MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2010

MA-247.082010 : MyCERT Alert – Insecure Library Loading Could Allow Remote Code Execution

Date of publication: 2010-08-26

1.0 Introduction

A critical vulnerability has been identified in the way several applications load external libraries. The vulnerability, if successfully exploited, could potentially allow an attacker to take control of the affected system.

2.0 Technical Details

This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. When an application loads a DLL without specifying a fully qualified path name, Windows will attempt to locate the DLL by searching a defined set of directories.

The exploit scenario most likely to occur involves an attacker convincing the victim to open a file hosted on an attacker-controlled SMB or WebDAV share. The file itself would not necessarily be malicious or malformed. The key is that the file is loaded from a location where an attacker can also place a malicious DLL with the same name as a DLL the vulnerable application loads.

3.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute code remotely and take control of the affected system.

4.0 Affected Products

Microsoft and several other vendors are currently investigating whether any of their applications are affected by insecure library loading vulnerabilities.

5.0 Recommendations

Below are temporary workarounds for this vulnerability:

5.1 Disable loading of libraries from WebDAV and remote network shares

Microsoft has released a tool that allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.

This tool introduces a new registry key CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path.

The tool and full instructions can be found at the following URL: http://support.microsoft.com/kb/2264107
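
The search described in section 2.0 and the effect of CWDIllegalInDllSearch on it, modelled in Python as an added example (not MyCERT's or Microsoft's code). The value meanings (0, 1, 2, 0xFFFFFFFF) follow Microsoft KB 2264107; the application, share and DLL names, the directory listings and the path-based WebDAV check are constructed assumptions.

```python
# Simplified model of the Windows DLL search for an unqualified name with
# SafeDllSearchMode enabled. All paths and listings are constructed samples.
SEARCH_DEFAULT = 0x0      # current directory searched as usual
BLOCK_WEBDAV = 0x1        # skip current directory when it is a WebDAV folder
BLOCK_REMOTE = 0x2        # skip it when it is a WebDAV or UNC location
REMOVE_CWD = 0xFFFFFFFF   # never search the current directory

def cwd_kind(path):
    """Classify a working directory by path form (assumed heuristic)."""
    if path.startswith("\\\\"):
        return "webdav" if "davwwwroot" in path.lower() else "unc"
    return "local"

def cwd_allowed(cwd, policy):
    """Apply a CWDIllegalInDllSearch value to the current directory."""
    kind = cwd_kind(cwd)
    if policy == REMOVE_CWD:
        return False
    if policy == BLOCK_REMOTE:
        return kind == "local"
    if policy == BLOCK_WEBDAV:
        return kind != "webdav"
    return True

def resolve(dll, app_dir, cwd, path_dirs, listing, policy=SEARCH_DEFAULT):
    """Return (directory, search step) that satisfies the load, or None."""
    order = [(app_dir, "application directory"),
             (r"C:\Windows\System32", "system directory"),
             (r"C:\Windows\System", "16-bit system directory"),
             (r"C:\Windows", "Windows directory")]
    if cwd_allowed(cwd, policy):
        order.append((cwd, "current directory"))
    order += [(d, "PATH") for d in path_dirs]
    for directory, step in order:
        names = {f.lower() for f in listing.get(directory, ())}
        if dll.lower() in names:
            return directory, step
    return None

# Constructed scenario: a document opened from a share makes the share the
# current directory, and the requested DLL exists nowhere earlier in the order.
APP, SHARE = r"C:\Program Files\Viewer", r"\\fileserver\public\docs"
LISTING = {APP: ["viewer.exe"], r"C:\Windows\System32": ["kernel32.dll"],
           SHARE: ["report.doc", "codec.dll"]}

if __name__ == "__main__":
    for policy in (SEARCH_DEFAULT, BLOCK_WEBDAV, BLOCK_REMOTE, REMOVE_CWD):
        print(hex(policy), resolve("codec.dll", APP, SHARE, [], LISTING, policy))
```

The model covers only loads made without a fully qualified path; a load that names the full path does not go through this search.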

5.2 It is also recommended to disable the WebClient service and block TCP ports 139 and 445 at the firewall.

However, these workarounds may reduce the functionality of the affected systems. To apply the workarounds mentioned, please refer to the following URL: http://www.microsoft.com/technet/security/advisory/2269637.mspx#EVF

5.3 Do not browse to untrusted websites or click on untrusted links, especially URLs enclosed in e-mails from an unknown sender.

5.4 Browse the Internet using a lower-privilege user account to minimize the impact of malicious files.


MyCERT would like to advise users of Microsoft Windows to be vigilant of the latest security announcements by Microsoft and other vendors and to ensure that their operating systems and applications are up to date. MyCERT also recommends that users enable auto update for Microsoft Windows. The article on how to enable the auto update feature in Microsoft is available at the following URL:

http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

http://secunia.com/vulnerability_scanning/personal/

MyCERT can be reached through the following channels for further assistance:
E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

6.0 References