
Dynamic-Link Library Hijacking

Max RIVAL
www.siteofmax.com
rival@riseup.net
Abstract
The aim of this paper is to briefly discuss DLL Hijacking vulnerabilities and the techniques used to mitigate and fix them. This paper is aimed towards people with a basic understanding of Dynamic-Link Libraries and how they are used in applications; however, it also provides certain points of information for those who do not have that background.
1. Introduction
Windows is statistically the most used desktop operating system, accounting for the large majority of users. However, this does not mean that Windows is completely secure. DLL Hijacking, also known as DLL Preloading, was brought to wide attention by H.D. Moore in August 2010, although the underlying search-order weakness had been known for years before that. Although DLL hijacking is considered a big topic, there aren't a lot of resources that detail both the effects and the methods of defense for both users and developers. DLL hijacking vulnerabilities affect a lot of business applications and so can be of significant importance to security researchers and penetration testers. These vulnerabilities have also been found in Microsoft's own applications, such as Windows Movie Maker and Windows Address Book [1]. In order to understand DLL hijacking, you must understand how Windows applications find their DLL files when they are not given a full path.
2. Windows DLL
Dynamic-Link Libraries are collections of data and executable code that are used by other applications and by other DLL files. The main reasons for using DLL files instead of just putting the functions and data into the executable itself are, first, to make it easier to update the software (instead of requiring any user wishing to update to re-download the entire executable, you only need to re-download one or two small files; you can imagine how useful this is for designers of games that may need to be updated frequently) and, second, to reduce excess memory usage by allowing the DLL file's code to be shared between applications.
3. Windows DLL Search Order
Programmers often don't specify an absolute path to the DLL file they want to use. On its own this would cause the problem of the DLL not being found, so Microsoft defined the Dynamic-Link Library Search Order, which the loader applies both when the application is loaded (for the DLLs it imports implicitly) and whenever the application calls LoadLibrary at run time without a full path. The first matching file found is the file that is used. Before any directory is searched, the loader checks whether a module of that name is already loaded into the process and whether the name is on the KnownDLLs list; in either case the copy already in memory or the copy in the system directory is used and the search below never happens. Otherwise the search order is as follows:
1. Directory of the Application
2. Current Directory
3. System Directory
4. 16-bit System Directory
5. Windows Directory
6. Directories in the PATH variable
Above: the Windows DLL search order with SafeDllSearchMode disabled. Depending on settings or your OS version the list changes slightly: a directory passed to SetDllDirectory (its lpPathName argument) replaces the Current Directory entry, and LoadLibraryEx with LOAD_WITH_ALTERED_SEARCH_PATH replaces the Directory of the Application with the directory of the DLL being loaded. If SafeDllSearchMode is enabled, which it is by default since Windows XP SP2, the search order differs so that 'Current Directory' comes fifth, after the Windows directory and before the PATH directories.
4. Principles of DLL Hijacking
Now that we understand how Windows goes about searching for the DLL file itself, we can understand DLL hijacking. For example, let's say the application requires functions.dll, a file that has not been specified with an absolute path but is located within the System Directory. An attacker could place their own DLL file in a location that is searched BEFORE the system directory (such as the directory of the application). When a user opens the application, during the DLL search process the loader will discover the attacker's file before it comes across the DLL in the System Directory and will load it instead, meaning any code of the attacker's choosing is executed inside the application's process, with the application's privileges. Two caveats follow directly from the search order: DLLs on the KnownDLLs list are never searched for and so cannot be hijacked this way, and with SafeDllSearchMode enabled the current directory is searched only after the system directories, so a DLL that really does exist in System32 can be hijacked only from the application's own directory. The case that matters most in practice is a DLL the application asks for that is not present in any system directory at all, because then the search falls through to the current directory and to every directory on PATH.
5. Finding DLL Hijacking Vulnerabilities
Finding the vulnerability in a program is the first step in exploiting it. A good way to do this is to use Process Monitor to see where the program looks when it searches for a DLL file. With Process Monitor capturing, you can try to trigger a feature that pulls in another DLL, or wait until one is triggered. After this has been done, all that's required is to go to the Filter menu and add your filters. Below are the filters you should consider using to make your search a lot shorter:
Operation is QueryOpen then Include
Process Name is vuln.exe then Include
Path contains .dll then Include
Depending on the Process Monitor version, the loader's probes may be recorded as CreateFile rather than QueryOpen, so include both operations if the filtered view looks empty. If you find something that looks similar to this:
Path                              Result
C:\Windows\System32\vuln.dll      NAME NOT FOUND
C:\Windows\System\vuln.dll        NAME NOT FOUND
C:\Windows\vuln.dll               NAME NOT FOUND
then you have most likely found a DLL hijacking candidate: the program wants vuln.dll, no system copy exists, and the loader will go on to probe the current directory and every PATH directory. Confirm it by checking which of the probed directories a standard user can write to (the current directory, the application directory or any directory on PATH) and by actually placing a test DLL there.
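The triage that sections 3 to 5 describe (walk the search order, capture the probes, spot names that never resolve or resolve only after a writable directory was probed) as a script. This PowerShell is an added example and is not the paper's own; the CSV rows are constructed to look like a Process Monitor export of vuln.exe running with SafeDllSearchMode enabled, and the writable-directory list is a heuristic to be replaced with real ACL checks (icacls or Get-Acl) on the target machine.

```powershell
# Added example, not from the paper. Triage a Process Monitor capture saved as
# CSV (File > Save..., Comma-Separated Values) with the default columns.
# $sampleCsv is constructed data standing in for a real export.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","vuln.exe","4120","CreateFile","C:\Program Files\Vuln\dwmapi.dll","NAME NOT FOUND",""
"10:01:02.0002","vuln.exe","4120","CreateFile","C:\Windows\System32\dwmapi.dll","SUCCESS",""
"10:01:02.0003","vuln.exe","4120","CreateFile","C:\Program Files\Vuln\vuln.dll","NAME NOT FOUND",""
"10:01:02.0004","vuln.exe","4120","CreateFile","C:\Windows\System32\vuln.dll","NAME NOT FOUND",""
"10:01:02.0005","vuln.exe","4120","CreateFile","C:\Windows\System\vuln.dll","NAME NOT FOUND",""
"10:01:02.0006","vuln.exe","4120","CreateFile","C:\Windows\vuln.dll","NAME NOT FOUND",""
"10:01:02.0007","vuln.exe","4120","CreateFile","C:\Users\alice\Downloads\vuln.dll","NAME NOT FOUND",""
"10:01:02.0008","vuln.exe","4120","CreateFile","C:\Tools\vuln.dll","NAME NOT FOUND",""
"10:01:02.0009","vuln.exe","4120","CreateFile","C:\Program Files\Vuln\plugin.dll","NAME NOT FOUND",""
"10:01:02.0010","vuln.exe","4120","CreateFile","C:\Windows\System32\plugin.dll","NAME NOT FOUND",""
"10:01:02.0011","vuln.exe","4120","CreateFile","C:\Windows\System\plugin.dll","NAME NOT FOUND",""
"10:01:02.0012","vuln.exe","4120","CreateFile","C:\Windows\plugin.dll","NAME NOT FOUND",""
"10:01:02.0013","vuln.exe","4120","CreateFile","C:\Users\alice\Downloads\plugin.dll","NAME NOT FOUND",""
"10:01:02.0014","vuln.exe","4120","CreateFile","C:\Tools\plugin.dll","SUCCESS",""
'@

function Test-UserWritableDir {
    param([string]$Dir)
    # Heuristic for offline triage: profile and temp locations are writable by a
    # standard user, Program Files and Windows are not. Verify on the real host.
    $roots = @('C:\Users\', 'C:\Temp\')
    foreach ($r in $roots) {
        if ($Dir.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-DllHijackCandidates {
    param([Parameter(Mandatory)][object[]]$Events)   # rows from Import-Csv / ConvertFrom-Csv
    $probes = $Events | Where-Object {
        ($_.Operation -eq 'CreateFile' -or $_.Operation -eq 'QueryOpen') -and
        $_.Path -match '\.dll$'
    }
    # One group per (process, DLL name). Rows keep capture order, which is the
    # order in which the loader walked the search path.
    $groups = $probes | Group-Object {
        $_.'Process Name' + '|' + [IO.Path]::GetFileName($_.Path).ToLowerInvariant()
    }
    foreach ($g in $groups) {
        $missesBeforeHit = @()
        $resolvedPath = $null
        foreach ($p in $g.Group) {
            if ($p.Result -eq 'SUCCESS') { $resolvedPath = $p.Path; break }
            $missesBeforeHit += $p      # any non-SUCCESS result is a miss
        }
        # Every miss that precedes the hit (or every miss, if nothing was ever
        # found) is a place where a planted DLL would win the search.
        foreach ($p in $missesBeforeHit) {
            $dir = Split-Path -Parent $p.Path
            if (Test-UserWritableDir $dir) {
                [pscustomobject]@{
                    Process       = $p.'Process Name'
                    Dll           = [IO.Path]::GetFileName($p.Path)
                    WritableProbe = $p.Path
                    ResolvedFrom  = if ($resolvedPath) { $resolvedPath } else { '(never found)' }
                }
            }
        }
    }
}

Find-DllHijackCandidates -Events ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize
# For a real capture: Find-DllHijackCandidates -Events (Import-Csv .\Logfile.CSV)
```

On the constructed data this reports two candidates: vuln.dll, which is never found anywhere and was probed in the user's Downloads folder, and plugin.dll, which does resolve from the PATH directory C:\Tools but only after the same Downloads folder was probed. dwmapi.dll is not reported, because the only directory probed before it resolved from System32 was the application directory under Program Files.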
6. Finding function names from a DLL
In order to create a new DLL with malicious content, we must first know the function names that the program expects the DLL to export; otherwise GetProcAddress (or the implicit import) fails. On Windows this can be done with the DUMPBIN utility, which ships with Visual Studio, using the /EXPORTS option (dumpbin /exports example.dll). Below is an example of the output for an example DLL:
Dump of file C:\example.dll
File Type: DLL
  Section contains the following exports for example
    00000000 characteristics
    4FC31DEF time date stamp Mon Jun 05 18:32:49 2013
        0.00 version
           1 ordinal base
           3 number of functions
           3 number of names
    ordinal hint RVA      name
          1    0 00007BA0 output_data
          2    1 00007C40 show_integer
          3    2 00008940 add_integers
  Summary
        1000 .CRT
        1000 .bss
        1000 .data
        1000 .edata
        1000 .idata
        1000 .rdata
        1000 .reloc
        9000 .text
        1000 .tls
An alternative is to use a debugger or a strings tool: the names of referenced DLLs, and of the functions imported from them, are stored in the executable as plain text. The same information is available from dumpbin /imports vuln.exe, which is the only option in the most interesting case, where the DLL is missing from the system and there is nothing to run /EXPORTS against. Note also that the exports only need to exist for the load to succeed: if the program links to the DLL implicitly, a missing export stops the program from starting at all, whereas code placed in the DLL's DllMain runs as soon as the DLL is mapped, regardless of which exported functions are called afterwards.
7. Writing DLL exploits
Let's jump into the practical side of DLL hijacking. Let's say we have a program that reads a particular file format and uses the following segment of code to load a DLL (no path is given, so the search order applies):

    HMODULE DLL_FILE = LoadLibrary(TEXT("test.dll"));

The following code is used to look up and execute the output_text function:

    typedef void (*DLLPROC)(void);
    DLLPROC output_text = (DLLPROC) GetProcAddress(DLL_FILE, "output_text");
    if (output_text != NULL)
        output_text();

A segment of the DLL code is as follows:

    #include <iostream>

    extern "C" __declspec(dllexport) void output_text(void)
    {
        std::cout << "All is going well!\n";
    }

For this example we will assume the DLL file test.dll is located in the Windows directory. As we have not specified a full path, the search algorithm commences. The program finds the DLL in the Windows directory and executes the output_text function. The following is output:

    All is going well!

We can create a new DLL file that exports the same function name as follows:

    #include <iostream>

    extern "C" __declspec(dllexport) void output_text(void)
    {
        std::cout << "Something's not right here!\n";
    }

If we place our new file in the same directory as a file the program is intended to open, and the application is launched by opening that file, the program's current directory is that folder. On a system with SafeDllSearchMode disabled the loader searches it before the Windows directory and picks up our DLL. With SafeDllSearchMode enabled (the default since Windows XP SP2) the Windows directory is searched first, so this particular setup cannot be hijacked from the current directory; the attack then only works for a DLL that is not present in the system or Windows directories, which is the common real-world case. You can imagine how much of an impact this vulnerability can have. It's unlikely the victim will pay much attention to a DLL file that comes with the file they wanted, as they have no reason to fear it. When the application loads the wanted file, it will also load the attacker's DLL and execute the malicious function.
8. Attacking a victim remotely
A lot of people confuse DLL hijacking with DLL replacement, where the attacker would have to overwrite the program's original DLL file. With hijacking that is not necessary: all that's required is for the user to launch the program with a current directory (or an application directory, or a PATH entry) that contains the attacker's DLL. It's all well and good saying that the attacker's DLL needs to be on the victim's computer before it can be used against the target, but getting it there doesn't seem very simple. This is where social engineering can come in handy. Below are two examples of how an attacker could use DLL hijacking on a target:
1. An attacker finds a vulnerability in a text file viewer. The attacker creates an archive file containing both a text file and a malicious DLL. A victim downloads the archive and opens the text file directly from the archive itself. The archive program extracts both files to a temporary location and opens the text file with the default text file reader (in this case, the vulnerable program). The program searches for the DLL and checks the directory the file was opened from (in this case, the temporary location the archive program extracted the files to). It finds the attacker's DLL and uses the functions from that. The malicious code is executed.
2. An attacker finds a vulnerability in an email viewer used by the company they work for. They upload the malicious DLL, a few random files and an email file to a shared folder used by the people within the company. A victim opens the email file from the share and the email reader picks up the malicious DLL from the share instead of the intended one (for this to succeed on a system with SafeDllSearchMode enabled, the intended DLL must not exist in the system or Windows directories). The malicious code is executed. This network-share variant, where the current directory is a UNC or WebDAV location, is exactly the remote attack vector described in [2].
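The plant-and-launch step from sections 7 and 8, as a repeatable check. This PowerShell is an added example and is not part of the paper; it assumes you have built a harmless DLL of your own that exports what the target looks for (the output_text DLL from section 7 will do for the example program there), and the executable, document and DLL paths are placeholders.

```powershell
# Added example, not from the paper. Stages a lure document and a benign DLL in
# a fresh folder, starts the viewer the way Explorer does when the document is
# double-clicked (current directory = the document's folder), then asks the
# process which copy of the DLL it actually mapped. Only the loader's answer
# counts; a NAME NOT FOUND line in Process Monitor is a lead, not proof.

function Test-DllHijack {
    param(
        [Parameter(Mandatory)][string]$Executable,   # e.g. 'C:\Program Files\Vuln\vuln.exe' (placeholder)
        [Parameter(Mandatory)][string]$Document,     # lure file the viewer opens
        [Parameter(Mandatory)][string]$PlantedDll,   # your benign DLL, e.g. .\test.dll
        [string]$DllName = (Split-Path -Leaf $PlantedDll),  # name the target asks for
        [int]$WaitSeconds = 5
    )
    $stage   = Join-Path ([IO.Path]::GetTempPath()) ('hijack-' + [guid]::NewGuid().ToString('N'))
    $lure    = Join-Path $stage (Split-Path -Leaf $Document)
    $planted = Join-Path $stage $DllName
    New-Item -ItemType Directory -Path $stage | Out-Null
    Copy-Item -Path $Document   -Destination $lure
    Copy-Item -Path $PlantedDll -Destination $planted

    # Launch with the staging folder as the current directory, as the shell
    # does for a file-association launch.
    $proc = Start-Process -FilePath $Executable -ArgumentList "`"$lure`"" `
                          -WorkingDirectory $stage -PassThru
    Start-Sleep -Seconds $WaitSeconds

    # Which file did the loader map under that name? Use a PowerShell of the
    # same bitness as the target, or module enumeration may be refused.
    $loadedFrom = $null
    try {
        $loadedFrom = (Get-Process -Id $proc.Id -ErrorAction Stop).Modules |
            Where-Object { $_.ModuleName -ieq $DllName } |
            Select-Object -First 1 -ExpandProperty FileName
    } catch {
        # Process already exited (e.g. an implicit import it needed was not
        # exported by the planted DLL) or its modules are not readable.
    }

    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $stage -Recurse -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Executable = $Executable
        DllName    = $DllName
        Planted    = $planted
        LoadedFrom = $loadedFrom
        Hijacked   = ($null -ne $loadedFrom) -and ($loadedFrom -ieq $planted)
    }
}

# Usage (all three paths are placeholders):
# Test-DllHijack -Executable 'C:\Program Files\Vuln\vuln.exe' -Document .\lure.txt -PlantedDll .\test.dll
```

A result with Hijacked = True and LoadedFrom pointing into the staging folder is the evidence worth putting in a report; LoadedFrom pointing into System32 or the application directory means the search order resolved the name before reaching the current directory, and a $null LoadedFrom means the process never loaded that name in the wait window or could not be inspected.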
9. Defending against DLL Hijacking
The most important part of explaining a vulnerability is explaining how to defend against it. The responsibility of protecting the users falls mainly to the developers of the software themselves. Since this has brought a lot of attention towards the Windows search order, developers should learn to rely less upon the operating system's default lookup. As is the case with DLL hijacking, the full path to the library needs to be specified in order to avoid this problem. Note that a full path in your own LoadLibrary call does not protect DLLs that your executable imports implicitly, or that your DLLs load in turn; on Windows 8 and later (and on Windows 7 and Vista with update KB2533623) the more complete fix is to call SetDefaultDllDirectories, or LoadLibraryEx with the LOAD_LIBRARY_SEARCH_* flags, which drop the current directory and PATH from the search altogether. The alternative to this is to move the DLL files to a place that is checked earlier in the search order, however I myself do not recommend this option [2]. Yet another alternative is to create a checksum hash of the DLL and store it within the program itself so that on execution, when a DLL is found, its checksum hash value must match the hash stored in the program. This can be improved by using a strong hashing algorithm alongside a salt or by using public and private keys in the program to encrypt the checksum outside the program and decrypt it within it. Be aware that hashing the file on disk and then calling LoadLibrary leaves a window in which the file can be swapped, and that a key embedded in the program is available to anyone who can read the program; the established form of this check is to verify the DLL's Authenticode signature with WinVerifyTrust before loading it. The users themselves also have the ability to protect themselves by taking certain precautions. The user can ensure that the files they are opening are not in the same directory as a DLL that seems out of place. For example, if a DLL comes with a picture you've downloaded, it's a good idea to remove the DLL before opening the picture. Users can also set the CWDIllegalInDllSearch registry value [3], which removes the current directory from the search either always or only when it is a remote (WebDAV or UNC) location. It can be set in two different places, the second applying to a single executable and taking precedence over the first:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\binaryname.exe\CWDIllegalInDllSearch
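The two registry locations above as a worked configuration, with the weak (unset) state readable beside the hardened one. This PowerShell is an added example and is not part of the paper; it assumes an elevated shell, uses the value meanings documented in [3], and 'vuln.exe' is a placeholder name.

```powershell
# Added example, not from the paper. Sets CWDIllegalInDllSearch (KB2264107)
# machine-wide or for one executable and reads back what is in effect.
# Requires an elevated PowerShell; on the Windows versions of the time the
# value is only honoured once update 2264107 is installed. Meanings per the KB:
#   0xFFFFFFFF  never load DLLs from the current directory
#   2           block the current directory when it is a remote (UNC or WebDAV) location
#   1           block the current directory only when it is a WebDAV location
#   0 / absent  default search behaviour

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$PolicyValues = @{
    Default     = 0
    BlockWebDav = 1
    BlockRemote = 2
    BlockAlways = -1     # stored as DWORD, i.e. 0xFFFFFFFF
}

function Get-CwdPolicyKey {
    param([string]$Executable)   # e.g. 'vuln.exe'; omit for the machine-wide value
    if ($Executable) { Join-Path $IfeoRoot $Executable } else { $SessionManagerKey }
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Default','BlockWebDav','BlockRemote','BlockAlways')]
        [string]$Policy,
        [string]$Executable
    )
    $key = Get-CwdPolicyKey $Executable
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name CWDIllegalInDllSearch -PropertyType DWord `
        -Value $PolicyValues[$Policy] -Force | Out-Null
}

function Get-CwdDllSearchPolicy {
    param([string]$Executable)
    $key = Get-CwdPolicyKey $Executable
    $raw = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    if ($null -eq $raw) { return 'Default (value not set)' }
    # Registry DWORDs come back as Int32; mask so 0xFFFFFFFF is not read as -1.
    switch ([int64]$raw -band 0xFFFFFFFF) {
        0          { 'Default' }
        1          { 'BlockWebDav' }
        2          { 'BlockRemote' }
        4294967295 { 'BlockAlways' }
        default    { "Unknown ($_)" }
    }
}

# Machine-wide: never load from a remote current directory. For the vulnerable
# viewer found earlier (placeholder name): never load from the current directory.
Set-CwdDllSearchPolicy -Policy BlockRemote
Set-CwdDllSearchPolicy -Policy BlockAlways -Executable 'vuln.exe'
Get-CwdDllSearchPolicy
Get-CwdDllSearchPolicy -Executable 'vuln.exe'
```

The per-executable entry under Image File Execution Options wins over the Session Manager value, so a strict machine-wide setting can be relaxed for one legacy program that genuinely loads plugins from its working directory, and vice versa. The setting only affects the current-directory step of the search; it does nothing for a writable application directory or a writable directory on PATH.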
Hopefully this has allowed you to understand DLL hijacking and the search algorithm used by the Windows operating system. The more developers that are aware of this problem, the less likely it is that they will rely solely on the operating system's default lookup to find their libraries.
10. References
[1] Microsoft Security TechCenter, Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution, http://technet.microsoft.com/en-us/security/advisory/2269637
[2] swiat, More information about the DLL preloading remote attack vector, Security Research & Defense blog, TechNet, August 23rd 2010, http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
[3] Microsoft Support, A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm, KB2264107, http://support.microsoft.com/kb/2264107
