Microsoft (and others’) DLL Load Hijacking Bug – Remote Exploit Possible

Microsoft’s security advisory that came out Monday is a bit vague on this bug, but the issue is a more serious matter than the advisory lets on and deserves security pros’ attention, especially if your company uses in-house applications.  MS KB is here.  The issue itself is not new, but the recently published research that details remote attack vectors is.

A more in-depth analysis of this issue (a good read), along with confirmation that public exploit code exists, can be found here.

Metasploit has a detection module and audit kit for this bug that can be used to discover applications that are vulnerable to insecure DLL loading (and also to exploit them).

This bug, at the moment, requires a user to open a file that has a bogus DLL sitting in the same directory.  Many applications are vulnerable (both Microsoft and 3rd party), but Microsoft is leaving it to those vendors and to internal development teams to release application-specific updates.  Also, for an application to be vulnerable it must accept files as input.  I’m working on getting the list of known vulnerable applications.

The remote vector uses SMB, which is hopefully blocked at your perimeter; WebDAV usually is not, though.

Office documents with embedded content are another vector, as well as USB drives.

The KB above and this MS SRD blog entry point to an MS-developed tool that will mitigate most of this threat.  It’s an optional download and will not be delivered through Microsoft Update.

The SRD blog states that if you disable outbound SMB and kill the WebDAV client service on workstations you’re good to go (although the attack vectors of a locally hosted share or a USB thumb drive will still persist), so it may be worthwhile looking at the MS fix tool.
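As an added example (not from the original post, Microsoft, or the SRD blog), here is a PowerShell posture check for the three workarounds described above: the CWD DLL-search hardening the MS fix tool switches on, the WebDAV client service, and outbound SMB. It assumes the fix tool (KB2264107) is already installed so that the CWDIllegalInDllSearch registry value is honoured, and that the firewall cmdlets of Windows 8 / Server 2012 or later are available; the rule name and the chosen value 2 are this script's own choices. Without -Remediate it only reports.

```powershell
# Workstation posture check for the DLL-preloading workarounds.
# Added example, not the original post's or Microsoft's code. Run elevated.
param([switch]$Remediate)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$regName = 'CWDIllegalInDllSearch'
# Meaning of the DWORD (from KB2264107, recalled here, not taken from this post):
#   1          - do not load DLLs from the CWD when the CWD is a WebDAV share
#   2          - do not load DLLs from the CWD when the CWD is any remote share
#   0xFFFFFFFF - never load DLLs from the CWD (strongest; may break older apps)
# Value 2 is this script's choice: it covers the remote vectors (SMB/WebDAV)
# while leaving local document folders alone.
$desired = 2
$findings = @()

# 1. CWD DLL-search hardening (only effective once KB2264107 is installed).
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
# PowerShell reads a REG_DWORD of 0xFFFFFFFF back as -1, so treat that as fully hardened.
$hardened = ($null -ne $current) -and (($current -eq -1) -or ($current -ge $desired))
if (-not $hardened) {
    $findings += "CWDIllegalInDllSearch is '$current': the current directory is still searched for DLLs loaded from remote shares"
    if ($Remediate) {
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value $desired -Force | Out-Null
    }
}

# 2. WebDAV client service (the WebClient service is the WebDAV redirector).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
if ($svc -and ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')) {
    $findings += "WebClient service is $($svc.State) with start mode $($svc.StartMode): WebDAV UNC paths will resolve"
    if ($Remediate) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# 3. Outbound SMB (TCP 445 and NetBIOS session 139) blocked by the host firewall.
# Hypothetical rule name chosen for this example.
$ruleName = 'Block outbound SMB (DLL preload mitigation)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule -or $rule.Enabled -ne 'True') {
    $findings += "No enabled host-firewall rule '$ruleName': outbound SMB is allowed from this workstation"
    if ($Remediate) {
        if (-not $rule) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
                -Protocol TCP -RemotePort 445,139 -Profile Any | Out-Null
        } else {
            Enable-NetFirewallRule -DisplayName $ruleName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: CWD DLL loading restricted, WebClient disabled, outbound SMB blocked.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) { Write-Output 'Remediation applied; re-run without -Remediate to confirm.' }
}
```

Note that the registry value does nothing until the KB2264107 update is installed, which is why the SRD blog treats it as a separate download rather than a plain registry change, and that blocking outbound SMB at the host will also cut access to legitimate file servers unless you scope the rule with -RemoteAddress.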
