[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <56E05D8D.1080006@securify.nl>
Date: Wed, 9 Mar 2016 18:29:49 +0100
From: "Securify B.V." <lists@...urify.nl>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Windows Mail Find People DLL side loading vulnerability
Hi Stefan,
See below.
On 09-03-16 12:48, Stefan Kanthak wrote:
> "Securify B.V." wrote:
>
>> ------------------------------------------------------------------------
>> Windows Mail Find People DLL side loading vulnerability
>> ------------------------------------------------------------------------
>> Yorick Koster, September 2015
> This vulnerability demonstrates Microsoft's terrible SLOPPY coding
> horror^Wpractice: it needs two mistakes to create this kind of bug!
>
> "%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
> a resource DLL, which means that it contains no code, but only
> (localized) resources, and SHOULD (better: MUST) be loaded via
> LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> to avoid the call of its DllMain() startup code!
> See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
>
> JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!
>
> Either
> LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
> or
> LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> were sufficient to avoid this vulnerability.
>
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> Microsoft released MS16-025 that fixes this vulnerability.
> Have you checked how Microsoft fixed it?
> Did they exercise all due diligence now, practised defense in depth
> and replaced the call to
> LoadLibrary("wab32res.dll")
> with a call to
> LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?
They still use LoadLibrary() to load wab32res.dll. Previously, the
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended
wab32res.dll to the result, which was fed into LoadLibrary().
With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). By
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll,
PathRemoveFileSpec() removes wab32.dll from the path. They also call
ExpandEnvironmentStrings(), but that was also the case previously.
With kind regards,
Yorick
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists