[win32] DLL exploit. Hoe loadlibrary dan te gebruiken?

Na veel verwarring onder IT-professionals over hoe een eerste workaround van Microsoft werkte, heeft de Windows-maker een zogenaamde ‘fix it’-tool uitgegeven. Die werk alleen in combinatie met de eerdere workaround. De ‘fix it’-tool zorgt ervoor dat er geen DLL’s geladen kunnen worden van WebDAV of SMB shares. Dat zijn namelijk de meest waarschijnlijke richtingen waar aanvallen vandaan komen.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, its game over for the user.

If the string specifies a full path, the function searches only that path for the module.

If the string specifies a relative path or a module name without a path, the function uses a standard search strategy to find the module; for more information, see the Remarks.
.....
Do not use the SearchPath function to retrieve a path to a DLL for a subsequent LoadLibrary call. The SearchPath function uses a different search order than LoadLibrary and it does not use safe process search mode unless this is explicitly enabled by calling SetSearchPathMode with BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE. Therefore, SearchPath is likely to first search the user’s current working directory for the specified DLL. If an attacker has copied a malicious version of a DLL into the current working directory, the path retrieved by SearchPath will point to the malicious DLL, which LoadLibrary will then load.

Do not make assumptions about the operating system version based on a LoadLibrary call that searches for a DLL. If the application is running in an environment where the DLL is legitimately not present but a malicious version of the DLL is in the search path, the malicious version of the DLL may be loaded. Instead, use the recommended techniques described in Getting the System Version.

Anoniem: 50683 schreef op donderdag 02 september 2010 @ 14:21:
[...]
Zover ik weet wel, je kan zeggen:
+ LoadLibrary('algemenedll.d') => Windows gaat voor je zoeken.
+ LoadLibrary('c:\windows\system32\algemenedll.d') => window zoekt niet voor je.

quote: http://msdn.microsoft.com.../ms684175%28VS.85%29.aspx

The search path can be altered using the SetDllDirectory function. This solution is recommended instead of using SetCurrentDirectory or hard-coding the full path to the DLL.

[ Voor 6% gewijzigd door leuk_he op 02-09-2010 14:43 ]

MSalters schreef op donderdag 02 september 2010 @ 16:42:
simpel: LoadLibrary kijkt eerst in de directory waar je EXE staat. Het grootste deel van de applicaties laadt z'n DLLs uit die directory, en loopt daardoor geen risico.

Als iTunes dus z'n DLLs daar had neergezet, dan had LoadLibrary nooit naar de Current Working Directory gekeken. Ik vermoed echter dat iTunes ook op Windows de PATH variable gebruikt