Microsoft offers advisory and mitigation for binary planting flaw
by Steve Ragan - Aug 24 2010, 16:30
Microsoft released an advisory on Monday, offering enterprise customers guidance on a security problem that has existed for nearly 10 years.
Called binary planting, the DLL (Dynamic Link Library) hijacking vulnerability exposes a system to attack simply because one of the hundreds of vulnerable Windows applications is installed on it.
While the DLL hijacking story has gained traction over the last week, the issue was first disclosed nearly 10 years ago, in September 2000, by researcher Georgi Guninski. While the flaw is old, how it works has remained the same for the most part.
The non-technical explanation given then by Guninski still rings true to this day:
“The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable called with the same current working directory, the trojaned DLL may be loaded and executed,” Guninski said in his September 2000 disclosure.
Fast forward to today and the “biggest difference is that the new issues mostly apply to applications where the hijacked DLL does not exist in the system directory (application-specific libraries),” explained HD Moore, Rapid7’s CSO and chief architect of the Metasploit project.
When Moore went public, he commented that roughly 40 Windows applications were vulnerable to DLL hijacking. Around the same time, application security consultancy ACROS Security published a disclosure that claimed the number was much higher, as it had discovered 200 applications vulnerable to this type of attack.
ACROS started looking into DLL hijacking in 2008, and when it tested 220 different applications it expected minor findings, not a vulnerability rate of roughly 90 percent.
“And when I say 'vulnerable', I mean vulnerable to remote execution in a real-world scenario, without having any privileges on the user's computer,” ACROS CEO Mitja Kolsek commented in a company blog post.
ACROS isn't the only one to have discovered the issue: Aviv Raff reported it to Microsoft back in 2006, only to see it patched in 2009. Earlier this year, Taeho Kwon, a Ph.D. candidate at the University of California, published a paper explaining that a large number of Windows applications were vulnerable because of how they load DLL files.
According to the paper, Office 2007 is vulnerable, as are Internet Explorer 8, Opera, Firefox, Adobe Reader, Foxit, QuickTime (which was recently patched against this flaw by Apple), and dozens of other applications.
Microsoft can’t simply change the DLL search order in a patch, because countless applications depend on the current behaviour and would stop working.
So it is no surprise to see Microsoft release an advisory and offer mitigations rather than an official patch. What you get is an update from KB 2264107 that introduces a new registry value, CWDIllegalInDllSearch, which lets administrators control whether, and from which kinds of locations, the current working directory is consulted when the DLL search path is walked.
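To make the mechanism and the mitigation concrete, the following Python model reproduces the search order Guninski and Moore describe above and the effect of each CWDIllegalInDllSearch value. It is an added example written for this article, not code from Microsoft, Rapid7 or ACROS. The application viewer.exe, its optional plugin.dll, the share \\attacker\share and all directory contents are constructed; the policy values are the ones documented in KB 2264107.

```python
"""
Model of the Windows DLL search order that binary planting abuses, and of the
CWDIllegalInDllSearch mitigation from KB 2264107.

Added example for this article; not code from Microsoft, Rapid7 or ACROS. The
directories, file names and the application "viewer.exe" with its optional
"plugin.dll" are constructed for illustration.

Search order modelled (SafeDllSearchMode on, the default since Windows XP SP2;
the 16-bit system directory is omitted):
  1. the directory the application was loaded from
  2. the system directory (System32)
  3. the Windows directory
  4. the current working directory (CWD)
  5. the directories on PATH
CWDIllegalInDllSearch controls step 4:
  0 or absent -> CWD searched as before
  1           -> CWD skipped when it is a WebDAV location
  2           -> CWD skipped when it is any remote location (WebDAV or UNC share)
  0xFFFFFFFF  -> CWD never searched
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cwd:
    path: str
    remote: bool = False    # UNC share or WebDAV: a location an attacker can populate
    webdav: bool = False


def cwd_is_searched(policy: int, cwd: Cwd) -> bool:
    """Apply the CWDIllegalInDllSearch value to the current working directory."""
    if policy == 0xFFFFFFFF:
        return False
    if policy == 2:
        return not cwd.remote
    if policy == 1:
        return not cwd.webdav
    return True


def _lower(names: Iterable[str]) -> Set[str]:
    return {n.lower() for n in names}


def resolve_dll(name: str, app_dir: str, system_dirs: List[str], cwd: Cwd,
                path_dirs: List[str], fs: Dict[str, Set[str]],
                policy: int = 0) -> Optional[str]:
    """Return the directory a LoadLibrary(name) call would load from, or None.

    fs maps a directory to the set of files it contains (constructed input).
    A name that already carries a path is not searched at all, which is why a
    fully qualified path is the developer-side fix.
    """
    if "\\" in name:
        d, _, base = name.rpartition("\\")
        return d if base.lower() in _lower(fs.get(d, ())) else None
    order = [app_dir] + system_dirs
    if cwd_is_searched(policy, cwd):
        order.append(cwd.path)
    order += path_dirs
    for d in order:
        if name.lower() in _lower(fs.get(d, ())):
            return d
    return None


# Constructed layout: the victim double-clicks report.doc on an attacker-controlled
# share, so Explorer starts viewer.exe with that share as its CWD.
APP_DIR = r"C:\Program Files\Viewer"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
PATH_DIRS = [r"C:\Tools"]
SHARE = r"\\attacker\share"
LOCAL_DIR = r"C:\Users\victim\Documents"
FS = {
    APP_DIR: {"viewer.exe"},                        # plugin.dll is NOT shipped here
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    r"C:\Windows": set(),
    r"C:\Tools": set(),
    SHARE: {"report.doc", "plugin.dll", "kernel32.dll"},   # planted binaries
    LOCAL_DIR: {"notes.txt", "plugin.dll"},                 # a local, non-remote CWD
}
REMOTE_CWD = Cwd(SHARE, remote=True)
LOCAL_CWD = Cwd(LOCAL_DIR)


def scenario(policy: int = 0, cwd: Cwd = REMOTE_CWD) -> Dict[str, Optional[str]]:
    """Where three loads end up under a given CWDIllegalInDllSearch value."""
    def load(n: str) -> Optional[str]:
        return resolve_dll(n, APP_DIR, SYSTEM_DIRS, cwd, PATH_DIRS, FS, policy)
    return {
        "kernel32.dll": load("kernel32.dll"),               # system DLL: System32 wins
        "plugin.dll": load("plugin.dll"),                   # app-specific: falls to CWD
        "plugin.dll (qualified)": load(APP_DIR + r"\plugin.dll"),  # no search at all
    }


if __name__ == "__main__":
    for p in (0, 1, 2, 0xFFFFFFFF):
        print(hex(p), scenario(p))
```

The planted kernel32.dll never wins because System32 precedes the CWD in the safe search order, which is Moore's point: the libraries that get hijacked are the application-specific ones that exist nowhere on the system, so the search falls through to the CWD. Value 1 still resolves plugin.dll from the UNC share, since it only excludes WebDAV locations; value 2 excludes any remote CWD while a local CWD is still searched; 0xFFFFFFFF removes the CWD outright and is the strictest setting, at the cost of breaking applications that legitimately load from it. On a real system the value is a DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager for a machine-wide setting, or under the application's Image File Execution Options key for a per-application one.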
In addition to the KB article, Microsoft published Security Advisory 2269637, which explains other workarounds, including disabling DLL loading from WebDAV and remote network shares, stopping the WebClient service, and blocking outbound traffic on TCP ports 139 and 445 at the perimeter firewall. In the meantime, Microsoft has said it will continue to work with researchers and the industry “to identify and address vulnerable applications.”
For his part, Moore has released an audit kit through Metasploit that helps identify vulnerable applications. Additional information on the flaw from HD Moore can be found on the Rapid7 blog.