Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com)
An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
What's a DLL? (Score:2, Funny)
Re:What's a DLL? (Score:4, Informative)
Dynamic linked library
Re: (Score:3)
"Windows Dynamic Linked Library" in this case... not seeing a single mention of Linux or OSX in there.
(Yes, there are equivalents in Linux and OSX, but no indication of the vuln in shared libs, dylibs, or dynamic shared libs, so...)
Re:What's a DLL? (Score:5, Informative)
Dynamic Link Library. Typically a shared resource that can be dynamically loaded and unloaded when needed, and often shared among programs.
The problem with DLLs are that there are many versions of the same DLL that often need to run at the same time. Which means that you can substitute one version for another, and hijack a program. Nothing new here.
Re: (Score:2)
Nothing new here.
And that's the point, right? It's nothing new, yet some vendors with some very widely distributed software still have the vulnerability.
Re:What's a DLL? (Score:4, Informative)
Nothing new, because it is how Windows was designed from the early days.
Re:What's a DLL? (Score:5, Informative)
Re: (Score:2)
Why implement it ? That sounds like too much work!
Re: (Score:3)
I would say that Microsoft could improve on desktop applications by giving them their own namespace or user space (a la Android) but instead they now call these "legacy apps" and have the unrealistic expectation that you use universal apps which do have these protections.
I say unrealistic because universal apps don't have anywhere near the capability set that you can get with "legacy apps", and there's no reason to write new desktop applications anymore because typically the best way to deliver your applica
%WINDIR%, %SYSTEM32%, %CSIDL_PROGRAM_FILESX86% (Score:2)
You would "hard code" using system variables like this:
%CSIDL_PROGRAM_FILESX86%\Avast\Sanner\foo.dll
That would end up being "the right place" no matter which drive letter has your Program Files directory. It wouldn't load hacker\foo.dll from any location.
Re: (Score:2)
In which case, what happens if you want to install your applications somewhere other than the default progra~1 directory?
There's a var for "this program's install folder " (Score:2)
There is a similar variable for "this program's installation directory", I believe. Generally, though, your DLLs should go where DLLs belong. Fighting against the design of the OS tends to increase the risk of a security exposure, in general.
Re: (Score:2)
isn't the code for a DLL loaded into a shared location in memory?
The code in a DLL is usually shared among all the processes that use the DLL
https://en.wikipedia.org/wiki/... [wikipedia.org]
so if you copy it to .../MyApp/Foo.dll doesn't that defeat that "feature"? why use a DLL at all at that point?
sincerely yours,
not a windows developer
Re: (Score:1)
No, I don't use Windows on my computer... No, I am not a shill.
But...
At some point, it's time for the programmers to do things the right way and not expect the OS to prevent them from making mistakes. I know it's fun to blame Microsoft when you don't know better or understand the problem but, really, this should not be a problem because the people writing the program are responsible for their DLLs and their usage. I know, I know... That does actually mean that they're accountable and accountability is a sca
Re: (Score:2)
Well the problem seems to be that Windows will load DLL files from the same directory that the executable is in by default, and this behaviour is retained for backwards compatibility because a lot of programs expect to work this way...
This is yet another case of a serious design flaw in windows which causes ongoing security problems, and cannot be easily fixed without breaking compatibility and/or extra humps for users or developers to jump through.
This is exploitable by preloading a user's downloads direct
Re: (Score:1)
Or, alternatively, don't let code access your system that you don't want. In other words, keep it locked down. How did the malicious DLL get into that folder, specifically, and was able to be called? And, if they can do that, why not just compromise the system in a hundred other ways instead of some half-assed way that might not work by using a DLL? They've already got access rights to put the DLL there. If they can do that then why do this? Just avoid it, as a programmer, on general principle but it's hard
Re: (Score:2)
>They've already owned the box just to put the DLL there.
Not exactly.
With UAC a prompt occurs to get administrative access, if this occurs at a time when the user does not expect it they may very well say no. Drive by downloads are one particular class of bug that can put a file in downloads, but have no risk of executing the file at that time, yes they are a bug that needs fixed, but one that seems to commonly occur. It is only later when an administrative installer executes that the system can be full
Re: (Score:2)
Thing is, as Raymond would say, you're already on the other side of the hatchway. If you can write arbitrary malicious DLLs in the user's downloads folder, then why not just patch the .exe you find there?
Re: (Score:2)
That's because it's only a vulnerability in retrospect -- it was intended as a feature.
(Linux shared libraries -- the fact that every application can use the same copy of, say, GTK instead of having to replicate it -- are the same kind of deal.)
I haven't read the article, but I suppose the countermeasure is that DLLs should be signed or have hashes checked before loading or something like that.
Re:What's a DLL? (Score:4, Informative)
TFA is a "beat up" (likely paid for by Oracle), it does not explain how the attacker is able to put the compromised dll on the machine in the first place. If an attacker can put a random binary on your local drive then they already own your machine. What a random installer subsequently does on a compromised machine is irrelevant to how the machine was hacked.
Car analogy: If a miscreant cuts your brake line without your knowledge, it is not the manufacturer's fault that the brakes no longer work as advertised. If the manufacturers can make it more difficult to cut the brake line, that's great, but they cannot, and should not, be held accountable for malicious damage caused by someone who had unrestricted access to your brake line.
Re: (Score:2)
Some browsers will auto save files to the designated downloads location, a malicious website can exploit this feature to get a dll into your downloads directory. If you then execute an installer from the same directory then you can be infected.
Getting a file into your downloads directory is not a compromise as the file has not been executed, and on other platforms the presence of malware in your download directory is harmless unless you actually go out of your way to execute it.
Re: (Score:2)
Uh, if my browser silently downloads (executable!) files without me knowing, yeah, that's a compromise.
Re: (Score:2)
IE6 was highly exploitable in its default configuration, did that make it simply a feature?
Re: (Score:2)
> If an attacker can put a random binary on your local drive then they already own your machine
Pretty much no.
>If a miscreant cuts your brake line without your knowledge,
Terrible analogy. Because it's not what's occurring here. They don't have unrestricted access to critical systems on your car. It's more like they put a brake line cutting machine in your front seat. It's not until you get into the car and say "Are you sure you want to run the program START CAR with administrative access" that your li
Re: (Score:2)
This (binary planting) is also the reason why everybody on Linux warns you about setting PATH to include CWD, or, if you really have to, to append it at the back.
Re: (Score:1)
The problem with DLLs are that there are many versions of the same DLL that often need to run at the same time. Which means that you can substitute one version for another, and hijack a program. Nothing new here.
If only it were as benign as that. You can even inject DLLs into a system process, and then have code executed as that process unless things have changed dramatically in the past 4 years.
Re: (Score:2)
I can see this _IF_ the code already attempts a manual load call to the runtime, but I have never seen a method to force an unintended DLL to be loaded into a process space unless the originating binary is modified.
Re:What's a DLL? (Score:5, Informative)
Literally the FIRST hit on Google leads to this:
https://en.wikipedia.org/wiki/... [wikipedia.org]
tl;dr - it's not really a problem to force an arbitrary process to load a DLL, *if you are an administrator*. As noted elsewhere though, if you have the power to inject, you already owned the machine, so why bother?
Re: (Score:2)
Did you actually read that article? Seriously.
Re: (Score:1)
Re: (Score:2)
Just earlier today, I ran this very command:
sudo ln -sf /lib/$(arch)-linux-gnu/libudev.so.1 /lib/$(arch)-linux-gnu/libudev.so.0
I did not read the article but the above command not only was acted on - it had the effect I wanted. I better go file a bug report!
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Or written by people who primarily develop for non windows platforms where this isn't a problem...
Why should developers on windows have to jump through so many hoops that they don't need to know about on other platforms?
Re:What's a DLL? (Score:4, Informative)
Dynamic-link library (also written unhyphenated), or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension DLL, OCX (for libraries containing ActiveX controls), or DRV (for legacy system drivers). The file formats for DLLs are the same as for Windows EXE files – that is, Portable Executable (PE) for 32-bit and 64-bit Windows, and New Executable (NE) for 16-bit Windows. As with EXEs, DLLs can contain code, data, and resources, in any combination.
https://en.wikipedia.org/wiki/Dynamic-link_library
Re:What's a DLL? (Score:5, Insightful)
- Why are you here?
- Why the semicolon?
Re: (Score:2)
"DLLs" are a proprietary technology from a single vendor.
Yes a proprietary technology from the largest vendor of IT software in the world.
A proprietary technology which has been around for 20 years.
A proprietary technology that every programmer bashes their head against at some point in their career.
A proprietary technology that is taught about at universities.
A proprietary technology which every computer user in the past 20 years has received at least one error message about.
did I forget anything?
Oh yeah of course. A proprietary technology that was deemed a laug
Re: (Score:2)
Do you even have a geek card to turn in? You've never heard of "DLL Hell"? Will wonders never cease...
Re: (Score:2)
Some people using the site now were probably not even born when "DLL hell" was still something that was actually a problem, rather than just a term that Slashdotters parroted.
Re: (Score:2)
Some people using the site now were probably not even born when "DLL hell" was still something that was actually a problem, rather than just a term that Slashdotters parroted.
That would mean people who haven't been born yet. Revo uninstaller to the rescue
Re:What's a DLL? (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Do you even have a geek card to turn in?
Teun's geek card has a 5 digit uid, licensed for advanced deadpan sardonic commenting.
Yours is 4 digit? Damn, you might have to retake your sarcasm detection certification.
Re: (Score:2)
You have to know enough about Windows to realise that it should be avoided. In my case, this happened in early 2005.
Re: (Score:1)
It's like cheese. If you want a sandwich, you use already made cheese and don't need to milk a cow, then process the milk to turn it into cheese. To me, 99.99% of anything is cheesy, unless it's developed by me. That explains the good cheese in the market from my perspective.
Is JDBC a fix for this problem? (Score:1)
I have asked my Hyderabad team to investigate this problem and they have reported back to me that JDBC is a fix for it.
Can anyone confirm if JDBC is a fix for this DLL problem?
How would a Java database connectivity layer fix this if it's a problem with a C++ program interacting with a C++ DLL?
Re: (Score:2)
You should immediately discontinue using this team...
Token car analogy:
Q: "There is a problem with the ignition system in my car. Please investigate!"
A: "Tires will fix your problem! Get Tires!"
Re:What's a DLL? (Score:4, Informative)
Dynamic Link Library or Shared Object. In the early days of UNIX, it was found that a huge amount of space was being used by GUI applications and command line programs statically linked to common libraries like standard IO, sockets, X-windows, GUIs, maths and crypto libraries. Huge amounts of disk space were being used to store duplicate copies of compiled code. So they figured that it would be more cost effective to dynamically link at run-time instead of at compile-time, with the bonus that they could be compiled into relocatable code only loaded into the system when needed.
If you run "ldd" on a program, you will see all the libraries needed for that program.
By separating the library files from the applications, any bugs or problems could be fixed through a simple upgrade. The downside is that someone can rootkit a system by replacing a DLL used by applications that need system access.
Re: (Score:2)
You may incinerate your geek card. We don't even want it back.
Re: (Score:1)
The obvious question is; what's a DLL?
....and these, ladies and gentlemen, are the coders we now have on /.
Re:What's a DLL? (Score:4, Funny)
It's a shared object for a toy computer.
Are you suggesting that Windows makes a toy computer? Wouldn't a toy GUI consist mostly of big colored squares, dumbed down applications, and a supervisor monitoring your usage patterns?
Re: (Score:1, Troll)
Are you suggesting that Windows makes a toy computer? Wouldn't a toy GUI consist mostly of big colored squares, dumbed down applications, and a supervisor monitoring your usage patterns?
And I present .... METRO
Re: (Score:2)
Re: (Score:2)
And I present...WOOSH!
DLL Hijacking (Score:5, Informative)
There's an informative (and non-PDF) post on Fortinet's blog [fortinet.com] discussing DLL hijacking. You can use a registry tweak to harden a system against this technique.
Update from TFA (Score:1)
"UPDATE: Mr. Kanthak has told Softpedia that "most of the companies/vendors I contacted patched their products." Rapid7 went so far as to withdraw their ScanNow product altogether.
"Some of the companies/vendors which did not reply to my reports in the first place contacted me after they became aware of the [public disclosure] posts and fixed their installers, or are working on a fix now," Mr. Kanthak also added.
Additionally, there are also some other software products for which Mr. Kanthak has not yet posted a
Other side of the airtight hatchway (Score:1)
If you have the ability to write a malicious DLL into a folder for the executable, you already have the ability to run administrator level code. Why bother with the DLL?
cf: Raymond Chen
Re: (Score:3)
I don't know how code signing verification policy works on Windows, but on OS X, Gatekeeper checks only an app's main executable for a signature against an Apple-issued code signing certificate, not other executables in the same folder that it loads.
Re:Other side of the airtight hatchway (Score:4, Insightful)
In this case it would be up to the installer to verify that it is loading a valid library. The problem is if somehow a certain named and versioned dll can be downloaded to the same folder you execute the installer from it can execute arbitrary code when the installer initializes it using the elevated privileges you granted the installer.
So in order to implement this side-loading you would first need to take advantage of another vulnerability to get that library in the right place.
In order to protect against this they could simply not include the execution folder in the search path and validate the library in a manner other than just the name and version which can be faked.
If someone were to try and exploit this, chances are they would attempt to run their code in the background while leaving the rest of the library untouched, so the installer would complete without tipping off the user. This means something as simple as a file size could validate there wasn't a bunch of extra code present, although there are better methods for validating a library.
Re: (Score:1)
With Apple? A known good product (XCode) was replaced with a "changed" version. That changed version did "bad things".
Now that you're following along... Put up versions of all the afflicted applications... with 'adjusted' DLLs. What's that? You need my permission to install that program that I just downloaded? Of course you do *clicks accept permission eleva
Re:Other side of the airtight hatchway (Score:5, Informative)
Actually, you only have to insert it into the current working directory. For example: Get a dll file downloaded into Downloads, then wait for the user to run Setup.exe and have UAC hand it admin privileges. Now your non-privileged process has put a DLL file in the Downloads directory *with* Setup.exe, which loaded Downloads\CommDlg32.dll and was granted Administrator access. Now you have admin access.
Microsoft Word used to do this if you had a DLL file with the same name as a System32 DLL in the same path as a Word document.
Re: (Score:3)
MSDN is saying, by default, "Safe DLL" loading is used, in which the current directory is only used if loading the DLL from most other locations failed. So this would not be viable any more. It sounds like this problem was identified and fixed long ago. Any attempt to exploit this now would require gaining greater access first, and once you're there there's no point to using DLL hijacking any more.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx [microsoft.com]
Re:Other side of the airtight hatchway (Score:5, Informative)
If you have the ability to write a malicious DLL into a folder for the executable, you already have the ability to run administrator level code. Why bother with the DLL?
cf: Raymond Chen
Exactly. Raymond covered this a few times in the past.
Using delayload to detect functionality is a security vulnerability [microsoft.com]
It rather involved being on the other side of this airtight hatchway: Disabling Safe DLL searching [microsoft.com]
If Safe DLL Search Mode is enabled, then the Current Directory isn't searched until after all the system directories are searched. Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2). [microsoft.com]
This sounds like a complete non-story.
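The two posts above disagree about whether Safe DLL Search Mode closes this hole. The model below, an added illustration rather than code from the article, from Kanthak's tests or from Microsoft, follows the search order in the MSDN page linked above: the application directory comes first in both modes, Safe mode only moves the current directory behind the system directories. The directory layout, file names and the `netssl.dll` name are constructed; `system32_only` stands in for the `LOAD_LIBRARY_SEARCH_SYSTEM32` / `SetDefaultDllDirectories` hardening from the MSDN guidelines.

```python
"""Model of the Win32 DLL search order for a plain LoadLibrary("name.dll").

Shows why an installer launched from Downloads still picks up a planted
DLL beside it even with Safe DLL Search Mode on, and what restricting the
search to System32 changes. No real filesystem is touched; the layout is
constructed. KnownDLLs (always taken from System32) are not modelled.
"""
import ntpath

# Constructed layout: Setup.exe and a planted netssl.dll sit in Downloads,
# and a legitimate netssl.dll (assumed system library) sits in System32.
DOWNLOADS = r"C:\Users\alice\Downloads"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [SYSTEM32, r"C:\Tools"]
PRESENT = {p.lower() for p in [
    ntpath.join(SYSTEM32, "netssl.dll"),
    ntpath.join(DOWNLOADS, "netssl.dll"),
    ntpath.join(DOWNLOADS, "Setup.exe"),
]}


def search_order(app_dir, cwd, safe_mode=True):
    """Directories Windows tries, in order, for a DLL given by bare name.

    Safe DLL Search Mode (default since XP SP2) moves the current directory
    from second place to after the system directories. The directory of
    the executable is searched first either way."""
    if safe_mode:
        order = [app_dir, *SYSTEM_DIRS, cwd, *PATH_DIRS]
    else:
        order = [app_dir, cwd, *SYSTEM_DIRS, *PATH_DIRS]
    seen, unique = set(), []
    for d in order:                      # de-duplicate, keep first position
        if d.lower() not in seen:
            seen.add(d.lower())
            unique.append(d)
    return unique


def resolve(name, present, app_dir=DOWNLOADS, cwd=DOWNLOADS,
            safe_mode=True, system32_only=False):
    """Full path the loader would pick for `name`, or None if absent.

    `present` is the lower-cased set of files that exist. `system32_only`
    models LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32), which skips
    the application and current directories entirely."""
    dirs = [SYSTEM32] if system32_only else search_order(app_dir, cwd, safe_mode)
    for d in dirs:
        candidate = ntpath.join(d, name)
        if candidate.lower() in present:
            return candidate
    return None


def dlls_beside(exe_path, present):
    """Defender check: DLLs sitting in the same directory as an installer.

    Any hit here is a candidate for the side-loading the thread describes
    and worth comparing against the copy in System32 before running."""
    folder = ntpath.dirname(exe_path).lower()
    return sorted(p for p in present
                  if ntpath.dirname(p) == folder and p.endswith(".dll"))


if __name__ == "__main__":
    setup = ntpath.join(DOWNLOADS, "Setup.exe")
    print("safe mode, exe in Downloads :", resolve("netssl.dll", PRESENT))
    print("system32-only load          :", resolve("netssl.dll", PRESENT, system32_only=True))
    print("DLLs beside the installer   :", dlls_beside(setup, PRESENT))
```

Running it shows the Downloads copy winning whenever the installer itself lives in Downloads; Safe mode only helps when the executable is installed elsewhere and Downloads is merely the current directory.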
Re: (Score:1)
Why is this a flaw in the app, and not the OS? (Score:4, Interesting)
I'm aware of the Windows DLL load behavior, and how it creates "DLL Hell." I never thought of the security implications, because I assumed that Windows behaved more ... sanely.
The root of the problem is that the affected applications are installers, which need to be run with elevated rights. On Linux systems, for example, when an application is run with escalated rights (through SUID or sudo), the dynamic library loader uses only the system library paths and ignores user specified paths (such as the LD_LIBRARY_PATH environment variable).
Why the HELL doesn't Windows do the same for apps run as administrator?
Re:Why is this a flaw in the app, and not the OS? (Score:5, Informative)
MSDN documents guidelines for preventing malicious DLL loading [microsoft.com]. Windows has already cut off "current directory" forms of attacks by changing the DLL load order (called "Safe DLL Search Mode" in that document), and with Vista locking down Program Files for admin-only access, "application directory" attacks are also out unless apps intentionally install themselves elsewhere (then they're on their own). As for installers, users have to get tricked into downloading the DLL first, and at least Chrome gives you a big warning that the file is suspicious due to its extension. And if you can get the user to do that, you might as well just give them an EXE and skip the warning. It's easier to put together a malicious EXE too.
Re:Why is this a flaw in the app, and not the OS? (Score:5, Funny)
...because I assumed that Windows behaved more ... sanely.
After all these years, why the hell would you think that?
Re: (Score:2)
That's not app-specific behavior. That's how the Windows library loader works.
Re:Why is this a flaw in the app, and not the OS? (Score:4, Interesting)
Any directory in the DLL search path for a normal application installed in a normal location is only writable by an (elevated) administrator user. If you can drop a random DLL file into such a folder you've already got administrator rights on the machine, so why make things any more complicated?
You've obviously never heard of ClickOnce then. ClickOnce deployment technology, available since .NET Framework 2.0, allows a signed application and its related DLLs to be downloaded into a folder within the user's own AppData folder structure and executed from there. It doesn't require Administrator rights to do this because it's within the user's own AppData folder structure. Just because an application is signed doesn't make it trustworthy.
Re: (Score:2)
I think the complaint is that the LD_LIBRARY_PATH equivalent is doing questionable things given the conventions of the target platform.
It's hard to say as there's zero details in the article and I don't have time to research what I don't really care about that much.
How to link statically with LGPL program (Score:2)
An LGPL program can be linked statically to a proprietary program so long as the proprietary program's publisher makes available to its licensees a set of working .o files that can be linked to a new version of the LGPL program.
Re: (Score:3)
It isn't a problem, and the installer need take no special measures. The system's loader restricts the search path for dynamic libraries when it's running with elevated privileges so you don't accidentally run an infected library in some random location (for example, the download directory).
There are also techniques available to load libraries from a specific path after the program starts rather than at load time. You can use that to choose a specific full path to the exact library you want to load and it s
There are literally dozens of them... (Score:3, Funny)
DOZENS!
static linking on windows (Score:1)
Can static linking on windows be done? I mean, Firefox, who cares? But products like truecrypt should be statically compiled, and require no resources from their operating system.
Re: (Score:2)
Re: (Score:3)
It does leave you permanently vulnerable to any flaws in the particular version of the library you linked against, or such is my understanding. At least with dynamic linking you can blame the user for not keeping up to date!
I still static link though because whenever I upload something (using a video filtering plugin) at least one person won't have the right runtime installed at all.
Re: (Score:3)
It does leave you permanently vulnerable to any flaws in the particular version of the library you linked against, or such is my understanding.
The assumption being that anyone (for most definitions of anyone) knows what DLLs their application loads and what the status of their patch levels are.
I still static link though because whenever I upload something (using a video filtering plugin) at least one person won't have the right runtime installed at all.
Which IMHO is the main mitigating factor -- what's the
Re: (Score:3)
Learning Coding? (Score:2)
Start learning security issues early on!
Sounds to me after all of Slashdot's articles that many software teams don't have a coding security expert or security team or we wouldn't have all these flaws.
Brain replacement vulnerability (Score:2)
More than tens of software products are vulnerable to key loggers installed in keyboard cables. More than tens of software products are vulnerable to compromise when executed from compromised systems.
Come on people, fix your vulnerable software or we will publicly slut shame you for your indifference.
Barn door, and all that... (Score:2)
Am I alone in thinking that if malicious code has admin level write access to system disks then you're already fubar?
The horse is gone! Shut the barn door!
Whatever is downloaded ends up being run as admin (Score:3)
I'm going to simplify this a bit, but consider you download two things. First, songlist.zip. You extract songlist.zip, which is data. You don't execute anything in that download. You just extract it to your downloads folder and use notepad to open the resulting songlist.txt. You don't notice that it also included a file called netssl.dll, which sits in your downloads folder.
Later, you download mcafee_setup.exe. You run mcafee_setup.exe, which needs to run as admin. mcafee_setup.exe makes use of netssl.dll. I
Re: (Score:2)
So as a user you downloaded a suspect binary but it's the OS that's at fault?
It's certainly true that Windows sucks for this kind of issue, and always has, but there's only so much you can do to protect idiot users from themselves.
Yes, downloading fdisk shouldn't run it (Score:2)
> So as a user you downloaded a suspect binary but it's the OS that's at fault?
Yes, it's a security flaw in the OS. I should be able to download fdisk.exe (as an unprivileged user) without the OS running fdisk.exe /wipe c: (as admin). Downloading as a user shouldn't mean executing as admin.
NO - Please do not post Click Bait headlines (Score:2)
This is slashdot. Unless you are being sarcastic about a click-baity site that we need to laugh at, "Simple Bug" is not a valid replacement for "DLL Hijacking" or, more descriptively, "DLL Side Loading" or "DLL replacement."
You want to know what will make Slashdot better? Good headlines is a fantastic start. :-)
Use of language (Score:1)
Still depends on user trusting installer (Score:3)
installations requiring admin (Score:2)
The problem is the practice of requiring admin privileges to install most software. Software should not require admin install unless they really need it. Common frameworks (which are a big user of DLLs) do exacerbate the problem since they often want to be installed in a root location so all the applications can share it.
A solution is to forbid third parties from bundling installers for common framework runtime binaries. If the framework is needed, then either install the binaries in the application directo
New Vulnerability! (Score:1)
Guys! I discovered a new vulnerability in Windows:
If you replace an executable with a different executable and then execute it, you actually execute the new executable and not the executable you replaced. Where should I submit my paper for publication?
I mean, this is a little unfair (Score:2)
I like shitting on Windows apps as much as the next guy, but if you can replace a library on the drive, aren't you just going to like... win? Maybe there's more protection on real systems, but it's a binary that gets run with the permissions and privileges of whatever is running it. Can someone explain to me how this is a larger concern, and what was done to patch the security of this?
It stands to reason that if you can overwrite a dll, you can overwrite a lot of stuff, same as with an .so or something.
Follow the money! (Score:1)
That's a lot of name-dropping. Wonder if said researcher asked for a bit of hush money and if you paid up you were taken off the list? Smear campaigns for cash are hardly new.
Re: (Score:2)