Executive Summary

Summary
Title: Microsoft Windows based applications may insecurely load dynamic libraries
Information
Name: VU#707943    First vendor Publication: 2010-08-25
Vendor: VU-CERT    Last vendor Modification: 2010-09-23
Severity (Vendor): N/A    Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: N/A
Base Score: N/A    Environmental Score: N/A
Impact Sub Score: N/A    Temporal Score: N/A
Exploitability Sub Score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Base Score: 9.3    Attack Range: Network
CVSS Impact Score: 10    Attack Complexity: Medium
CVSS Exploit Score: 8.6    Authentication: None Required

Detail

Vulnerability Note VU#707943

Microsoft Windows based applications may insecurely load dynamic libraries

Overview

Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result, these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location.

I. Description

Dynamic-link libraries (DLLs) are executable software components that are incorporated into a program at run time rather than when the program is compiled and linked. An application can load the functions in these libraries in several ways. In run-time dynamic linking, a module calls LoadLibrary() or LoadLibraryEx() to load the DLL while the program is running. If the application does not specify the location of the DLL (for example, by passing a fully qualified path name), Microsoft Windows defines an order in which directories are searched for the named DLL. By default, this search order includes the current directory of the process.

If an attacker can cause an affected application to call LoadLibrary() while the application's current directory is set to one controlled by the attacker, that application may run the attacker's code from a specially named DLL also supplied in that directory. This can occur when the affected application opens a normal file typically associated with it from the attacker-controlled directory. The specific name of the DLL that an attacker would need to choose varies depending on the affected application.

II. Impact

A remote, unauthenticated attacker with the ability to supply a malicious DLL may be able to execute arbitrary code on a vulnerable system. In the most likely exploit scenario, an attacker could host this malicious DLL on a USB drive or network share. The attacker-supplied code would be run with the privileges of the user of the affected application.

For some affected applications, an attacker who already has access to a local folder on the system could use this vulnerability in a local application running with elevated privileges to escalate their own privileges on the system.

III. Solution

Apply a patch from the vendor

The vulnerability described generically above can manifest in a variety of software products. Please see the Vendor Information section of this document for information about specific applications that may be affected by this issue.

For Developers:

    Ensure that applications do not load libraries from insecure locations

    Developers of applications for the Windows platform should ensure that their applications call SetDllDirectory() with a blank path before calling LoadLibrary() to ensure that the DLL is not loaded from the current directory. More information about how to load libraries securely can be found in the following Microsoft articles: Dynamic-Link Library Security and Another technique for Fixing DLL Preloading attacks.

For Administrators:

    Disable loading of libraries from the current working directory

    According to Microsoft Security Advisory 2269637:

    Note This workaround requires installation of the tool described in Microsoft Knowledge Base Article 2264107.

    Microsoft has released a tool which allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.

    Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.

    After the update listed in KB article 2264107 has been installed, the following registry value can be used to remove the current working directory from the default DLL search order:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "CWDIllegalInDllSearch"=dword:ffffffff

    Note that making this change may cause some applications to not behave properly.

    Disable the WebClient service

    According to Microsoft Security Advisory 2269637:

    Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

    To disable the WebClient Service, follow these steps:
    1. Click Start, click Run, type Services.msc and then click OK.
    2. Right-click WebClient service and select Properties.
    3. Change the Startup type to Disabled. If the service is running, click Stop.
    4. Click OK and exit the management application.

    While this workaround does not remove the vulnerability, it does block an attack vector for this vulnerability.

    Block outgoing SMB traffic

    Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this vulnerability.
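The two Advisory 2269637 workarounds above (the CWDIllegalInDllSearch registry value and the WebClient service) can be audited and applied from an elevated PowerShell session. This is an added example written for this page, not a script from CERT or Microsoft; it assumes the KB 2264107 update is installed, since the registry value does nothing without it, and the value meanings in the comments are the ones KB 2264107 documents.

```powershell
# Added example (not from the CERT note or Microsoft): audit, and with -Apply set,
# apply the Advisory 2269637 workarounds on the local host. Assumes the KB 2264107
# update is installed and that the shell is elevated when -Apply is used.
param([switch]$Apply)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchPolicy {
    # REG_DWORD values read back as signed Int32, so dword:ffffffff appears as -1;
    # reinterpret the bits as UInt32 so the value compares cleanly below.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$item.$name), 0)
}

function Get-CwdDllSearchPolicyDescription($value) {
    # Meanings as documented for the KB 2264107 tool.
    if ($null -eq $value) { return 'not set: current directory stays in the default DLL search order' }
    switch ($value) {
        0          { '0: default search order, current directory included' }
        1          { '1: DLL loads from the current directory blocked when it is a WebDAV folder' }
        2          { '2: DLL loads from the current directory blocked when it is a WebDAV or UNC folder' }
        4294967295 { '0xffffffff: current directory removed from the DLL search order' }
        default    { "unrecognised value $value" }
    }
}

function Get-WebClientState {
    # StartMode (Auto/Manual/Disabled) and State come from the CIM service class.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return 'WebClient service not present' }
    return "WebClient: StartMode=$($svc.StartMode) State=$($svc.State)"
}

if ($Apply) {
    # Same effect as the .reg fragment above: -1 is how a DWORD of 0xffffffff is written here.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value -1 -Force | Out-Null
    # Steps 1 to 4 above, scripted: disable the WebDAV client and stop it if it is running.
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
}

"CWDIllegalInDllSearch: $(Get-CwdDllSearchPolicyDescription (Get-CwdDllSearchPolicy))"
Get-WebClientState
```

Run it without -Apply first to record the current state; as the advisory notes, the 0xffffffff setting can break applications that rely on loading DLLs from the current directory, so test it per application before rolling it out.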

Vendor Information

Vendor | Status | Date Notified | Date Updated
Abvent | Affected | | 2010-09-01
Adobe | Affected | | 2010-09-02
Apple Inc. | Affected | | 2010-08-30
Atomix Productions | Affected | | 2010-09-01
Autodesk, Inc | Affected | | 2010-09-02
Avast! Antivirus Software | Affected | | 2010-08-26
Bentley Systems | Affected | | 2010-09-02
Bitmanagement Software | Affected | | 2010-09-01
BitTorrent | Affected | | 2010-08-26
Cisco Systems, Inc. | Affected | | 2010-08-26
Corel Corporation | Affected | | 2010-08-30
CyberLink Corporation | Affected | 2010-08-30 | 2010-08-30
DAEMON Tools | Affected | | 2010-08-30
DivX, Inc. | Affected | | 2010-08-30
EZB Systems | Affected | | 2010-09-01
Fengtao Software | Affected | | 2010-09-01
GFI Software, Inc. | Affected | | 2010-09-01
Gilles Vollant Software | Affected | | 2010-09-01
GRAPHISOFT | Affected | | 2010-09-01
HTTrack | Affected | | 2010-09-01
IBM Corporation | Affected | | 2010-09-01
Inkscape | Affected | | 2010-09-01
IZArc | Affected | | 2010-08-26
Maxthon | Affected | | 2010-09-01
Microchip Technology | Affected | | 2010-09-01
Microsoft Corporation | Affected | | 2010-09-02
Mozilla | Affected | | 2010-09-02
NetStumbler | Affected | | 2010-09-01
Nokia | Affected | | 2010-09-01
Nullsoft | Affected | | 2010-08-26
Opera | Affected | | 2010-08-26
PGP Corporation | Affected | | 2010-09-02
Pixia | Affected | | 2010-09-02
PKWARE | Affected | | 2010-08-26
RealNetworks, Inc. | Affected | | 2010-08-26
SiSoftware | Affected | | 2010-09-01
Smart Projects | Affected | | 2010-09-01
Sonic Solutions | Affected | | 2010-08-26
Sony Corporation | Affected | | 2010-09-01
SweetScape Software | Affected | | 2010-08-26
TeamViewer | Affected | | 2010-08-26
TechSmith Corporation | Affected | | 2010-08-26
TortoiseSVN | Affected | | 2010-09-01
Tracker Software | Affected | | 2010-09-02
VideoLAN | Affected | | 2010-08-26
VMware | Affected | | 2010-08-24
WinMerge | Affected | | 2010-09-01
Wireshark | Affected | | 2010-09-02
Wolters Kluwer | Affected | | 2010-09-02

References

http://www.cert.org/blogs/vuls/2008/09/carpet_bombing_and_directory_p.html
http://blog.mandiant.com/archives/1207
http://msdn.microsoft.com/en-us/library/Aa297182
http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html
http://msdn.microsoft.com/en-us/library/ms684175%28VS.85%29.aspx
http://www.acrossecurity.com/aspr/ASPR-2010-04-12-1-PUB.txt
http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt
http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt
http://www.securityfocus.com/bid/1699/discuss
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.rapid7.com/?p=5325
http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
https://www.microsoft.com/technet/security/advisory/2269637.mspx
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://blogs.msdn.com/b/david_leblanc/archive/2010/08/23/another-technique-for-fixing-dll-preloading-attacks.aspx
http://support.microsoft.com/kb/2264107
http://www.guninski.com/officedll.html

Credit

Instances and variations of this vulnerability were independently discovered by a number of researchers, including Georgi Guninski; Simon Raner, Jure Skofic and Mitja Kolsek of ACROS Security; Taeho Kwon and Zhendong Su; H.D. Moore. Some vendor information comes from Secunia.

This document was written by Chad R Dougherty.

Other Information

Date Public: 98-03-18
Date First Published: 2010-08-25
Date Last Updated: 2010-09-23
CERT Advisory:
CVE-ID(s): CVE-2010-1795
NVD-ID(s): CVE-2010-1795
US-CERT Technical Alerts:
Metric: 64.12
Document Revision: 46

Original Source

URL: http://www.kb.cert.org/vuls/id/707943

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:7217
Title: Apple iTunes DLL Loading Arbitrary Code Execution Vulnerability
Description: Untrusted search path vulnerability in Apple iTunes before 9.1, when running on Windows 7, Vista, and XP, allows local users and possibly remote attackers to gain privileges via a Trojan horse DLL in the current working directory.
Family: windows Class: vulnerability
Reference(s): CVE-2010-1795
Version: 13
Platform(s): Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Vista, Microsoft Windows 7
Product(s): Apple iTunes
Definition Synopsis:

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 59

Open Source Vulnerability Database (OSVDB)

Id | Description
67329 | Apple iTunes for Windows Path Subversion Arbitrary DLL Injection Code Execution

Apple iTunes is prone to a flaw in the way it loads dynamic-link libraries (DLL). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done from the local file system or a USB drive in some cases. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source.

Nessus® Vulnerability Scanner

Date | Description
2010-03-31 | Name: The remote host contains an application that is affected by multiple vulnerab... | File: itunes_9_1.nasl | Type: ACT_GATHER_INFO
2010-03-31 | Name: The remote host contains a multimedia application that has multiple vulnerabi... | File: itunes_9_1_banner.nasl | Type: ACT_GATHER_INFO

Alert History

Date | Information
2016-04-27 00:51:00 | Multiple Updates
2013-05-11 00:57:18 | Multiple Updates