Overview
Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result, these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location.
Description
Dynamically Linked Libraries (DLLs) are executable software components that are incorporated into a program at run-time rather than when the program is compiled and linked. Functions included in these libraries can be loaded in different ways by an application. In the case of run-time dynamic linking, a module uses the LoadLibrary() or LoadLibraryEx() functions to load the DLL at run time. If the location of the DLL to be loaded is not specified (such as specifying a fully qualified path name) by the application, Microsoft Windows defines an order in which directories are searched for the named DLL. By default, this search order contains the current directory of the process. If an attacker can cause an affected application to call LoadLibrary() while the application's current directory is set to one controlled by the attacker, that application may run the attacker's code from a specially named DLL also supplied in that directory. This can occur when the affected application opens a normal file typically associated with it from the attacker-controlled directory. The specific name of the DLL that an attacker would need to choose varies depending on the affected application. |
Impact
A remote, unauthenticated attacker with the ability to supply a malicious DLL may be able to execute arbitrary code on a vulnerable system. In the most likely exploit scenario, an attacker could host this malicious DLL on a USB drive or network share. The attacker-supplied code would be run with the privileges of the user of the affected application. |
Solution
Apply a patch from the vendor |
For Administrators: Note This workaround requires installation of the tool described in Microsoft Knowledge Base Article 2264107. Microsoft has released a tool which allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis. Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] "CWDIllegalInDllSearch"=dword:ffffffff Disable the WebClient service According to Microsoft Security Advisory 2269637: Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet. To disable the WebClient Service, follow these steps:
While this workaround does not remove the vulnerability, it does block an attack vector for this vulnerability. Block outgoing SMB traffic Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this vulnerability. |
Vendor Information
This list is known to be incomplete. |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
| Temporal | 0 | E:F/RL:TF/RC:ND |
| Environmental | 0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://www.cert.org/blogs/vuls/2008/09/carpet_bombing_and_directory_p.html
- http://blog.mandiant.com/archives/1207
- http://msdn.microsoft.com/en-us/library/Aa297182
- http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html
- http://msdn.microsoft.com/en-us/library/ms684175%28VS.85%29.aspx
- http://www.acrossecurity.com/aspr/ASPR-2010-04-12-1-PUB.txt
- http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt
- http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt
- http://www.securityfocus.com/bid/1699/discuss
- http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
- http://blog.rapid7.com/?p=5325
- http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
- https://www.microsoft.com/technet/security/advisory/2269637.mspx
- http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
- http://blogs.msdn.com/b/david_leblanc/archive/2010/08/23/another-technique-for-fixing-dll-preloading-attacks.aspx
- http://support.microsoft.com/kb/2264107
- http://www.guninski.com/officedll.html
Acknowledgements
Instances and variations of this vulnerability were independently discovered by a number of researchers, including Georgi Guninski; Simon Raner, Jure Skofic and Mitja Kolsek of ACROS Security; Taeho Kwon and Zhendong Su; H.D. Moore. Some vendor information comes from Secunia.
This document was written by Chad R Dougherty.
Other Information
| CVE IDs: | CVE-2010-1795 |
| Severity Metric: | 64.13 |
| Date Public: | 1998-03-18 |
| Date First Published: | 2010-08-25 |
| Date Last Updated: | 2016-10-13 14:01 UTC |
| Document Revision: | 63 |