Microsoft Internet Explorer 11 DLL Hijacking

`Abstract  
--------  
Microsoft Internet Explorer 11 MSHTML.DLL Remote Binary Planting  
Vulnerability  
Affected Version: MSHTML.DLL 11.0.9600.18231 and probably below on  
Windows 7 SP1  
Vendor Homepage: http://www.microsoft.com  
Severity: high  
Status: fixed  
CVE-ID: CVE-2016-0160  
  
Description  
-----------  
Microsoft Internet Explorer 11 ships with MSHTML.DLL referencing various  
DLLs which are not present on a Windows 7 SP1 installation, Windows 10  
is not affected, other Windows versions have not been tested.  
  
According to [1] "MSHTML.DLL is at the heart of Internet Explorer and  
takes care of its HTML and Cascading Style Sheets (CSS) parsing and  
rendering functionality."  
  
Every application using MSHTML.DLL directly or another DLL which  
incorporates MSHTML.DLL (like SHELL32.dll) is prone to binary  
planting[2] (including services running as SYSTEM). So this issue is not  
restricted to Microsoft applications.  
  
In addition certain applications like Microsoft  
Word/Excel/Powerpoint/Project/powershell/... as well as a certain number  
of third party software are prone to remote binary planting due to using  
MSHTML.DLL in some ways.  
  
Technical Details  
-----------------  
MSHTML.DLL on Windows 7 SP1 has missing dependencies for the following DLLs:  
  
API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL  
API-MS-WIN-CORE-WINRT-ERROR-L1-1-0.DLL  
API-MS-WIN-CORE-WINRT-L1-1-0.DLL  
API-MS-WIN-CORE-WINRT-ROBUFFER-L1-1-0.DLL  
API-MS-WIN-CORE-WINRT-STRING-L1-1-0.DLL  
API-MS-WIN-SHCORE-SCALING-L1-1-1.DLL  
DCOMP.DLL  
IESHIMS.DLL  
  
Since all mentioned DLLs are available on a Windows 10 installation my  
assumption is that this might be due to developing for Windows 10 and  
backporting to Windows 7.  
  
Whenever an application is using MSHTML.DLL either directly or via  
indirect dependencies from SHELL32.DLL for instance it tries to find  
API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL using the DLL search order (see [3]).  
  
If a user and/or a remote attacker is able to control one directory in  
the system's DLL search path he can escalate privileges from user to  
SYSTEM in case of a vulnerable service running as SYSTEM.  
  
If a user is tricked to open e.g. a word document from a Windows or even  
WebDAV  
share holding additionally a malicious DLL named  
API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL it is loaded and executed in the  
user's context.  
  
Proof-of-Concept Remote Binary Planting  
---------------------------------------  
1. Add a Word document to a share (e.g. hello.docx) accessible from a  
vulnerableWindows installation.  
2. Add a "malicious" DLL to the same directory and name it  
api-ms-win-appmodel-runtime-l1-1-0.dll  
3. Mount the remote Windows share on a Windows 7 PC  
4. Double-Click hello.docx (with Microsoft Word or Word Viewer)  
The "malicious" DLL is loaded and executed in addition to Word  
  
Solution  
--------  
Microsoft published the following security advisory MS16-037 [4]  
  
Additional Note: The issue is completely fixed only if also MS16-041  
is installed [5]!  
  
Advisory Timeline  
-----------------  
30. Dec 2015 - Informed Microsoft Security Response Center  
31. Dec 2015 - MSRC confirmed receipt  
13. Feb 2016 - Requested status update  
17. Feb 2016 - MSRC confirmed issue  
12. Apr 2016 - MS16-037 published  
15. Apr 2016 - Public Disclosure  
  
Author  
------  
Sandro Poppi <[email protected]>  
  
References  
----------  
[1] https://msdn.microsoft.com/en-us/library/aa741312%28v=vs.85%29.aspx  
[2]  
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx  
[3]  
https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx  
[4] https://technet.microsoft.com/en-us/library/security/ms16-037  
[5] https://technet.microsoft.com/en-us/library/security/ms16-041  
`