Executive Summary

Summary
Title Microsoft Windows Insecurely Loads Dynamic Libraries
Informations
Name TA10-238A First vendor Publication 2010-08-26
Vendor US-CERT Last vendor Modification 2010-08-26
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

Due to the way Microsoft Windows loads dynamically linked libraries
(DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.

I. Description

Microsoft Windows supports dynamically linked libraries (DLLs) that are loaded when needed by an application. DLLs are typically loaded when the application is first started; however DLLs may be loaded and unloaded while the application is running. An application can request a DLL file in a variety of ways, and Windows uses several different search algorithms to find DLL files. The interaction between the application and Windows can result in a DLL file being loaded from the current working directory of the application, instead of the Windows system directory or the directory where the application is installed.

The current working directory could be the desktop, a removable storage device such as a USB key, a Windows file share, or a WebDAV location. When a file associated with an application is opened, a DLL in the same directory as the file may be loaded. Although an attacker may not have permission to write to the Windows system or application directories, the attacker may be able to write a DLL to a directory used to store files, or the attacker could provide their own directory.

Attacks against this type of vulnerability have been referred to as
"binary planting." Please see Vulnerability Note VU#707943 and Microsoft Security Advisory 2269637 for more information.

II. Impact

By placing a DLL with the correct name (and possibly the relative directory path) in the current working directory, an attacker could execute arbitrary code with the privileges of the application that loads the DLL.

III. Solution

Individual applications that run on the Windows platform may require patches or updates. Microsoft Knowledge Base article KB2264107 describes an update that provides a registry key that can prevent Windows from searching the current working directory for DLL files.

Information about specific solutions for different vendors, general mitigation techniques, and secure ways for applications to load DLLs can be found in the Vendor Information and Solution sections of Vulnerability Note VU#707943.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA10-238A.html

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2013-02-06 19:08:25
  • Multiple Updates