Executables, Other Files Can Be Used in Attacks Similar to DLL-Hijacking

ID THREATPOST:8FE8B9F172682E0100DEF51645A5E7C7
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:36:06


There are a number of other file types that can be used in the same kind of attacks that have been used in the DLL-hijacking exploit in recent weeks. Experts say that executable files, Windows INI files and some other file types can be used in these same attacks.

The attack scenario would be similar to the way that the DLL-hijacking bug can be exploited, although researchers say that most of the scenarios for using EXE files in these attacks aren’t realistic for real-world attacks. Researchers at Acros Security said in a blog post that they had seen EXE files affected by the problem.

“In the last 20 days since the binary planting monster escaped to the
wilderness, eager bug-hunters were focused on unsafe loading of
libraries, and understandably so: free tools were made available, and
instructions were published on how to use monitoring software like
Sysinternals’ Process Monitor for detecting unsafe library loadings. As
it turned out, tools + instructions + 20 days = 117 remotely exploitable vulnerabilities (at the time of this writing). The list is growing and will likely surpass our own list of 396 DLL planting and 127 EXE planting vulnerabilities at some time,” they said in their analysis of the problem.

Acros’s analysis found that in some instances when a process searches for an executable during the launch process, it will look in the directory from which the application is laoded first, and then in the current working directory. If an attacker can plant a malicious executable in that directory, with the same name as a legitimate EXE file, the malicious EXE may get called first.

“Apparently the current working directory is in the second place, which
means that when an application tries to launch the Windows Calculator by
calling something like CreateProcess(NULL,”calc.exe”,…) a malicious calc.exe lurking in the current working directory will get launched instead. And
remotely, too, if the current working directory happens to point to a
remote network share in a local network or on Internet,” the analysis said.

However, one security researcher said that the vectors for using EXE files in this kind of attack are unlikely to be seen in the real world. HD Moore, CSO of Rapid7 and founder of the Metasploit Project, said that he’d seen some cases of other file types being vulnerable to this kind of attack, but didn’t think widespread exploitation was likely.

“Most of the EXE cases are contrived vectors, not realistic for exploits,” he said.

The DLL-hijacking problem first came to light more than 10 years ago, but it gained prominence late last month when Moore released details of the bug, which he’d come across while working on another vulnerability. The problems affects dozens of applications and can be exploited remotely. Previously, experts had thought that the bug could be exploited on local machines only.