Executive Summary
| Summary | |
|---|---|
| Title | Microsoft Windows based applications may insecurely load dynamic libraries |

| Information | | | |
|---|---|---|---|
| Name | VU#707943 | First vendor publication | 2010-08-25 |
| Vendor | VU-CERT | Last vendor modification | 2010-09-23 |
| Severity (vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
| CVSS vector: N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
| CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | | |
|---|---|---|---|
| CVSS Base Score | 9.3 | Attack Range | Network |
| CVSS Impact Score | 10 | Attack Complexity | Medium |
| CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#707943
Microsoft Windows based applications may insecurely load dynamic libraries

Overview
Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result, these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location.

I. Description
Dynamically Linked Libraries (DLLs) are executable software components that are incorporated into a program at run time rather than when the program is compiled and linked. Functions included in these libraries can be loaded in different ways by an application. In the case of run-time dynamic linking, a module uses the LoadLibrary() or LoadLibraryEx() functions to load the DLL at run time. If the application does not specify the location of the DLL to be loaded (for example, by giving a fully qualified path name), Microsoft Windows defines an order in which directories are searched for the named DLL. By default, this search order contains the current directory of the process.

If an attacker can cause an affected application to call LoadLibrary() while the application's current directory is set to one controlled by the attacker, that application may run the attacker's code from a specially named DLL also supplied in that directory. This can occur when the affected application opens a normal file typically associated with it from the attacker-controlled directory. The specific name of the DLL that an attacker would need to choose varies depending on the affected application.
The vulnerability described generically above can manifest in a variety of software products. Please see the Vendor Information section of this document for information about specific applications that may be affected by this issue.
Developers of applications for the Windows platform should ensure that their applications call SetDllDirectory() with a blank path before calling LoadLibrary(), so that the current directory is removed from the search order and the DLL is not loaded from it. More information about how to load libraries securely can be found in the following Microsoft articles: Dynamic-Link Library Security and Another Technique for Fixing DLL Preloading Attacks.
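The search order described above and the effect of the SetDllDirectory("") guidance, as an added example that is not code from the CERT note or from Microsoft: a small C model in which the directory names, the \\share\docs path and helper.dll are constructed placeholders, and which assumes SafeDllSearchMode is enabled (the current directory is then searched after the Windows directories but before PATH).

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not code from the CERT note or Microsoft: a model of the
 * run-time DLL search order the note describes. All directory and file names
 * are constructed placeholders. */
#define NDIRS 6
#define CWD_SLOT "<cwd>"
/* LoadLibrary("name.dll") search order with SafeDllSearchMode enabled: the
 * current directory is still searched, after the Windows directories. */
static const char *const SEARCH_ORDER[NDIRS] = {
    "C:\\Program Files\\App", /* application directory */
    "C:\\Windows\\System32",  /* system directory */
    "C:\\Windows\\System",    /* 16-bit system directory */
    "C:\\Windows",            /* Windows directory */
    CWD_SLOT,                 /* current directory of the process */
    "C:\\Tools",              /* a directory from PATH */
};

/* Constructed filesystem: \\share\docs is the untrusted directory the user
 * opened a document from; helper.dll is a name the app probes for but never ships. */
struct entry { const char *dir; const char *dll; };
static const struct entry FILES[] = {
    { "C:\\Windows\\System32", "kernel32.dll" },
    { "\\\\share\\docs", "kernel32.dll" },
    { "\\\\share\\docs", "helper.dll" },
};

static bool exists(const char *dir, const char *dll) {
    for (size_t i = 0; i < sizeof FILES / sizeof FILES[0]; i++)
        if (strcmp(FILES[i].dir, dir) == 0 && strcmp(FILES[i].dll, dll) == 0)
            return true;
    return false;
}

/* Models SetDllDirectory(): any non-NULL path, "" included, removes the
 * current directory from the search order; NULL restores the default. */
static bool cwd_in_search = true;
static void model_SetDllDirectory(const char *path) { cwd_in_search = (path == NULL); }

/* Models LoadLibrary(dll) with the process's current directory set to cwd.
 * Returns the directory the DLL is loaded from, or NULL if it is not found. */
static const char *model_LoadLibrary(const char *dll, const char *cwd) {
    for (int i = 0; i < NDIRS; i++) {
        const char *dir = SEARCH_ORDER[i];
        if (strcmp(dir, CWD_SLOT) == 0) { if (!cwd_in_search) continue; dir = cwd; }
        if (exists(dir, dll)) return dir;
    }
    return NULL;
}
```

A DLL that a trusted directory earlier in the order supplies (kernel32.dll here) is unaffected; the exposure is a name the application asks for that no trusted directory provides, which is why the DLL name involved varies per application, as the note says.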
According to Microsoft Security Advisory 2269637: Note: this workaround requires installation of the tool described in Microsoft Knowledge Base Article 2264107. Microsoft has released a tool which allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis. Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.

Vendor Information

References
http://www.cert.org/blogs/vuls/2008/09/carpet_bombing_and_directory_p.html

Instances and variations of this vulnerability were independently discovered by a number of researchers, including Georgi Guninski; Simon Raner, Jure Skofic and Mitja Kolsek of ACROS Security; Taeho Kwon and Zhendong Su; H.D. Moore. Some vendor information comes from Secunia. This document was written by Chad R Dougherty.
Original Source
URL: http://www.kb.cert.org/vuls/id/707943
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:7217 | | | |
|---|---|---|---|
| Oval ID: | oval:org.mitre.oval:def:7217 | | |
| Title: | Apple iTunes DLL Loading Arbitrary Code Execution Vulnerability | | |
| Description: | Untrusted search path vulnerability in Apple iTunes before 9.1, when running on Windows 7, Vista, and XP, allows local users and possibly remote attackers to gain privileges via a Trojan horse DLL in the current working directory. | | |
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-1795 | Version: | 13 |
| Platform(s): | Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7 | Product(s): | Apple iTunes |
| Definition Synopsis: | | | |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 67329 | Apple iTunes for Windows Path Subversion Arbitrary DLL Injection Code Execution. Apple iTunes is prone to a flaw in the way it loads dynamic-link libraries (DLLs). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or may be under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or the user executing the program. This can be done from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or in an extracted archive downloaded from a remote source. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-03-31 | Name: The remote host contains an application that is affected by multiple vulnerab... File: itunes_9_1.nasl - Type: ACT_GATHER_INFO |
| 2010-03-31 | Name: The remote host contains a multimedia application that has multiple vulnerabi... File: itunes_9_1_banner.nasl - Type: ACT_GATHER_INFO |
Alert History
| Date | Information |
|---|---|
| 2016-04-27 00:51:00 | |
| 2013-05-11 00:57:18 | |