DLL Hijacking

DLL hijacking vulnerabilities – [sans.edu]

For the last couple of days there have been a lot of discussions about a vulnerability published by a Slovenian security company ACROS. HD Moore (of Metasploit fame) also independently found hundreds of vulnerable applications and, as he said, the cat is now really out of the bag.

In order to see what is going on here we first have to understand how modern applications are built. Modern applications come modularized with multiple DLLs (Dynamic Link Libraries). This allows the programmer to use functions available in other DLLs on the system – Windows has hundreds of them. Now, if a DLL is not available on the system, the developer can decide to pack it with the main application’s executable and store it, for example, in the application’s directory.

Microsoft won’t patch critical DLL loading bugs – [networkworld.com]

Microsoft’s decision won’t come as a surprise to the researchers who have publicized the problem.

Last week, for example, Moore said it was unlikely Microsoft could come up with a fix. “There may be work-arounds available, but the core issue is with the application itself, not Windows,” he said at the time. “There may be fixes that can be applied at the OS level, but these are likely to break existing applications.”

Demo of the Microsoft DLL Hijacking Exploit – [threatpost.com]

In this video, the folks at Offensive Security demonstrated exactly how the Windows DLL-hijacking vulnerability can be exploited using Metasploit and a benign PowerPoint slide.

Exploiting DLL Hijacking Flaws – [metasploit.com]

This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

Better, Faster, Stronger: DLLHijackAuditKit v2 – [metasploit.com]

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications.
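The audit kit's last step, validating the ProcMon CSV log, comes down to one filter: which DLLs did the application look for in the document's directory and fail to find? An added example of that filter in Python, not code from the audit kit or any linked post; the CSV rows, process name and directory are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of a ProcMon CSV export (not a real capture). Columns
# follow ProcMon's default export order.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","viewer.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:02.2","viewer.exe","4120","CreateFile","C:\\Users\\alice\\Downloads\\dwmapi.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3","viewer.exe","4120","CreateFile","C:\\Users\\alice\\Downloads\\document.xyz","SUCCESS","Desired Access: Read"
"10:01:02.4","viewer.exe","4120","CreateFile","C:\\Users\\alice\\Downloads\\msvcr90.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.5","viewer.exe","4120","CreateFile","C:\\Windows\\System32\\dwmapi.dll","SUCCESS","Desired Access: Read"
"10:01:03.0","other.exe","500","CreateFile","C:\\temp\\foo.dll","NAME NOT FOUND","Desired Access: Read"
"""


def find_missing_dll_probes(csv_text, process_name, untrusted_dir):
    """Return the sorted DLL base names that `process_name` tried to open
    inside `untrusted_dir` (for example, the folder an opened document lives
    in) and did not find. Each one is a library the loader would accept from
    that directory before it reaches the system copy, so it needs review."""
    untrusted = PureWindowsPath(untrusted_dir)
    hits = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        # Only failed file opens of .dll files count as probes.
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll":
            continue
        # Restrict to the directory under audit; PureWindowsPath compares
        # case-insensitively, matching NTFS behaviour.
        if path.parent != untrusted:
            continue
        hits.add(path.name.lower())
    return sorted(hits)


if __name__ == "__main__":
    for name in find_missing_dll_probes(SAMPLE_PROCMON_CSV, "viewer.exe",
                                        r"C:\Users\alice\Downloads"):
        print("DLL probed but not found in untrusted directory:", name)
```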

DLL Hijacking: Facts and Fiction – [threatpost.com]

DLL hijacking simply isn’t the same as a typical zero-day vulnerability. The technical details of the attack have been covered in depth elsewhere, so I won’t go into them here, but technical details without context can lead to exaggerated conclusions. Let’s take a step back and look at this in the context of history and fact…
