I’m writing this quickpost just in case you hadn’t figured this out for yourself: the techniques I described to protect machines from the .LNK vulnerability also help you mitigate the DLL preloading issue.
The .LNK vulnerability mitigation examples I gave with Ariad (no file execute) and SRP (Software Restriction Policies) prevent loading of DLLs from untrusted locations (USB sticks, network drives, …). They will therefore also prevent DLLs from being loaded from untrusted locations in the case of DLL preloading exploits.
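The SRP side of this mitigation only covers DLLs when the policy's enforcement setting is "All software files"; the default ("All software files except libraries") would leave a preloaded DLL unchecked. The script below is an added example, not code from the post or from Ariad: it audits the SRP store under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers for that setting, lists the existing path rules, and can add a Disallowed path rule. The drive letter and UNC wildcard used in the usage lines are assumptions for a lab machine, and the script assumes it runs elevated on a machine where SRP is managed locally (not overridden by domain policy).

```powershell
# Added example (not from the original post): audit and extend the SRP
# configuration so that DLLs loaded from untrusted locations are blocked.
$SrpRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted"

function Get-SrpEnforcementSummary {
    # Returns $null when no SRP policy exists at all.
    if (-not (Test-Path $SrpRoot)) { return $null }
    $ci = Get-ItemProperty -Path $SrpRoot
    [pscustomobject]@{
        DefaultLevel   = $ci.DefaultLevel
        # TransparentEnabled: 1 = all software files except libraries (DLLs are NOT checked)
        #                     2 = all software files (DLLs are checked too)
        DllsAreChecked = ($ci.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        PolicyScope    = $ci.PolicyScope
    }
}

function Get-SrpPathRules {
    # Path rules live under <level>\Paths\{GUID}; ItemData holds the path.
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $pathsKey = Join-Path $SrpRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

function Add-SrpDisallowedPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Added by audit script'
    )
    # Each rule is a GUID-named subkey with ItemData, SaferFlags, Description, LastModified.
    $ruleKey = Join-Path $SrpRoot ("$Disallowed\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $ruleKey
}

function Enable-SrpDllEnforcement {
    # Switch enforcement to "All software files" so path rules apply to DLLs as well.
    if (-not (Test-Path $SrpRoot)) { New-Item -Path $SrpRoot -Force | Out-Null }
    New-ItemProperty -Path $SrpRoot -Name TransparentEnabled -PropertyType DWord -Value 2 -Force | Out-Null
}

# --- Usage (lab assumptions: E: is the removable drive, \\* covers network shares) ---
$summary = Get-SrpEnforcementSummary
if ($null -eq $summary) {
    Write-Warning 'No SRP policy found; DLL preloading from untrusted locations is not blocked.'
} elseif (-not $summary.DllsAreChecked) {
    Write-Warning 'SRP is present but does not cover DLLs; enabling "All software files".'
    Enable-SrpDllEnforcement
}
if (-not (Get-SrpPathRules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -eq 'E:\' })) {
    Add-SrpDisallowedPath -Path 'E:\' -Description 'Removable media' | Out-Null
}
if (-not (Get-SrpPathRules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -eq '\\*' })) {
    Add-SrpDisallowedPath -Path '\\*' -Description 'UNC paths' | Out-Null
}
Get-SrpPathRules | Format-Table -AutoSize
```

The check worth keeping even if you configure SRP through the Local Security Policy GUI instead is the `DllsAreChecked` field: a Disallowed rule for a USB drive or UNC path does nothing for a preloaded DLL until enforcement is set to cover libraries. Run `gpupdate /force` afterwards and confirm with a harmless test DLL on the untrusted location that the loader refuses it before relying on the rule.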
Posted on 27 August 2010. Tags: Ariad, preloading, Quickpost
This protects against the dropped DLLs, but not against the DLLs that are malicious but that are already integrated into the software ‘or the update’. Also, this starts from the opinion that DLLs have to be dropped from half-external sources, but what about the millions of PCs that are already under the control of botnets? The problem is that one has to be able to identify (MD5?) all the different parts of the software as being genuine.
I also think there are some smarter ways to include malicious DLLs in programs, but I think that it is not so easy to do this in a very smart way, although with social engineering and ‘actwriting’ (writing your attack scenario as if it was a film) one should be able to set up an attack that could compromise even very important infrastructures – although it will depend on the individual rights and functions of the specific program that is vulnerable because of a misplaced DLL. I am thinking about the vulnerable PuTTY, Cisco network tools and probably some security software or banking and identification software.
We all presume that these are very secure, but they seem not to be programmed according to the rules.
Len