CERT-MU Vulnerability Note VN-2010-19
Insecure DLL Loading by Windows Applications leads to Remote code execution
Original Issue Date: August 24, 2010
Severity Rating: Medium
Overview
A binary-planting vulnerability has been reported in undisclosed Windows applications that allows a remote attacker to execute arbitrary code in the context of the logged-in user.
Description
This issue is caused by applications passing an insufficiently qualified path (a specific insecure programming practice) when loading an external library. Windows then attempts to locate the DLL by searching a well-defined set of directories in a particular order at runtime. Dynamic loading can be hijacked by placing a malicious file with the specified file name in a directory that is searched before the one in which the target component resolves, a so-called "binary planting" or "DLL preloading" attack.
As a result of incorrect dynamic link library loading, an attacker can cause a malicious DLL to be loaded and executed from local drives, or from remote SMB or WebDAV shares as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.
Workarounds
- Disable loading of libraries from WebDAV and remote network shares.
- Disable the WebClient service.
- Block TCP ports 139 and 445 at the firewall.
- Microsoft has issued a tool to allow administrators to alter the library loading behavior on a system-wide basis or for specific applications. The tool is available at:
http://support.microsoft.com/kb/2264107
- Users can consider the best practices against DLL preloading attacks described here
For detailed steps and impact of applying these workarounds refer to Microsoft Security Advisory 2269637.
Note: The vulnerability is not in the Windows operating system itself but rather in some applications that run on Microsoft Windows.
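The search-order behaviour from the Description and the effect of the CWDIllegalInDllSearch setting introduced by the KB2264107 tool, as an added Python model that is not part of the original advisory or of any Microsoft code. The directories, file names and the simplified remote-path classification are constructed assumptions; the search order shown is the one used when SafeDllSearchMode is enabled.

```python
# Model of Windows DLL resolution for an unqualified name (SafeDllSearchMode on).
# All directories and file names below are constructed sample data.
SEARCH_ORDER = ["app_dir", "system32", "system16", "windows", "cwd", "path"]
# CWDIllegalInDllSearch values documented in Microsoft KB2264107.
CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_BLOCK_ALWAYS = 0, 1, 2, 0xFFFFFFFF

def location_kind(directory):
    """Classify a directory as 'local', 'smb' or 'webdav' (simplified heuristic)."""
    d = directory.lower()
    if not d.startswith("\\\\"):
        return "local"
    return "webdav" if "\\davwwwroot" in d or "@" in d.split("\\")[2] else "smb"

def cwd_allowed(cwd, policy):
    """Apply the CWDIllegalInDllSearch policy to the current working directory."""
    blocked = {CWD_DEFAULT: (), CWD_BLOCK_WEBDAV: ("webdav",),
               CWD_BLOCK_REMOTE: ("webdav", "smb"),
               CWD_BLOCK_ALWAYS: ("webdav", "smb", "local")}
    return location_kind(cwd) not in blocked[policy]

def resolve(name, dirs, files, policy=CWD_DEFAULT):
    """Return (slot, path) the loader would pick, or None if nothing matches."""
    existing = {f.lower() for f in files}
    if name[1:3] == ":\\" or name.startswith("\\\\"):  # fully qualified: no search
        return ("qualified", name) if name.lower() in existing else None
    for slot in SEARCH_ORDER:
        candidates = dirs[slot] if slot == "path" else [dirs[slot]]
        for directory in candidates:
            if slot == "cwd" and not cwd_allowed(directory, policy):
                continue  # policy removes the working directory from the search
            full = directory.rstrip("\\") + "\\" + name
            if full.lower() in existing:
                return (slot, full)
    return None

DIRS = {"app_dir": r"C:\Program Files\Viewer", "system32": r"C:\Windows\System32",
        "system16": r"C:\Windows\System", "windows": r"C:\Windows",
        "cwd": r"\\fileserver\projects\docs", "path": [r"C:\Tools"]}
# 'codec.dll' is an optional component that is not installed on the local machine.
FILES = {r"C:\Program Files\Viewer\core.dll", r"\\fileserver\projects\docs\core.dll",
         r"\\fileserver\projects\docs\codec.dll"}

if __name__ == "__main__":
    for policy in (CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_BLOCK_ALWAYS):
        print(hex(policy), resolve("codec.dll", DIRS, FILES, policy))
```

In this model a library that exists in the application directory is never taken from the working directory, and a fully qualified name is never searched for at all; only the unqualified name of a component missing from the earlier directories falls through to the share.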
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx
References
Microsoft
http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx
http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx
http://support.microsoft.com/kb/2264107
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx
Security Tracker
http://securitytracker.com/alerts/2010/Aug/1024355.html
ISC-SANS
http://isc.sans.edu/diary.html?storyid=9445
ACROSS Security
http://acrossecurity.blogspot.com/2010/08/binary-planting-update-day-6.html
FORTINET
http://blog.fortinet.com/dll-pre-loading-research-the-pre-release/
The Register
http://www.theregister.co.uk/2010/08/18/windows_code_execution_vuln/
CVE Name
CVE-2010-2217
CVE-2010-2218
CVE-2010-2219
CVE-2010-2220
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.