lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTi=GdzcDnZkctBPreuXCK5RMYOGWYuw1Bme3AooH@mail.gmail.com>
Date: Thu, 2 Sep 2010 15:17:52 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: p8x <l@....net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking POC (failed, see for yourself)

Yes, I've found it too.





On Thu, Sep 2, 2010 at 12:05 PM, p8x <l@....net> wrote:
> Hi Christian,
>
> I noticed MS pushed out an update a couple of days ago - on the PC's
> that have had the update applied the POC does not work for me, where as
> an unpatched machine the POC works.
>
> Has that update been installed?
>
> p8x
>
> On 2/09/2010 7:43 AM, Christian Sciberras wrote:
>> I wrote my own example POC.
>>
>> The files described herein can be found at:
>> http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
>>
>> The above zip files contains: binaries, sources, example (folder structure)
>>
>> The source code is in Pascal, written in Lazarus to be precise.
>>
>> There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
>> The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):
>>
>> DHPOC\example\the-install-folder\
>> DHPOC\example\the-install-folder\dhpocApp.exe
>> DHPOC\example\the-install-folder\dhpocDll.dll
>> DHPOC\example\the-remote-folder
>> DHPOC\example\the-remote-folder\example.dhpoc
>> DHPOC\example\the-remote-folder\dhpocDll.dll
>>
>> While testing this, I noticed that the dll hijack exploit completely
>> failed my tests (on Windows 7 64bit).
>> That is, the dll inside the-remote-folder was never loaded, that is,
>> even when example.dhpoc was opened.
>> Also not that in order to fully test it out, I also chdir'd to the
>> target file directory, ie, the-remote-folder; to no avail.
>>
>> The only way I got it working was by renaming/deleting dhpocDll.dll in
>> the-install-folder to something else, in which case running
>> dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
>> load.
>>
>> Finally, I tried testing the zip issue mentioned lately.
>>
>> With everything set up correctly (zipped the-remote-folder and
>> the-install-folder uncompressed), it worked as expected, ie the good
>> dll was loaded.
>> After removing the dll from the-install-folder, the program ceased to
>> work correctly, ie, it neither loaded the zipped dll nor could it load
>> the initial dll.
>>
>>
>>
>>
>> I ran these tests and wrote this code under an hour, so I can
>> guarantee there might be serious flaws around, or things which I
>> should have tested but didn't.
>> So far, I've ran these tests twice, so unless I've got a software
>> fault (which somehow made the software secure?!), this dll hijack
>> issue is either a thing of the best, pretty rare, or, pretty much
>> useless (consider the recent POC where the user was required to open a
>> contact book several before it hopefully worked...).
>>
>>
>>
>> Cheers,
>> Christian Sciberras.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ