Microsoft Expression Design wintab32.dll Library Loading

2012-04-25T00:00:00
ID SAINT:E9039933ADEE86534817788CECE53317
Type saint
Reporter SAINT Corporation
Modified 2012-04-25T00:00:00

Description

Added: 04/25/2012
CVE: CVE-2012-0016
BID: 52375
OSVDB: 80001

Background

Microsoft Expression Design is a commercial illustration, vector and raster graphic design tool for producing web images.

Problem

Microsoft Expression Design contains a flaw in the way it loads dynamic-link libraries (DLLs). The program resolves the **wintab32.dll** library through a fixed search path, and that path includes directories that may be untrusted or under the control of another user. If a custom version of **wintab32.dll** is placed in one of those directories, the program loads it before the legitimate version. This allows an attacker to inject custom code that runs with the privileges of the program, or of the user executing it, if a user can be tricked into opening a .design file from such a location: a USB drive, or in some cases the local file system. The attack can be leveraged remotely by placing the malicious **wintab32.dll** on a network share, or inside an archive that the user downloads from a remote source and extracts.
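The defender-side check that follows from this description is to look, on a file share or in an extracted archive, for a document the affected application would open sitting in the same directory as a DLL bearing the hijackable name. The script below is an added example written for this page; it is not SAINT's exploit code and not part of the Microsoft advisory. It walks a directory tree, reports every `.design` file that shares a directory with a DLL on a watchlist (here only `wintab32.dll`, taken from the advisory), and builds a constructed sample tree so it can run offline; the file names and contents in that tree are made up and no real DLL is written.

```python
import os
import tempfile
from pathlib import Path

# DLL names the advisory says the application resolves through an unsafe search
# path; matched case-insensitively because Windows file names are case-insensitive.
WATCHLIST = {"wintab32.dll"}

# Document extensions whose containing directory becomes a DLL search location
# when the user opens the file (the .design extension comes from the advisory).
DOCUMENT_EXTENSIONS = {".design"}


def find_planted_dlls(root, watchlist=WATCHLIST, doc_extensions=DOCUMENT_EXTENSIONS):
    """Walk `root` and report each directory that holds both an openable document
    and a DLL whose name is on the watchlist.

    Returns a sorted list of (document_path, dll_path) pairs.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Map lower-cased names back to the on-disk spelling for reporting.
        lowered = {name.lower(): name for name in filenames}
        dlls = [lowered[name] for name in lowered if name in watchlist]
        if not dlls:
            continue
        docs = [name for name in filenames
                if Path(name).suffix.lower() in doc_extensions]
        for doc in docs:
            for dll in dlls:
                findings.append((os.path.join(dirpath, doc), os.path.join(dirpath, dll)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory layout for the demonstration and return its
    root. Every name and file body here is invented for the example."""
    root = tempfile.mkdtemp(prefix="design_share_")
    layout = {
        "marketing/banner.design": b"constructed document",
        "marketing/WinTab32.dll": b"constructed placeholder, not a real DLL",
        "archive/old.design": b"constructed document",
        "archive/notes.txt": b"unrelated file",
        "tools/wintab32.dll": b"constructed placeholder with no document beside it",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for doc, dll in find_planted_dlls(sample_root):
        print(f"{doc} sits beside watchlisted DLL {dll}")
```

Only the `marketing` directory is reported: it contains both a `.design` document and a DLL matching the watchlist despite the mixed-case spelling. The `tools` directory holds a matching DLL but no document, so opening nothing there would trigger the load, and `archive` has a document but no DLL. Point the function at a mounted share or an extraction folder to run the same check on real content.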

Resolution

Apply the patch referenced in Microsoft Security Bulletin MS12-022.

References

<http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx>

Limitations

This exploit has been tested on Microsoft Expression Design 2 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

The smbclient executable must be available on the SAINT host, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

The target must be able to access the specified SMB share anonymously.

Platforms

Windows