DLL Hijacking

Hoy vamos a hablar de la vulnerabilidad de DLL Hijacking que se empezó a dilucir en el año 2000 por Georgi Guninski y que ha saltado recientemente a la palestra debido a la publicación de los artículos de Moore (el creador de Metasploit): Exploiting DLL Hijacking Flaws y su kit para encontrar aplicaciones vulnerables Better, Faster, Stronger: DLLHijaAuditKit v2.

Esta vulnerabilidad afecta a numerosas o quizás a la mayoría de las aplicaciones de Windows debido a que utilizan métodos inseguros para cargar DLLs (Dynamically Linked Libraries).

Cuando una aplicación mediante LoadLibrary() o LoadLibraryEx() intenta cargar funciones adicionales enlazando en tiempo real con una librería dinámica y no se especifica su ruta completa, Windows define como primer orden de búsqueda de la DLL el directorio actual del proceso: http://msdn.microsoft.com/en-us/library/ms682586%28v=VS.85%29.aspx.

Si un usuario abre un fichero legítimo mediante una aplicación afectada y en el mismo directorio se encuentra una DLL maliciosa (renombrada como la original), un atacante podría conseguir la ejecución de código arbitrario a través de la carga de esa librería modificada.

Veamos un ejemplo. Imaginemos que un atacante comparte un recurso en red en el que sitúa un video multimedia y una DLL maliciosa simulando tratarse de un códec. Cuando la víctima intenta reproducir el archivo, su media player no reconoce el formato del fichero e intenta cargar un códec desde el mismo directorio. En ese intento de reproducir el archivo, el reproductor cargará la DLL maliciosa y ejecutará el código del atacante.

Ahora buscar en Exploit Database y encontraréis "exploits dllhijacking" para aplicaciones como Power Point, Firefox, Visio, Adobe, Winamp, Google Earth, Photoshop, uTorrent, Wireshark, Acunetix, etc, etc, etc. Con esto podemos hacernos una idea de la facilidad de explotación de esta vulnerabilidad actualmente, así como los vectores de ataque existentes: SMB, ZIPs, WebDAV, pendrives...

¿Y qué podemos hacer para defendernos contra el DLL Hijacking? Pues nosotros recomendamos sobretodo modificar el comportamiento el algoritmo de ruta de búsqueda del archivo DLL que utilizan LoadLibrary y LoadLibraryEx mediante la clave de registro CWDIllegalInDllSearch (http://support.microsoft.com/kb/2264107).

Mientras esperaremos que los distintos fabricantes vayan parcheando sus aplicaciones ;-) (Microsoft ha publicado las guías para desarrolladores Dynamic-Link Library Security y Another technique for Fixing DLL Preloading attacks)
.

En resumen y para concluir, hablamos de una vulnerabilidad crítica debido a que:
  • afecta a un gran y todavía desconocido número de aplicaciones
  • su explotación es relativamente fácil o muy fácil y podría comprometer el sistema afectado (más aún si la aplicación vulnerable se ejecuta con un usuario con permisos administrativos)
  • cada aplicación debe ser parcheada individualmente por cada fabricante
Por último os dejo también un buen número de referencias por si queréis investigar más, y la lista sigue y sigue aumentando...

  1. http://seclists.org/bugtraq/2010/Aug/210
  2. http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt
  3. http://support.apple.com/kb/HT4105
  4. http://www.apple.com/itunes/
  5. http://www.apple.com/itunes/download
  6. http://secunia.com/advisories/39135
  7. http://www.microsoft.com/technet/security/advisory/2269637.mspx
  8. http://securitytracker.com/id?1024355
  9. http://www.exploit-db.com/exploits/14721
  10. http://www.exploit-db.com/exploits/14723
  11. http://www.exploit-db.com/exploits/14726
  12. http://xforce.iss.net/xforce/xfdb/61321
  13. http://osvdb.org/67329
  14. http://xforce.iss.net/xforce/xfdb/61223
  15. http://www.securityfocus.com/bid/42541
  16. http://www.theregister.co.uk/2010/08/20/windows_code_execution_vuln/
  17. http://www.exploit-db.com/exploits/14731
  18. http://www.exploit-db.com/exploits/14730
  19. http://www.exploit-db.com/exploits/14728
  20. http://secunia.com/advisories/41098
  21. http://www.vupen.com/english/advisories/2010/2173
  22. http://www.exploit-db.com/exploits/14755
  23. http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-22696...
  24. http://secunia.com/advisories/41124
  25. http://www.exploit-db.com/exploits/14764
  26. http://secunia.com/advisories/41094
  27. http://secunia.com/advisories/41119
  28. http://www.exploit-db.com/exploits/14753
  29. http://www.exploit-db.com/exploits/14752
  30. http://www.exploit-db.com/exploits/14749
  31. http://www.exploit-db.com/exploits/14740
  32. http://www.exploit-db.com/exploits/14735
  33. http://secunia.com/advisories/41110
  34. http://www.vupen.com/english/advisories/2010/2171
  35. http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.ht...
  36. http://secunia.com/advisories/41060
  37. http://www.vupen.com/english/advisories/2010/2170
  38. http://www.exploit-db.com/exploits/14741
  39. http://www.exploit-db.com/exploits/14743
  40. http://secunia.com/advisories/41109
  41. http://www.vupen.com/english/advisories/2010/2175
  42. http://www.exploit-db.com/exploits/14739
  43. http://secunia.com/advisories/41107
  44. http://www.exploit-db.com/exploits/14750
  45. http://www.vupen.com/english/advisories/2010/2172
  46. http://secunia.com/advisories/41112
  47. http://www.exploit-db.com/exploits/14734
  48. http://www.vupen.com/english/advisories/2010/2174
  49. http://www.exploit-db.com/exploits/14747
  50. http://www.exploit-db.com/exploits/14756
  51. http://secunia.com/advisories/41083
  52. http://www.exploit-db.com/exploits/14732
  53. http://www.vupen.com/english/advisories/2010/2167
  54. http://secunia.com/advisories/41064
  55. http://www.vupen.com/english/advisories/2010/2165
  56. http://www.exploit-db.com/exploits/14748
  57. http://secunia.com/advisories/41051
  58. http://www.vupen.com/english/advisories/2010/2164
  59. http://www.exploit-db.com/exploits/14744
  60. http://www.exploit-db.com/exploits/14746
  61. http://secunia.com/advisories/41104
  62. http://www.kb.cert.org/vuls/id/707943
  63. http://packetstormsecurity.org/1008-exploits/bloodshed-hijack.txt
  64. http://packetstormsecurity.org/1008-exploits/wscript-dllhijack.txt
  65. http://www.exploit-db.com/exploits/14794
  66. http://packetstormsecurity.org/1008-exploits/putty-dllhijack.txt
  67. http://www.exploit-db.com/exploits/14796
  68. http://packetstormsecurity.org/1008-exploits/teammate-dllhijack.tgz
  69. http://secunia.com/advisories/41103
  70. http://packetstormsecurity.org/1008-exploits/safari501-dllhijack.txt
  71. http://packetstormsecurity.org/1008-exploits/opera_dll_hijacking.c
  72. http://packetstormsecurity.org/1008-exploits/skype.c
  73. http://www.exploit-db.com/exploits/14766
  74. http://www.vupen.com/english/advisories/2010/2197
  75. http://packetstormsecurity.org/1008-exploits/ettercap-dllhijack.txt
  76. http://www.exploit-db.com/exploits/14762
  77. http://www.vupen.com/english/advisories/2010/2189
  78. http://packetstormsecurity.org/1008-exploits/snagit-dllhijack.tgz
  79. http://secunia.com/advisories/41168
  80. http://secunia.com/advisories/41151
  81. http://www.exploit-db.com/exploits/14783
  82. http://www.vupen.com/english/advisories/2010/2201
  83. http://packetstormsecurity.org/1008-exploits/thunderbird-dllhijack.txt
  84. http://secunia.com/advisories/41131
  85. http://packetstormsecurity.org/1008-exploits/adobe_indesign_cs4.c
  86. http://www.exploit-db.com/exploits/14775
  87. http://secunia.com/advisories/41126
  88. http://packetstormsecurity.org/1008-exploits/adobe_illustrator_cs4.c
  89. http://www.exploit-db.com/exploits/14773
  90. http://secunia.com/advisories/41134
  91. http://www.vupen.com/english/advisories/2010/2198
  92. http://packetstormsecurity.org/1008-exploits/adobe_on_location.c
  93. http://www.exploit-db.com/exploits/14772
  94. http://packetstormsecurity.org/1008-exploits/adobe_premier_pro_cs4.c
  95. http://www.exploit-db.com/exploits/14771
  96. http://secunia.com/advisories/41118
  97. http://www.vupen.com/english/advisories/2010/2196
  98. http://packetstormsecurity.org/1008-exploits/adobe_device_central_cs5....
  99. http://packetstormsecurity.org/1008-exploits/adobedc_dll.txt
  100. http://www.exploit-db.com/exploits/14784
  101. http://packetstormsecurity.org/1008-exploits/adobeem_dll.txt
  102. http://www.exploit-db.com/exploits/14785
  103. http://packetstormsecurity.org/1008-exploits/adobeest_dll.txt
  104. http://packetstormsecurity.org/1008-exploits/Adobe-rdr9-dll-hijack.cpp
  105. http://secunia.com/advisories/41114
  106. http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4956.php
  107. http://secunia.com/advisories/41136
  108. http://www.vupen.com/english/advisories/2010/2200
  109. http://packetstormsecurity.org/1008-exploits/msgc-dllhijack.tgz
  110. http://www.exploit-db.com/exploits/14758
  111. http://www.exploit-db.com/exploits/14770
  112. http://packetstormsecurity.org/1008-exploits/mswpg-dllhijack.txt
  113. http://secunia.com/advisories/41122
  114. http://packetstormsecurity.org/1008-exploits/windowsics-dllhijack.txt
  115. http://www.exploit-db.com/exploits/14778
  116. http://packetstormsecurity.org/1008-exploits/mswc-dllhijack.txt
  117. http://www.vupen.com/english/advisories/2010/2188
  118. http://packetstormsecurity.org/1008-exploits/msog-dllhijack.tgz
  119. http://www.exploit-db.com/exploits/14782
  120. http://packetstormsecurity.org/1008-exploits/msopp-dllhijack.txt
  121. http://packetstormsecurity.org/1008-exploits/mspowerp_dll.txt
  122. http://packetstormsecurity.org/1008-exploits/msvisio-dllhijack.tgz
  123. http://www.vupen.com/english/advisories/2010/2192
  124. http://packetstormsecurity.org/1008-exploits/bitlocker-dllhijack.tgz
  125. http://packetstormsecurity.org/1008-exploits/msab-dllhijack.tgz
  126. http://www.exploit-db.com/exploits/14768
  127. http://secunia.com/advisories/41137
  128. http://packetstormsecurity.org/1008-exploits/roxiomydvd-dllhijack.txt
  129. http://www.exploit-db.com/exploits/14781
  130. http://packetstormsecurity.org/1008-exploits/roxiops-dllhijack.tgz
  131. http://www.vupen.com/english/advisories/2010/2193
  132. http://packetstormsecurity.org/1008-exploits/roxiocreator-dllhijack.tx...
  133. http://packetstormsecurity.org/1008-exploits/coreldrw_dll.txt
  134. http://www.exploit-db.com/exploits/14786
  135. http://packetstormsecurity.org/1008-exploits/corelpp_dll.txt
  136. http://www.exploit-db.com/exploits/14787
  137. http://www.vupen.com/english/advisories/2010/2194
  138. http://secunia.com/advisories/41092
  139. http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
  140. http://www.vupen.com/english/advisories/2010/2199
  141. http://www.vupen.com/english/advisories/2010/2190
  142. http://packetstormsecurity.org/1008-exploits/mediaplayerclassic-dllhij...
  143. http://packetstormsecurity.org/1008-exploits/mplayerc_dll.txt
  144. http://packetstormsecurity.org/1008-exploits/nvidia-dllhijack.txt
  145. http://packetstormsecurity.org/1008-exploits/demontoollite-dllhijack.t...
  146. http://packetstormsecurity.org/1008-exploits/googlee_dll.txt
  147. http://www.exploit-db.com/exploits/14765
  148. http://www.exploit-db.com/exploits/14788
  149. http://www.exploit-db.com/exploits/14769
  150. http://www.exploit-db.com/exploits/14791
  151. http://www.exploit-db.com/exploits/14790
  152. http://secunia.com/advisories/41093
  153. http://www.vupen.com/english/advisories/2010/2195
  154. http://packetstormsecurity.org/1008-exploits/winamp_dll.txt
  155. http://www.exploit-db.com/exploits/14789
  156. http://osvdb.org/67530
  157. http://osvdb.org/67531
  158. http://osvdb.org/67532
  159. http://osvdb.org/67533
  160. http://osvdb.org/67534
  161. http://osvdb.org/67535
  162. http://www.vupen.com/english/advisories/2010/2213
  163. http://www.vupen.com/english/advisories/2010/2212
  164. http://www.vupen.com/english/advisories/2010/2211
  165. http://www.vupen.com/english/advisories/2010/2210
  166. http://www.vupen.com/english/advisories/2010/2209
  167. http://www.vupen.com/english/advisories/2010/2208
  168. http://osvdb.org/67494
  169. http://osvdb.org/67499
  170. http://osvdb.org/67482
  171. http://osvdb.org/67492
  172. http://osvdb.org/67481
  173. http://osvdb.org/67497
  174. http://osvdb.org/67496
  175. http://osvdb.org/67484
  176. http://osvdb.org/67480
  177. http://osvdb.org/67479
  178. http://osvdb.org/67478
  179. http://packetstormsecurity.org/1008-exploits/intervideo-dllhijack.txt
  180. http://packetstormsecurity.org/1008-exploits/vlcmp-dllhijack.txt
  181. http://packetstormsecurity.org/1008-exploits/acunetix-dllhijack.txt
  182. http://packetstormsecurity.org/1008-exploits/utorrent-dllhijack.tgz
  183. http://packetstormsecurity.org/1008-exploits/utorrent-dllhijack.txt
  184. http://packetstormsecurity.org/1008-exploits/wireshark-dllhijack.txt
  185. http://packetstormsecurity.org/1008-exploits/mspp-dllhijack.txt
  186. http://packetstormsecurity.org/1008-exploits/windowsliveemail-dllhijac...
  187. http://packetstormsecurity.org/1008-exploits/firefox368-dllhijack.txt
  188. http://packetstormsecurity.org/1008-exploits/mswinmm-dllhijack.txt
  189. http://packetstormsecurity.org/1008-exploits/msicsw-dllhijack.txt
  190. http://packetstormsecurity.org/1008-exploits/opera-dllhijack.txt
  191. http://packetstormsecurity.org/1008-exploits/ms7wab-dllhijack.txt
  192. http://packetstormsecurity.org/1008-exploits/teamviewer-dllhijack.txt
  193. http://packetstormsecurity.org/1008-exploits/adobedwcs4-dllhijack.txt
  194. http://packetstormsecurity.org/1008-exploits/adobedwcs5-dllhijack.txt
  195. http://packetstormsecurity.org/1008-exploits/adobepscs2-dllhijack.txt
  196. http://packetstormsecurity.org/1008-exploits/bsplayer-dllhijack.txt
  197. http://packetstormsecurity.org/1008-exploits/avastlf-dllhijack.txt
  198. http://secunia.com/advisories/41174
  199. http://secunia.com/advisories/41142
  200. http://secunia.com/advisories/41156
  201. http://secunia.com/advisories/41146
  202. http://osvdb.org/67501
  203. http://extraexploit.blogspot.com/2010/08/dll-hijacking-my-test-cases-o...
  204. http://osvdb.org/67502
  205. http://osvdb.org/67500
  206. http://osvdb.org/67498
  207. http://osvdb.org/67495
  208. http://osvdb.org/67493
  209. http://osvdb.org/67503
  210. http://packetstormsecurity.org/1008-exploits/powerpoint2007-DLL.c
  211. http://packetstormsecurity.org/1008-exploits/msvisio_dll.txt
  212. http://osvdb.org/67504
  213. http://www.exploit-db.com/exploits/14816
  214. http://packetstormsecurity.org/1008-exploits/quicktime_pictureviwer_dl...
  215. http://packetstormsecurity.org/1008-exploits/Nero_dllhijack_exploit.ra...
  216. http://packetstormsecurity.org/1008-exploits/Microstation_dllhijact_ex...
  217. http://packetstormsecurity.org/1008-exploits/wlm-dll-hijack.cpp
  218. http://packetstormsecurity.org/1008-exploits/wlmmsgsres-dll-hijack.cpp

Comentarios