Proactive IT security

DLL HiJacking… And now what?!?

A lot has already been written about it, so I will keep the description of what it involves short.
Basically, whenever an application wants to load a DLL, it can do so with an absolute path (a full pathname such as “c:\windows\system32\dllname.dll”) or a relative one (“dllname.dll”). In the latter case, Windows searches a predefined set of directories, in order, to locate and load the requested DLL.

Taken from David LeBlanc’s blog, the sequence is:

  • The directory from which the application loaded.
  • The current directory.
  • The system(32) directory. Use the GetSystemDirectory function to get the path of this directory.
  • The 16-bit system directory. There is no function that retrieves the path of this directory, but it is searched.
  • The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  • The directories that are listed in the PATH environment variable.

Because the current directory is searched before the system directories, when it is set to a directory controlled by malware, a DLL of the requested name placed there will be loaded from that directory rather than from the (normal) \windows\system32 directory.

Basically it boils down to bad programming, but that will not help anyone right now. A lot of source code will have to be re-evaluated to see whether the applications compiled from it are vulnerable to this attack.

The Exploit Database is keeping track of all exploits that are found for popular applications. Please check whether your favourite applications are among them here...

The best advice we can give you right now is not to allow DLLs to be loaded from shared devices or through WebDAV. If this is too cumbersome or will not work in your environment, another possibility is to follow Microsoft’s quick fix, which alters the registry to prevent DLLs from being loaded from the working directory or through WebDAV. However, you may want to check the discussion on SANS beforehand, as there is a growing list of applications that no longer seem to work after the registry change.
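To make the search order concrete, here is an added example (not part of the original post) that walks a relative DLL name through the sequence listed above and flags any load that is satisfied by a directory outside the application and Windows directories. The directory layout and file names are constructed, and the skip_cwd switch only emulates the effect of the registry fix that removes the working directory from the search; it does not apply that fix.

```python
from pathlib import PureWindowsPath

# Search sequence exactly as the post lists it (David LeBlanc's order).
SEARCH_ORDER = ["app_dir", "cwd", "system32", "system16", "windows", "path"]


def resolve_dll(dll_name, dirs, present, skip_cwd=False):
    """Directory a DLL name would be loaded from, or None if no directory holds it.
    dirs: search-order slot -> list of directories it stands for (PATH may be several).
    present: directory (lower-cased) -> set of lower-cased file names found in it.
    skip_cwd: emulate the registry fix that drops the working directory from the search.
    """
    p = PureWindowsPath(dll_name)
    if p.is_absolute():  # a full pathname is not searched at all
        return str(p.parent)
    name = p.name.lower()
    for slot in SEARCH_ORDER:
        if slot == "cwd" and skip_cwd:
            continue
        for d in dirs.get(slot, []):
            if name in present.get(d.lower(), set()):
                return d  # first hit in search order wins
    return None


def untrusted_loads(dll_names, dirs, present, trusted, skip_cwd=False):
    """Relative DLL names that resolve outside the trusted directories (or nowhere)."""
    trusted_lc = {t.lower() for t in trusted}
    findings = {}
    for n in dll_names:
        where = resolve_dll(n, dirs, present, skip_cwd)
        if where is None or where.lower() not in trusted_lc:
            findings[n] = where
    return findings


# Constructed sample: the application runs with its working directory on a remote
# share that holds a file carrying the same name as a DLL in system32.
DIRS = {
    "app_dir": [r"C:\Program Files\Viewer"], "cwd": [r"\\fileserver\docs"],
    "system32": [r"C:\Windows\System32"], "system16": [r"C:\Windows\System"],
    "windows": [r"C:\Windows"], "path": [r"C:\Tools"],
}
PRESENT = {
    r"c:\program files\viewer": {"viewer.exe"},
    r"\\fileserver\docs": {"dllname.dll", "report.doc"},
    r"c:\windows\system32": {"dllname.dll", "other.dll"},
}
TRUSTED = DIRS["app_dir"] + DIRS["system32"] + DIRS["system16"] + DIRS["windows"]
```

Running untrusted_loads(["dllname.dll", "other.dll"], DIRS, PRESENT, TRUSTED) reports that dllname.dll would come from the share, while the same call with skip_cwd=True reports nothing because the name then resolves to system32.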
