Page 1 of 2 [ 17 posts ]
ChrisTX
Post subject: DLL preloading, the next pandemic attack vector? Posted: Wednesday, 25 Aug 2010, 17:06
Rank: A+ | Joined: Wednesday, 26 Dec 2007, 00:42 | Posts: 7317
I'm sure some of you who read tech blogs may have heard about it: DLL preloading. For those who don't, the short summary: the problem is that such vulnerabilities are easy to exploit (depending on the application, clicking a normal HTTP link to open a file on a WebDAV share is enough) and it's present in a lot of applications. So far at least 40 different applications have been identified as vulnerable, but a research group named 'Arcos' claims to have tested about 220 programs, of which 90% were vulnerable to this. The Register claims at least 200 vulnerable programs. Even high-profile programs, such as iTunes, PowerPoint 2010, Opera, Safari, Firefox, WinAmp and uTorrent, have been verified to be vulnerable.

The real issue here is that every single one of these applications has to be updated. While fixing the thing is not particularly hard (a simple C/C++ call to SetDllDirectory(""); does the job), it will take time until all vendors have responded. Security researchers as well as Microsoft seem very concerned about this new type of vulnerability. Microsoft even released a security advisory on this issue, even though it's not their fault. To help users mitigate this, they released an update which allows specifying the CWD DLL loading behavior system-wide or for specific applications.

So what do you think? Is this just another media hype or a real critical issue that should concern us all?
_________________ Game Industry Guardian (1K+).
Last edited by ChrisTX on Thursday, 26 Aug 2010, 18:35, edited 3 times in total.
Golle88
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Wednesday, 25 Aug 2010, 18:24
Rank: Super flooder (Honorary graphomaniac) | Joined: Saturday, 13 Dec 2008, 00:48 | Posts: 778 | Location: Germany
Did I understand that right? I only need to visit a manipulated website so a malicious DLL file is downloaded automatically that can remote-control my PC and download even more malicious DLLs?
ChrisTX
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Wednesday, 25 Aug 2010, 18:32
Rank: A+ | Joined: Wednesday, 26 Dec 2007, 00:42 | Posts: 7317
Golle88 wrote: Did I understand that right? I only need to visit a manipulated website so a malicious DLL file is downloaded automatically that can remote-control my PC and download even more malicious DLLs?

In theory, yes. By the way, Opera and Foxit Reader are now claimed to be hit, too.
_________________ Game Industry Guardian (1K+).
RessourectoR
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Thursday, 26 Aug 2010, 05:37
Rank: Administrator | Joined: Tuesday, 15 Nov 2005, 19:09 | Posts: 9593 | Location: here
What stuns me more than the number of vulnerable programs etc. is that this is even possible. I mean, isn't it very basic that you make sure that a program only loads proper stuff? Why the possibility (or default assumption) that there are DLLs in the CWD? Why not set the "include dir" to the dir from which the app is launched and be done with it? In what scenario does it make sense to load a DLL for a program from the current working dir?
_________________ ℝ.
shmelle
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Thursday, 26 Aug 2010, 09:25
Rank: Super flooder (Honorary graphomaniac) | Joined: Thursday, 26 Mar 2009, 19:15 | Posts: 718
I don't think this will affect my health, so then it can't be pandemic :]
ChrisTX
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Thursday, 26 Aug 2010, 16:36
Rank: A+ | Joined: Wednesday, 26 Dec 2007, 00:42 | Posts: 7317
RessourectoR wrote: I mean, isn't it very basic that you make sure that a program only loads proper stuff?

Usually yes, but if you do not want to load DLLs from the CWD, you need to call SetDllDirectory(""); explicitly.

RessourectoR wrote: Why the possibility (or default assumption) that there are DLLs in the CWD?

Historical and compatibility reasons. Some applications (actually, software like Groove 2007 on XP breaks if you disable this) require CWD-based loading. Microsoft cannot simply remove an item from the DLL search order. In some older software the usage of this is really considerable. Anyway, Microsoft already introduced safe DLL search with XP SP2. I should note that the possibility of exploiting this is really, really small. Most of these exploits require safe DLL search to be disabled in order to work properly. The risk itself is therefore, in my opinion, rather low. However, some applications (and from what I see, uTorrent does this, for instance) use LoadLibrary solely to check for the existence of a library, and if it exists, they load it. (I read uT tries to load some plugins_dll.dll if it exists.) While this is clearly against the best practices Microsoft suggested, it is done nevertheless. (By the way, SetDllDirectory(""); to disable CWD calls is recommended, too, if you don't need the CWD in the order.) For Firefox, Opera and such I think the DLLs loaded in this manner are mainly dwmapi.dll and other Windows DLLs, which would only be replaceable this way if safe DLL search is not enabled. However, I'd still recommend downloading the mitigation update and setting CWDIllegalInDllSearch system-wide to at least 2. That is because script kiddies are raiding exploit-db with dozens of such holes in all kinds of apps. If there is any app that is affected when safe DLL search is enabled, then these skiddies are probably on their way trying to use it.

RessourectoR wrote: Why not set the "include dir" to the dir from which the app is launched and be done with it?

That is done; actually, it's the first location the DLL search will look at.

RessourectoR wrote: In what scenario does it make sense to load a DLL for a program from the current working dir?

Compatibility. For new applications, it doesn't. Anyway, I think I should explain the DLL search order a bit. Without safe DLL search, the order (default on pre-XP SP2) is like this:

1. Application folder
2. CWD
3. Windows and system folders
4. PATH folders

With safe DLL search, the CWD and system folders swap places. If LoadLibraryEx with LOAD_WITH_ALTERED_SEARCH_PATH is used, the path indicated by the passed lpFileName will be searched instead of the application folder. (The order of the CWD/Windows folders is also set by safe DLL search mode.) However, if SetDllDirectory is used, the following strategy is used:

1. Application folder
2. SetDllDirectory folder (if "" is used as parameter, this is skipped)
3. System folders
4. PATH folders

Now the problem is that, even though Microsoft explicitly recommends setting a DLL directory, or disabling it, only a very small minority of vendors did this. (fuuuu nginx - Gateway timeout, what the heck is this now again :\ )
_________________ Game Industry Guardian (1K+).
arez
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Thursday, 26 Aug 2010, 16:49
Rank: Super flooder (Honorary graphomaniac) | Joined: Monday, 03 Nov 2008, 00:57 | Posts: 990
RessourectoR
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Thursday, 26 Aug 2010, 17:36
Rank: Administrator | Joined: Tuesday, 15 Nov 2005, 19:09 | Posts: 9593 | Location: here
Time for a lot of developers to update their app with "SetDllDirectory("");" then. Well, at least the default is the application directory, so as long as you don't try to load stuff that you don't include with your app by default, you should be fine also. lol.

I wonder, how much "discomfort" do I create for me or the apps, practically, when I "download the mitigation update and set CWDIllegalInDllSearch system-wide to at least 2"?

shmelle wrote: I don't think this will affect my health, so then it can't be pandemic :]

u
_________________ ℝ.
ChrisTX
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Thursday, 26 Aug 2010, 18:04
Rank: A+ | Joined: Wednesday, 26 Dec 2007, 00:42 | Posts: 7317
RessourectoR wrote: Time for a lot of developers to update their app with "SetDllDirectory("");" then. Well, at least the default is the application directory, so as long as you don't try to load stuff that you don't include with your app by default, you should be fine also. lol.

Precisely.

RessourectoR wrote: I wonder, how much "discomfort" do I create for me or the apps, practically, when I "download the mitigation update and set CWDIllegalInDllSearch system-wide to at least 2"?

Setting it to 2 means that DLLs won't be loaded from the CWD if the CWD is a WebDAV folder, or if the CWD is an SMB folder but the application was launched from a local folder and not from the network. Thus it shouldn't pose any problems. The only higher option is 0xFFFFFFFF, which will disable DLL searches in the CWD entirely. (I've got that enabled on my laptop; it works very well so far, but I ran into issues with this option on my dad's PC [XP]. 0x2 worked fine on his PC, however.)

shmelle wrote: I don't think this will affect my health, so then it can't be pandemic :]

It did, your grammar broke.
_________________ Game Industry Guardian (1K+).
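The registry mitigation explained in this post (0x2 system-wide versus 0xFFFFFFFF), plus the per-application override that the later posts end up needing for old games, as an added PowerShell example that is not from the thread. It assumes Microsoft's mitigation update (KB2264107) is installed, an elevated session, and the executable names are constructed placeholders.

```powershell
# Added example (not from the thread): audit and set the CWDIllegalInDllSearch
# value the posts above describe. Needs Microsoft's mitigation update installed
# (otherwise the value is ignored) and an elevated PowerShell session.
# Meanings, as documented for the update:
#   0xFFFFFFFF    remove the current working directory (CWD) from the DLL search order
#   0x2           block DLL loads from the CWD when it is a remote folder (WebDAV or UNC/SMB)
#   0x1           block DLL loads from the CWD only when it is a WebDAV folder
#   0x0 / absent  default search order (CWD still searched)

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function ConvertTo-RegDword([int64]$Value) {
    # REG_DWORD is written through an Int32, so 0xFFFFFFFF has to be passed as -1
    if ($Value -lt 0 -or $Value -gt 4294967295) { throw "Not a DWORD value: $Value" }
    if ($Value -gt [int32]::MaxValue) { return [int32]($Value - 4294967296) }
    return [int32]$Value
}

function Get-CwdDllPolicy([string]$ExeName) {
    # Without -ExeName: the system-wide setting; with it: the per-application override
    $key = if ($ExeName) { Join-Path $IfeoKey $ExeName } else { $SystemKey }
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return '0x{0:X8}' -f [int32]$item.$ValueName
}

function Set-CwdDllPolicy([int64]$Value, [string]$ExeName) {
    $key = if ($ExeName) { Join-Path $IfeoKey $ExeName } else { $SystemKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value (ConvertTo-RegDword $Value) -Force | Out-Null
}

# Baseline the thread settles on (the same value Microsoft's Fix It applies): 0x2 system-wide
Set-CwdDllPolicy -Value 2
# Per-application overrides (executable names are constructed for this example):
# strict for a program that probes its CWD with LoadLibrary ...
Set-CwdDllPolicy -Value 4294967295 -ExeName 'example_client.exe'
# ... and the default for an old game that still needs a DLL from its CWD
Set-CwdDllPolicy -Value 0 -ExeName 'example_old_game.exe'

'System-wide: {0}' -f (Get-CwdDllPolicy)
foreach ($exe in 'example_client.exe', 'example_old_game.exe') {
    '{0}: {1}' -f $exe, (Get-CwdDllPolicy -ExeName $exe)
}
```

Changes take effect for processes started after the value is written; running programs keep the search order they started with.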
shmelle
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Friday, 27 Aug 2010, 19:36
Rank: Super flooder (Honorary graphomaniac) | Joined: Thursday, 26 Mar 2009, 19:15 | Posts: 718
ChrisTX wrote: It did, your grammar broke.

Quote: 'So then' suggests sequence -- 'He hit you? So then what happened? Well, then I hit him back'

sorry but you broke.
ChrisTX
Post subject: Re: DLL preloading, the next pandemic vulnerability? Posted: Saturday, 28 Aug 2010, 15:10
Rank: A+ | Joined: Wednesday, 26 Dec 2007, 00:42 | Posts: 7317
shmelle wrote: [ChrisTX wrote: It did, your grammar broke.] Quote: 'So then' suggests sequence -- 'He hit you? So then what happened? Well, then I hit him back' sorry but you broke.

No you, 'so then' is consecutive; 'so that' is causal. If you had quoted the two lines, you'd have known that:

Quote: 'So then' suggests sequence -- 'He hit you? So then what happened? Well, then I hit him back'
'So that', on the other hand, as AA says, indicates a cause and effect relationship -- 'He hit me, so that I had to hit him back'.

Oh, also on this issue:

Finally, a few words on-topic:

RessourectoR wrote: Why the possibility (or default assumption) that there are DLLs in the CWD?

I was puzzled about this too, to be honest, until I found out that the Age Of Empires II Expansion (which is from 2000) didn't work for me anymore (with the 0xFFFFFFFF option), but the game without the expansion worked. That was when I recalled why that is being assumed. The expansion lies in a subfolder due to a file conflict with the copy protection files; the rest of the libraries, however, are loaded from the folder of the game. That means the game requires two library folders: the one the application lies in, and a secondary one. While this is achievable with the SetDllDirectory() function, there is a small problem: the game was released in the year 2000. That function was introduced later on, though:

Quote: Minimum supported client: Windows Vista, Windows XP with SP1
Minimum supported server: Windows Server 2003

What disappointed me nevertheless is that Zuma and Zuma's Revenge rely on the same CWD loading measure. I doubt these games need to support Windows 2000, though. These conflicts led me to revert CWDIllegalInDllSearch to 0x2. With this option set, the whole thing works fine again.
_________________ Game Industry Guardian (1K+).
ChrisTX
Post subject: Re: DLL preloading, the next pandemic attack vector? Posted: Wednesday, 01 Sep 2010, 01:11
Rank: A+ | Joined: Wednesday, 26 Dec 2007, 00:42 | Posts: 7317
Although the chance of exploitation is rather small, as I previously elaborated, even Microsoft themselves highly recommend using 0x2 or even 0xFFFFFFFF system-wide, with 0x2 as the exception for apps that break when that is set. Further reading:

http://blogs.technet.com/b/srd/archive/ ... ector.aspx
http://blogs.technet.com/b/msrc/archive ... 69673.aspx

Basically, you can use the Fix It they made available on the patch's site. Clicking it will set the blocking to 0x2 system-wide. (By the way, I don't know about the other mentioned programs, but uTorrent at least has been patched already.)
_________________ Game Industry Guardian (1K+).
RessourectoR
Post subject: Re: DLL preloading, the next pandemic attack vector? Posted: Wednesday, 01 Sep 2010, 06:13
Rank: Administrator | Joined: Tuesday, 15 Nov 2005, 19:09 | Posts: 9593 | Location: here
I love them Fix Its. Perfect for lazy people, and it means they approve of the respective registry changes, so they're safe and recommended.
_________________ ℝ.
123max
Post subject: Re: DLL preloading, the next pandemic attack vector? Posted: Wednesday, 01 Sep 2010, 09:10
Rank: Advanced forumer (Regular) | Joined: Saturday, 26 Sep 2009, 01:57 | Posts: 178
Remote control program = botnets. What we usually see is that a specific JavaScript can remotely download files (I think), and botnets are controlled by RATs (some sort of program that controls the bots; basically "bots" means the victims' PCs, look at hackforums etc.). Then they steal all sorts of info (credit cards, PayPal, Steam etc.) from you and can even cause network attacks on specific networks and even remotely upload or download files from your PC!
CPAMX
Post subject: Re: DLL preloading, the next pandemic attack vector? Posted: Wednesday, 01 Sep 2010, 10:25
Rank: Super flooder (Honorary graphomaniac) | Joined: Saturday, 01 Aug 2009, 12:29 | Posts: 669
ChrisTX wrote: Although the chance of exploitation is rather small, as I previously elaborated, even Microsoft themselves highly recommend using 0x2 or even 0xFFFFFFFF system-wide, with 0x2 as the exception for apps that break when that is set. Further reading: http://blogs.technet.com/b/srd/archive/ ... ector.aspx http://blogs.technet.com/b/msrc/archive ... 69673.aspx Basically, you can use the Fix It they made available on the patch's site. Clicking it will set the blocking to 0x2 system-wide. (By the way, I don't know about the other mentioned programs, but uTorrent at least has been patched already.)

Mind if you use the macros instead of their flags? Too lazy to look up MSDN atm.
_________________ There are 10 types of people in this world: Those who get Binary, And those who don't.