turn out to
> be another UAC or MS-Maintained "SSL Authority List".
>
> I suppose it would be nice if an application would compare a checksum
> of a DLL to a hardcoded value before it loaded it, but then you get
> the issue of newer (but fully compatible) DLL versions having
> different checksums, etc, etc. It's just a mess caused by stupid
> design by Microsoft.
>
> Now, if there was a way to move a CWD of a more-privileged-user
> process to a less-privileged-adversary defined directory before
> loading a given DLL, that would be a real vulnerability.
>
>> the old
>> temp race "vulnerabilities" from back in the day.  Is it really a
>> "vulnerability" in the true sense of the word?  Not really..
>
> Oh, and, race conditions are real vulnerabilities. There is no
> question/argument on this.
>
> Cheers,
> Charles
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists