http://msdn.microsoft.com/en-us/library/ms682583(v=vs.85).aspx
http://blogs.technet.com/
http://www.nruns.com/_downloads/23C3-Berlin-Bluetooth-Hacking-Revisited-Thierry-Zoller.pdf
http://blog.zoller.lu/2011/08/tools-whitepapers-talks.html?m=1
https://www.metasploit.com/redmine/projects/framework/repository/raw/external/source/DLLHijackAuditKit.zip
http://msdn.microsoft.com/en-us/library/hh310514(v=vs.85).aspx
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
CVE-2010-x+n - Loadlibrary/Getprocaddress roars its evil head in 2010
Subscribe to the RSS feed in case you are interested in
updatesAfter Acrossecurity, published an interesting vulnerability
and HDmoore appears to have stumbled on the same issue, I decided to
investigate on my own. I am not 100% sure it's the same bug but I am pretty
confident.
While it is known since years and Microsoft even dedicates a KB article to
it, vendors appear to still have issues with using
Loadlibrary/Getprocadress correctly.Above does not show vulnerable examples
(i.e the dll is not effectively loaded)This issue appears to have been
first discovered by Georgi Guninski (who else) in 2000, so it is not a new
weakness and defensive mechanisms have been introduced into development
languages as well as windows itself to mitigate this risk (if properly
used)If
I will find more time this week I'll publish more details and backround as
to introduce counter measures and checks into your hopefully mature
Development Lifecycle.In summary :If loadlibrary is not called correctly
AND/OR DLL Search path is not hardened opening a file located on a share
will lead to DLL files being located on the share and code being executed
that is within that DLL.
Above is an example of Photoshop.Until then know that this issue can be
mitigated by deploying proper GPO policies that disables searching for DLLs
on UNC paths (Documented in
http://support.microsoft.com/kb/2264107)Development Best practises that can
protect against this weakness/vulnerability :Do not use the SearchPath
function to retrieve a path to a DLL for a subsequent LoadLibrary call.
Why : http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspxMore to
follow in the following daysTools to detect said bug class :DLL Hijacking
Audit Tool v2 by Rapid7/HDmoore and Blog post (Recommended read)Rapid7 Blog
post (Interesting backround
information)Procmon (Sysinsternals)Filemon (Sysinsternals)Mitigate this
particular attack vector through GPO policies:
http://support.microsoft.com/kb/2264107More information from the SRD
Team (recommended read)More information :
Paper by Taeho Kwon and Taeho Kwon entitled Automatic Detection of
Vulnerable Dynamic Component LoadingsDLL preloading Microsoft Security
Response Center blog Official security AdvisoryExpect a lot of applications
vulnerable to this bug and my title CVE-2010-x+n probably makes sense by
now. Another low hanging fruit to watch out for.Thierry Zoller
●●●●●●●●●●●●●●●●●●●●●●●●●
LoadLibrary function
53 out of 116 rated this helpful - Rate this topicLoads the specified
module into the address space of the calling process. The specified module
may cause other modules to be loaded.For additional load options, use
the LoadLibraryEx function.
Syntax
C++ HMODULE WINAPI LoadLibrary( _In_ LPCTSTR lpFileName );
Parameters
lpFileName [in]The name of the module. This can be either a library module
(a .dll file) or an executable module (an .exe file). The name specified is
the file name of the module and is not related to the name stored in the
library module itself, as specified by the LIBRARY keyword in the
module-definition (.def) file.
If the string specifies a full path, the function searches only that path
for the module.If the string specifies a relative path or a module name
without a path, the function uses a standard search strategy to find the
module; for more information, see the Remarks.If the function cannot find
the module, the function fails.
When specifying a path, be sure to use backslashes (\), not forward slashes
(/). For more information about paths, see Naming a File or Directory.If
the string specifies a module name without a path and the file name
extension is omitted, the function appends the default library extension
.dll to the module name. To prevent the function from appending .dll to the
module name, include a trailing point character (.) in the module name
string.
Return value
If the function succeeds, the return value is a handle to the module.If the
function fails, the return value is NULL. To get extended error
information, call GetLastError.
Remarks
To enable or disable error messages displayed by the loader during DLL
loads, use the SetErrorMode function.LoadLibrary can be used to load a
library module into the address space of the process and return a handle
that can be used in GetProcAddress to get the address of a DLL
function. LoadLibrary can also be used to load other executable modules.
For example, the function can specify an .exe file to get a handle that can
be used in FindResource or LoadResource. However, do not use LoadLibrary to
run an .exe file. Instead, use the CreateProcess function.If the specified
module is a DLL that is not already loaded for the calling process, the
system calls the DLL's DllMain function with theDLL_PROCESS_ATTACH value.
If DllMain returns TRUE, LoadLibrary returns a handle to the module.
If DllMain returns FALSE, the system unloads the DLL from the process
address space and LoadLibrary returns NULL. It is not safe to
call LoadLibrary from DllMain. For more information, see the Remarks
section in DllMain.Module handles are not global or inheritable. A call
to LoadLibrary by one process does not produce a handle that another
process can use — for example, in calling GetProcAddress. The other process
must make its own call to LoadLibrary for the module before
calling GetProcAddress.If lpFileName does not include a path and there is
more than one loaded module with the same base name and extension, the
function returns a handle to the module that was loaded first.If no file
name extension is specified in the lpFileName parameter, the default
library extension .dll is appended. However, the file name string can
include a trailing point character (.) to indicate that the module name has
no extension. When no path is specified, the function searches for loaded
modules whose base name matches the base name of the module to be loaded.
If the name matches, the load succeeds. Otherwise, the function searches
for the file.The first directory searched is the directory containing the
image file used to create the calling process (for more information, see
theCreateProcess function). Doing this allows private dynamic-link library
(DLL) files associated with a process to be found without adding the
process's installed directory to the PATH environment variable. If a
relative path is specified, the entire relative path is appended to every
token in the DLL search path list. To load a module from a relative path
without searching any other path, use GetFullPathName to get a nonrelative
path and call LoadLibrary with the nonrelative path. For more information
on the DLL search order, see Dynamic-Link Library Search Order.The search
path can be altered using the SetDllDirectory function. This solution is
recommended instead of using SetCurrentDirectory or hard-coding the full
path to the DLL.If a path is specified and there is a redirection file for
the application, the function searches for the module in the application's
directory. If the module exists in the application's
directory, LoadLibrary ignores the specified path and loads the module from
the application's directory. If the module does not exist in the
application's directory, LoadLibrary loads the module from the specified
directory. For more information, see Dynamic Link Library Redirection.If
you call LoadLibrary with the name of an assembly without a path
specification and the assembly is listed in the system compatible manifest,
the call is automatically redirected to the side-by-side assembly.The
system maintains a per-process reference count on all loaded modules.
Calling LoadLibrary increments the reference count. Calling
the FreeLibrary or FreeLibraryAndExitThread function decrements the
reference count. The system unloads a module when its reference count
reaches zero or when the process terminates (regardless of the reference
count).Windows Server 2003 and Windows XP: The Visual C++ compiler
supports a syntax that enables you to declare thread-local
variables: _declspec(thread). If you use this syntax in a DLL, you will not
be able to load the DLL explicitly using LoadLibrary on versions of Windows
prior to Windows Vista. If your DLL will be loaded explicitly, you must use
the thread local storage functions instead of _declspec(thread). For an
example, see Using Thread Local Storage in a Dynamic Link Library.
Security Remarks
Do not use the SearchPath function to retrieve a path to a DLL for a
subsequent LoadLibrary call. The SearchPath function uses a different
search order than LoadLibrary and it does not use safe process search mode
unless this is explicitly enabled by
calling SetSearchPathMode withBASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE.
Therefore, SearchPath is likely to first search the user's current working
directory for the specified DLL. If an attacker has copied a malicious
version of a DLL into the current working directory, the path retrieved
by SearchPath will point to the malicious DLL, which LoadLibrary will then
load.Do not make assumptions about the operating system version based on
a LoadLibrary call that searches for a DLL. If the application is running
in an environment where the DLL is legitimately not present but a malicious
version of the DLL is in the search path, the malicious version of the DLL
may be loaded. Instead, use the recommended techniques described in Getting
the System Version.
Examples
For an example, see Using Run-Time Dynamic Linking.
Requirements
Minimum supported clientWindows XP [desktop apps only]Minimum supported
serverWindows Server 2003 [desktop apps only]HeaderWinbase.h (include
Windows.h)LibraryKernel32.libDLLKernel32.dllUnicode and ANSI
namesLoadLibraryW (Unicode) and LoadLibraryA (ANSI)
See also
DllMainDynamic-Link Library
FunctionsFindResourceFreeLibraryGetProcAddressGetSystemDirectoryGetWindowsDirectoryLoadLibraryExLoadResourceRun-Time
Dynamic LinkingSetDllDirectorySetErrorMode
RemoveDllDirectory function
This topic has not yet been rated - Rate this topicRemoves a directory that
was added to the process DLL search path by using AddDllDirectory.
Syntax
C++ BOOL WINAPI RemoveDllDirectory( _In_ DLL_DIRECTORY_COOKIE Cookie );
Parameters
Cookie [in]The cookie returned by AddDllDirectory when the directory was
added to the search path.
Return value
If the function succeeds, the return value is nonzero.If the function
fails, the return value is zero. To get extended error information,
call GetLastError.
Remarks
After RemoveDllDirectory returns, the cookie is no longer valid and should
not be used.Windows 7, Windows Server 2008 R2, Windows Vista, and Windows
Server 2008: To call this function in an application, use
the GetProcAddress function to retrieve its address from
Kernel32.dll. KB2533623 must be installed on the target platform.
Requirements
Minimum supported clientWindows 8 [desktop apps only]Minimum supported
serverWindows Server 2012 [desktop apps only]VersionKB2533623 on Windows 7,
Windows Server 2008 R2, Windows Vista, and Windows
Server 2008HeaderLibLoaderAPI.h (include Windows.h);None on Windows 7,
Windows Server 2008 R2, Windows Vista, and Windows
Server 2008DLLKernel32.dll
DisableThreadLibraryCalls function
8 out of 8 rated this helpful - Rate this topicDisables the
DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the specified
dynamic-link library (DLL). This can reduce the size of the working set for
some applications.
Syntax
C++ BOOL WINAPI DisableThreadLibraryCalls( _In_ HMODULE hModule );
Parameters
hModule [in]A handle to the DLL module for which the DLL_THREAD_ATTACH and
DLL_THREAD_DETACH notifications are to be disabled.
TheLoadLibrary, LoadLibraryEx, or GetModuleHandle function returns this
handle. Note that you cannot call GetModuleHandle with NULL because this
returns the base address of the executable image, not the DLL image.
Return value
If the function succeeds, the return value is nonzero.If the function
fails, the return value is zero. The DisableThreadLibraryCalls function
fails if the DLL specified by hModule has active static thread local
storage, or if hModule is an invalid module handle. To get extended error
information, call GetLastError.
Remarks
The DisableThreadLibraryCalls function lets a DLL disable the
DLL_THREAD_ATTACH and DLL_THREAD_DETACH notification calls. This can be a
useful optimization for multithreaded applications that have many DLLs,
frequently create and delete threads, and whose DLLs do not need these
thread-level notifications of attachment/detachment. A remote procedure
call (RPC) server application is an example of such an application. In
these sorts of applications, DLL initialization routines often remain in
memory to service DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications. By
disabling the notifications, the DLL initialization code is not paged in
because a thread is created or deleted, thus reducing the size of the
application's working code set. To implement the optimization, modify a
DLL's DLL_PROCESS_ATTACH code to callDisableThreadLibraryCalls.Do not call
this function from a DLL that is linked to the static C run-time library
(CRT). The static CRT requires DLL_THREAD_ATTACH and DLL_THREAD_DETATCH
notifications to function properly.Windows Phone 8: This API is supported.
Requirements
Minimum supported clientWindows XP [desktop apps | Windows Store
apps]Minimum supported serverWindows Server 2003 [desktop apps | Windows
Store apps]HeaderWinbase.h (include
Windows.h)LibraryKernel32.libDLLKernel32.dll
See also
Dynamic-Link Library Entry-Point FunctionDynamic-Link Library
FunctionsFreeLibraryAndExitThread
★★★★★★☆☆☆☆☆☆★★★★★★☆☆☆☆☆☆★★★★
DN Blogs > David LeBlanc's Web Log > DLL Preloading Attacks
DLL Preloading Attacks
david_leblanc 20 Feb 2008 9:09 PM 2A DLL preloading attack is something
that can get you on a lot of different platforms. One of the first variants
I heard about was in an ancient telnet daemon on certain versions of UNIX
where you could specify environment variables, and one of the things you
could specify was where to look for libraries. Obviously, if you could get
the telnet daemon running as root to load your library, it was then your
system.A difference between UNIX-ish systems and systems based on DOS is
that the current directory "." is not on the search path for UNIX-ish
systems, and it is for DOS systems, which didn't have different users, so
there was no need to worry about some of these things. Originally, a
Windows system would look for DLLs using the same ordering that you'd look
for an executable – as documented in the SearchPath API:The directory from
which the application loaded. The current directory. The system directory.
Use the GetSystemDirectory function to get the path of this directory. The
16-bit system directory. There is no function that retrieves the path of
this directory, but it is searched. The Windows directory. Use the
GetWindowsDirectory function to get the path of this directory. The
directories that are listed in the PATH environment variable.The attack is
that you find some DLL an app needs, make an evil twin, and put it in the
same directory as a document, then lure someone who you'd like to have
running your code to open the document. This is obviously a problem, and
the advice we gave in Writing Secure Code (1&2) was to fully path the
library you wanted to access with LoadLibrary. This advice isn't always the
best, since if you weren't sure where you were installed, you might use
SearchPath to go find it, which looks in the current directory, and now you
have a problem again.What we did to fix it correctly was to make a setting
that moved the current directory into the search order immediately before
the path is searched, and after everything else. This took effect by
default in XP SP2, Win2k3 and later, and was available in Win2k SP4. For
the most part, this did get rid of the problem – if it was a DLL in the
operating system, that got searched well before the current directory and
all was good.Unfortunately, this isn't a complete fix in all cases – there
are some times that we'd like to test to see if a DLL is present, and then
do something special if it is. Even with the current directory moved to the
end of the search order, if it isn't there, we'll still look in the current
directory. So code that looks like this:hMod = LoadLibrary("Foo.dll"); //
check to see if Foo is presentWill be dangerous. You have a couple of good
options in dealing with this. If you never have a need to load a DLL from
the current directory, just call SetDllDirectory with an argument of "".
This is something I discovered by playing with the API, went and looked at
the code and found that it was an intended use of the function, logged a
bug, and now it's documented behavior you can depend on. If you can do
this, it's best – you don't have to put a lot of overhead around every
LoadLibrary call, and you're safe. The API is available in XP SP1 and
later, which is pretty safe as a minimum platform these days. A second
approach that would involve a bit of work on your part would be to
implement only the bits of SearchPath that you need. Here's what I'd
do:Search your app's directory – you can find this with GetModuleFileName
using NULL as the first parameter.Look in the system directory as aboveLook
in the Windows directory as aboveThere could be some wrinkles around
side-by-side DLL's, and I haven't looked closely at this aspect of the
problem – perhaps someone who has could comment. An option that I'd tend to
discourage would be to load the library with LOAD_LIBRARY_AS_DATAFILE as a
flag, then using GetModuleFileName to see if it is the one you wanted, or
checking somehow to see if it is the one you wanted using some form of
checksum. The first problem is that this is a lot of overhead, and the
second is that if there's a path to parse, odds are you'll do something
wrong and break when the format of the return changes, or you'll foul up
and make the wrong decision, since making decisions based on names is hard.
Checksums are easily defeated, and real cryptography is computationally
expensive.I've been meaning to write this for a while, as it's one of the
portions of Writing Secure Code that I'd like to update -
echNet Blogs > MSRC > Microsoft Security Advisory 2269637 ReleasedShare
Article1Connect to UsRSS for Posts@msftsecresponseSecurity NewsletterReport
a VulnerabilityTwC Blogs Windows Phone ApplicationGet on-the-go access to
the latest insights featured on our Trustworthy Computing blogs.Twitter
@msftsecresponse
Security Response
msftsecresponse
msftsecresponse Couldn't be there live? Q&A from yesterday's webcast
covering MS13-008 now posted at aka.ms/zylgj2 #MSFTSecWebcastyesterday
· reply · retweet · favoritemsftsecurity RT @HelpNetSecurity Looking
back at a year of #Microsoft patches. bit.ly/13xjSMO #InfoSecyesterday
· reply · retweet · favoritemsftsecresponse Join @jness &
@dustin_childsfor
a webcast discussing MS13-008 today at 1PM. Register at aka.ms/hdxbcu
#MSFTSecWebcast2
days ago · reply · retweet · favoritemsftsecresponse Time to apply
MS13-008, released today to address #Microsoft #SecurityAdvisory 2794220.
Details at aka.ms/gxv32y2 days ago · reply · retweet · favoriteJoin the
conversation
Microsoft Security Advisory 2269637 Released
MSRCTeam 21 Aug 2010 11:03 PMOverviewToday we released Microsoft Security
Advisory 2269637. This is different from other Microsoft Security
Advisories because it's not talking about specific vulnerabilities in
Microsoft products. Rather, this is our official guidance in response to
security research that has outlined a new, remote vector for a well-known
class of vulnerabilities, known as DLL preloading or "binary planting"
attacks. We are currently conducting a thorough investigation into how
this new vector may affect Microsoft products. As always, if we find this
issue affects any of our products, we will address them
appropriately.Additionally, today we are providing a defense-in-depth
update that customers can deploy that will help protect against attempts to
exploit vulnerable applications through this newly identified vector.
Finally, we are using our strong connections with researchers and partners
in the industry to help address this new class of vulnerability. Our
Microsoft Vulnerability Research program has been working to coordinate
communication between the researcher who first brought this new vector to
us and other application developers who are affected by this
issue.Technical BackgroundWhat this new research demonstrates is a new
remote vector for DLL preloading attacks. These attacks are not new or
unique to the Windows platform. For instance, PATH attacks that are similar
to this issue constitute some of the earliest class of attacks against the
UNIX operating system. The attack focuses on tricking an application into
loading a malicious library when it thinks it's loading a trusted library.
For this to succeed, the application has to call the trusted library by
name instead of properly using its full path (for example, calling
dllname.dll rather than C:\Program Files\Common Files\Contoso\dllname.dll).
The attacker then has to place a malicious copy of the library in a
directory that the system will search to locate the library and have that
be a directory it will search before the directory where the trusted
library actually is. For example, if an attacker knows that the application
simply calls for dllname.dll (rather than using the full path) and it will
look for dllname.dll in the current working directory before looking in
C:\Program Files\Common Files\Contoso\. Then if the attacker can plant a
malicious copy of dllname.dll in the current working directory, the
application will load it first executing the attacker's code in the
application's security context.PATH or DLL preloading attacks have so far
required the attacker to plant the malicious library on the local client
system. This new research outlines a way an attacker could levy these
attacks by planting the malicious library on a network share. In this
scenario, the attacker would create a data file that the vulnerable
application would open, create a malicious library that the vulnerable
application would use, post both of them on a network share that the user
could access, and convince the user to open the data file. At that point,
the application would load the malicious library and the attacker's code
would execute on the user's system.Because this is a new vector, rather
than a new class of vulnerability, the existing best practices that protect
against this class of vulnerability, automatically protect against this new
vector: ensuring that applications make calls to trusted libraries using
full path names.While the best protection is following best practices, we
are able to provide an additional layer of defense by offering a tool that
can be configured to disable the loading of libraries from network shares.
In particular, because this is altering functionality, we encourage
customers to evaluate this tool before deploying it. As part of your
evaluation, we encourage you to review the information at the Security
Research and Defense (SRD) blog.We will continue our work with the
researchers and the industry to identify and address vulnerable
applications. And as always, we will update you with any new information we
have through our security advisories, security bulletins and the MSRC
weblog as appropriate
an we load library with lower privilege level ?
As LoadLibrary call loads the dll with equal privilage as of caller
process. For example if process from admin rights loads the dll, the dll
gets the access right of admin level.So is there any way so that one can
load dll by providing it a lower privilege level.Taj_Sengar9/28/2011
good to use SetSearchPathMode() even if you don't use SearchPath()
Some Windows APIs follow the "do not use" practice of using SearchPath()
and passing the result to LoadLibrary() (e.g., CryptAcquireContext() on XP,
or ExtractIconEx() on XP through Win7) so you may want to call
SetSearchPathMode() to avoid this potential source of issue even if your
own code avoids this behavior.md128/23/2011
PATH Environment Variable
It might also be a good idea to remove the PATH-Environment-Variable from
the process:SetEnvironmentVariable(TEXT("PATH"),NULL);geeky
☆☆☆☆☆☆☆♡♡♡♡♡♡☆☆☆☆☆☆♡♡♡♡♡♡♡♡♡♡♡☆☆☆☆☆☆☆
♥♥♥♥♡♡♡♡☆☆☆☆☆★★★★★★☆♡♡♡♡♡☆☆☆♥♥♥♥♥♥♥♥
☆☆☆☆☆★★★★★★☆☆☆☆☆☆★★★★☆★☆☆☆☆☆☆☆
supreme clothing
ReplyDeletecurry 7
nike air vapormax
off white clothing
air jordans
michael kors
nike air max 90
adidas gazelle
bape hoodie
mbt