-1

Seems to be kernel32.dll doesn't use a fully qualified path to some DLLs which it loads and that's why they can be loaded from application directory(the directory from which the application loaded). For example, these DLLs are: fltlib.dll, version.dll, dbghelp.dll

It's really dangerous and this is a security issue, because there are no any possibilities for app to make control over this loading. Delay loading Kernel32.dll is not supported, so we can't use SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) because all happens before user code! SetDllDirectory("") also useless and moreover it excludes only current directory not application directory. CWDIllegalInDllSearch doesn't help because it also exclude only only current directory not application directory.

So, this info:

  1. https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx

  2. http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

is USELESS! It doesn't give any practise answers how to protect an application from this DLL preloading attack.

Of course you can say that all programs are in "Program Files" directory and only administrators can write to these directories. But not all apps are in "Program Files" directory. Besides all know that very often users have administrator accounts and that's why it's very simple to install one of these malware DLL silently to some application's directory and get a silent control over ANY application, because this malware DLL can emulate(read use real functions from real DLLs) all system API functions from real DLL to the application, so application never know that it uses malware DLL! Besides in this way malware DLL can bypass FIREWALL! For example if you copy some of malware DLL to the browser directory(it can be anything: Internet Explorer, FireFox, Chrome or any other) some malware code will be act as browser, which already have an allowing rule in the firewall settings, usually outgoing connections to ports 80,443,53. It's really a potential hole for leaks!

Of course it's possible to make post-loading checks and if found such malware DLLs unload them and delete. But it's bad decision because if malware DLL already loaded to the application address space it can do anything what it wants and that's why unloading and deleting it after it already loaded can be useless!

These DLLs are absent here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs But a recomendation to add them to this registry entry is not a good idea for end user. Besides, how many of them can be? I don't know.

Decision: Just DISABLE loading system DLLs from others paths except system paths (with %windir% prefix). So just enable loading system DLLs from paths, where they are located (%windir%\system32, %windir%\syswow64, %windir%\winsxs and so on). It's really strangely why the main system library (like kernel32.dll) loads system libraries which it uses from application directory where it can't be by definition! All system DLLs must be loaded only from paths with prefix %windir% or some other system paths, but not from application directory path, not from current directory path, not even from the paths that are listed in the PATH environment variable.

Steps to reproduce: First way(simple, just to see what paths will be for loaded DLLs ). 1. Put any from these DLLs: fltlib.dll, version.dll, dbghelp.dll to the application directory for ANY application (Internet Explorer or Windows Live Mail or any else) 2. See what paths have these loaded DLLs

Second way. 1. Make your own DLLs with the names: fltlib.dll, version.dll, dbghelp.dll And add your own code to DLL_PROCESS_ATTACH It's really simple. If app will call some functions from these DLLs you can emulate real API functions and do some your code! 2. Put any from these DLLs to the application directory for ANY application (Internet Explorer or Windows Live Mail or any else) 3. See what happens ))

I can give you an example of such DLL. It's work! I just simply show some message instead of some malware code.

How to make Microsoft solve this issue?

I tried here: сonnect.microsoft.com/VisualStudio/feedback/details/1139089 But yet the silence...

VRBV
  • 21
  • 2
  • I tried here: https://connect.microsoft.com/VisualStudio/feedback/details/1139089 But yet the silence... – VRBV Feb 20 '15 at 17:14
  • What is your question? – Harry Johnston Feb 21 '15 at 02:30
  • @harryj How to make Microsoft solve this issue? – VRBV Feb 21 '15 at 06:48
  • OK, that's not on topic here. Voting to close. (You could try Microsoft's forums, though realistically you're never going to convince Microsoft that this is really a security bug.) – Harry Johnston Feb 21 '15 at 21:46
  • Note that if the attacker is an administrator there are lots of other ways they can inject bad code into your application - they could install a compatibility fix, for example, instructing Windows to load their DLL whenever your application is run. Or install a system service. Or a user mode device driver. Or any one of dozens of other ways. There really are too many possible attacks in this scenario to eliminate them all. Also, if your application is not in Program Files, then it is your responsibility (or the sysadmins) to make sure that the directory has proper permissions. – Harry Johnston Feb 21 '15 at 21:51

1 Answers1

2

If they can write to your application directory, they already own your system. Why worry about them writing a malicious version of dbghelp.dll, when they can just overwrite a malicious version of your main application.

In other-words, if you've given someone that level of control, there are easier ways for them to do malicious things.

josh poley
  • 7,236
  • 1
  • 25
  • 25
  • _> they can just overwrite a malicious version of your main application._ Even if it will be digitally signed? :)) The key word is "silently" for application and user, and also "easy" to exploit this vulnerability. And the main you didn't see: why the main system library (like kernel32.dll) loads system libraries which it uses from application directory where it can't be by definition? – VRBV Feb 20 '15 at 17:54
  • Windows does not require executables to be digitally signed, so if someone maliciously overwrites or modifies the application's executable, you will not be warned about it when you run the application. The rule is that everything in the application's directory is trusted. – Harry Johnston Feb 21 '15 at 02:33
  • However, the system administrator can, if he or she wishes, implement a whitelist via Software Restriction Policy. – Harry Johnston Feb 21 '15 at 02:34
  • @harryj _Windows does not require executables to be digitally signed, so if someone maliciously overwrites or modifies the application's executable, you will not be warned about it when you run the application._ I will know about this. If I make verification in digitaly signed EXE-file. And also end user can manually check if my app has digital signature or not. _The rule is that everything in the application's directory is trusted._ **It's very bad rule!** – VRBV Feb 21 '15 at 06:46
  • @harryj _everything ... is trusted_ sounds bad and short-sighted! But the question not in that, it is: **why Microsoft lets kernel32.dll to load system libraries which it uses from application directory where it can't be by definition?** – VRBV Feb 21 '15 at 06:56