Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability

From: Dan Kaminsky <dan () doxpara com>
Date: Fri, 10 Sep 2010 14:08:14 -0400
On Fri, Sep 10, 2010 at 11:46 AM, Nikhil Mittal
<nikhil_uitrgpv () yahoo co in> wrote:



Here's my definition



Exploitable vulnerability = vulnerabilityn't t
Non-exploitable "vulnerability" = mental masturbation


Nice definition. I would like to add one more line for my definition

Inability to recognize a straight forward vulnerability = mentally handicap


OK, lets go over this again.

Nikhil, Simple DLL Hijacking is quite possibly the least
straightforward potentially exploitable condition *of all time*.  We
may look back on this characteristic as the thing that finally proved
the legitimacy of Cross Site Scripting attacks -- compared to Simple
DLL Hijacking, XSS is practically a stack smash.  Simple DLL
Hijacking's problem is as follows:

a) The presumed preconditions for an attack are extensive and expensive
b) An attacker who met those preconditions, would not be stopped by
the proposed defenses

Regarding a, we're seeing lots of PDF 0-day floating around.  Why?
Because it's pretty cheap to get somebody to parse a PDF:  <iframe
src='foo.pdf'> and you're done.  Getting someone to go through all the
steps with SDH?  Too complicated.

That being said, there are scenarios.  Matt @ AttackVector probably
found the best one right now -- a worm drops DLLs into a shared
document folder, and anyone who opens the docs gets hit.  And of
course, multiple people have figured out that SDH causes problems for
Autorun defenses, because a document read (not copied) directly off a
thumbdrive will presently launch code.

Even if you grant these are legitimate vectors, these are vectors
bouncing off Office's presumed type safety -- not WinImageView
3.4.8's.  And they're not even close to straightforward.

The core problem though is that Explorer itself doesn't strongly
enforce type safety.  I can't emphasize enough, you just don't have
enough context when you double click an item in a browser, that it's
not actually an .exe.  People keep pretending you do have this
context, and it's simply untrue.  Look at it this way:  If it was as
easy to execute arbitrary code from a web page, as it was from a
Explorer Shell Window to \\attacker.com\foo, we'd be up in arms.

So essentially, what you find is that the very concept of browsing
remote shares and USB sticks you don't trust, is unsafe.  This creates
the astonishing situation where Sharepoint becomes a security
technology!

You might notice that I keep referring to all this as Simple DLL
Hijacking.  It's likely that DLL Hijacking will actually be a critical
component of a genuine attack vector.  It's just not, yet.  The
journey of a thousand miles has been declared complete with a single
step.  So we're on the cusp of some huge portion of advisories coming
from the security community being little more than "random Windows app
runs DLLs from CWD".

Frankly, I think we can find better bugs.  I think we'd better.  Just
like bad money drives out good money, bad bugs drive out good bugs.
The credibility of advisories, and even the usefulness of FD, is
somewhat at risk.

--Dan

P.S.  Maybe there should be a new list -- full-disclosure-sdh -- for
this discussion?  I can't be the only one wondering how enormous this
thread has to get.  Yeah, yeah, I know.  I'm dreaming.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: