Re: [Full-disclosure] Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability



On Fri, Sep 10, 2010 at 11:46 AM, Nikhil Mittal
<nikhil_uitrgpv@xxxxxxxxxxx> wrote:

Here's my definition

Exploitable vulnerability = vulnerabilityn't t
Non-exploitable "vulnerability" = mental masturbation

Nice definition. I would like to add one more line for my definition

Inability to recognize a straight forward vulnerability = mentally handicap

OK, lets go over this again.

Nikhil, Simple DLL Hijacking is quite possibly the least
straightforward potentially exploitable condition *of all time*.  We
may look back on this characteristic as the thing that finally proved
the legitimacy of Cross Site Scripting attacks -- compared to Simple
DLL Hijacking, XSS is practically a stack smash.  Simple DLL
Hijacking's problem is as follows:

a) The presumed preconditions for an attack are extensive and expensive
b) An attacker who met those preconditions, would not be stopped by
the proposed defenses

Regarding a, we're seeing lots of PDF 0-day floating around.  Why?
Because it's pretty cheap to get somebody to parse a PDF:  <iframe
src='foo.pdf'> and you're done. Getting someone to go through all the
steps with SDH? Too complicated.

That being said, there are scenarios. Matt @ AttackVector probably
found the best one right now -- a worm drops DLLs into a shared
document folder, and anyone who opens the docs gets hit. And of
course, multiple people have figured out that SDH causes problems for
Autorun defenses, because a document read (not copied) directly off a
thumbdrive will presently launch code.

Even if you grant these are legitimate vectors, these are vectors
bouncing off Office's presumed type safety -- not WinImageView
3.4.8's. And they're not even close to straightforward.

The core problem though is that Explorer itself doesn't strongly
enforce type safety. I can't emphasize enough, you just don't have
enough context when you double click an item in a browser, that it's
not actually an .exe. People keep pretending you do have this
context, and it's simply untrue. Look at it this way: If it was as
easy to execute arbitrary code from a web page, as it was from a
Explorer Shell Window to \\attacker.com\foo, we'd be up in arms.

So essentially, what you find is that the very concept of browsing
remote shares and USB sticks you don't trust, is unsafe. This creates
the astonishing situation where Sharepoint becomes a security
technology!

You might notice that I keep referring to all this as Simple DLL
Hijacking. It's likely that DLL Hijacking will actually be a critical
component of a genuine attack vector. It's just not, yet. The
journey of a thousand miles has been declared complete with a single
step. So we're on the cusp of some huge portion of advisories coming
from the security community being little more than "random Windows app
runs DLLs from CWD".

Frankly, I think we can find better bugs. I think we'd better. Just
like bad money drives out good money, bad bugs drive out good bugs.
The credibility of advisories, and even the usefulness of FD, is
somewhat at risk.

--Dan

P.S. Maybe there should be a new list -- full-disclosure-sdh -- for
this discussion? I can't be the only one wondering how enormous this
thread has to get. Yeah, yeah, I know. I'm dreaming.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • yyzvxGINA.dll?
    ... DLL for Windows. ... few days hundreds of attempted but failed logins using the typical ... attack that people are familiar with? ... time frame, although I'm assuming that information is not completely ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: [Full-disclosure] Microsofts Binary Planting Clean-Up Mission
    ... knowingly or unknowingly loads the "malicious" DLL - the application will be ... engineering attack - absolutely nothing more. ... DLL on a local machine so that a chosen application will load it (i.e., ... Subject: Microsoft's Binary Planting ...
    (Full-Disclosure)
  • Re: Paint a bitmap behind normal VB6 menu when dropped down
    ... That gives me a really nice look for very little coding. ... And the .dll ... vbAccelerator has good approaches, but there are some serious bugs in almost all his codes. ...
    (microsoft.public.vb.general.discussion)
  • Re: French Version Issues
    ... Are there any other issues regarding bugs ... related to this DLL and are they listed anywhere on the web? ... > I confirm this is a bug when using French DLL. ... When I manually register the VFP DLL file for French, ...
    (microsoft.public.fox.programmer.exchange)
  • Re: D2007 - Type Library Editor Improvements? - UPDATE
    ... The DLL still compiles and appears to work with ArcGIS, other than some bugs I'm trying to work out. ...
    (borland.public.delphi.non-technical)