
Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution - Version: 13.0

Where can developers find guidance on how to avoid this issue? 
As of June 14, 2011, the update in Microsoft Knowledge Base Article 2533623[1] implements Application Programming Interface (API) enhancements in Windows to help developers correctly and securely load external libraries. Developers should follow the guidance provided in Microsoft Knowledge Base Article 2533623[2] to take advantage of the API enhancements provided by the update.

Microsoft has also published the MSDN article, Dynamic-Link Library Security[3], which describes the various Application Programming Interfaces (APIs) available on Windows that allow developers to correctly and securely load external libraries.

Microsoft is working with developers through the Microsoft Vulnerability Research Program to share information with them on how to prevent this vulnerability in their products. Software vendors and ISVs that have questions on the mitigations available in Windows for this issue are invited to contact the e-mail address given in the advisory[4] for additional mitigation information.

What is the scope of the issue?
Microsoft is aware of research published by a number of security researchers that describes a new remote attack vector for this known class of vulnerabilities. Applications are affected when they insufficiently qualify the path of an external library.

What causes this threat? 
This exploit may occur when an application does not specify the fully qualified path to a library it intends to load. Depending on how the application is developed, Windows, as instructed by the application, searches specific locations in the file system for the necessary library and loads the file if it is found.

Some Application Programming Interfaces (API), such as SearchPath, use a search order that is intended for documents and not application libraries. Applications that use this API may try to load the library from the Current Working Directory (CWD), which may be controlled by an attacker. Other APIs may also lead to similar behavior, when used in specific ways described in the MSDN article, Dynamic-Link Library Security[5].

In the case of network shares, such as WebDAV or SMB, an attacker who can write to this location could upload a specially crafted library. In this scenario, the application attempts to load the specially crafted library, which can then execute arbitrary code on the client system in the security context of the logged-on user.
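An added example, not code from the advisory or from Microsoft, of the fully-qualified-path guidance above in C: a bare name such as `helper.dll` is refused, the library is resolved next to the executable, and the Win32 load (compiled only under `_WIN32`) passes that complete path so no search order, and therefore no CWD or network share, is consulted. The function names `is_local_absolute`, `build_app_dll_path` and `load_app_dll` are the example's own.

```c
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602   /* SetDefaultDllDirectories needs Win8-level headers */
#endif
#include <windows.h>
#endif
/* Is `p` a local, drive-absolute Win32 path such as "C:\App\helper.dll"?
   Bare names ("helper.dll"), relative paths (".\helper.dll") and UNC paths
   ("\\server\share\helper.dll") all return 0: the first two would go through
   the DLL search order (which can include the CWD) and the third is the
   remote network location the advisory describes. */
int is_local_absolute(const char *p)
{
    return p && isalpha((unsigned char)p[0]) && p[1] == ':'
             && p[2] == '\\' && p[3] != '\0';
}

/* Build "<directory of exe_path>\<dll_name>" into out. dll_name must be a
   bare file name: separators and a drive colon are rejected so a caller
   cannot smuggle in "..\" or a share path. Returns 1 on success, else 0. */
int build_app_dll_path(const char *exe_path, const char *dll_name,
                       char *out, size_t out_len)
{
    const char *slash;
    size_t dir_len;
    if (!is_local_absolute(exe_path) || !dll_name || !*dll_name) return 0;
    if (strpbrk(dll_name, "\\/:")) return 0;
    slash = strrchr(exe_path, '\\');           /* non-NULL: checked above */
    dir_len = (size_t)(slash - exe_path) + 1;  /* keep the trailing '\' */
    if (dir_len + strlen(dll_name) + 1 > out_len) return 0;
    memcpy(out, exe_path, dir_len);
    strcpy(out + dir_len, dll_name);
    return 1;
}
#ifdef _WIN32
/* Hardened load: resolve the library beside the executable and hand Windows
   the fully qualified path, so no search order is applied at all. The
   SetDefaultDllDirectories call (an API from the KB 2533623 update) also drops
   the CWD from the search order used for this process's later loads. */
HMODULE load_app_dll(const char *dll_name)
{
    char exe[MAX_PATH], full[MAX_PATH];
    SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS);
    if (!GetModuleFileNameA(NULL, exe, sizeof exe)) return NULL;
    if (!build_app_dll_path(exe, dll_name, full, sizeof full)) return NULL;
    return LoadLibraryA(full);   /* instead of the vulnerable LoadLibraryA("helper.dll") */
}
#endif
```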

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In some cases, an attacker who already has access to a local folder on the system could use a DLL preloading vulnerability in a local application running with elevated privileges to elevate his access to the system.

How could an attacker exploit this vulnerability? 
This vulnerability requires that the attacker convince the user to open a file using a vulnerable program, from a remote network location. When the application loads one of its required or optional libraries, the vulnerable application may attempt to load the library from the remote network location. If the attacker provides a specially crafted library at this location, the attacker may succeed at executing arbitrary code on the user's machine.

What are the remote attack vectors for this vulnerability?
This vulnerability can be exploited over network file systems such as (but not limited to) WebDAV and SMB. An attacker can offer a file for download over any such protocol. If the application used to open this file does not load external libraries securely, the user opening that file could be exposed to this vulnerability.

Is this a security vulnerability that requires Microsoft to issue a security update? 
This vulnerability may require third-party vendors to issue a security update for their respective affected applications. As part of this security advisory, Microsoft is releasing an optional mitigation tool that helps customers address the risk of the remote attack vector through a per-application and global configuration setting.

Microsoft is also investigating whether any of its own applications are affected by DLL preloading vulnerabilities and will take appropriate action to protect its customers.

What is a Dynamic Link Library (DLL)?
A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Therefore, each program can use the functionality that is contained in this DLL to implement an Open dialog box. This helps promote code reuse and efficient memory usage.

By using a DLL, a program can be modularized into separate components. For example, an accounting program may be sold by module. Each module can be loaded into the main program at run time if that module is installed. Because the modules are separate, the load time of the program is faster, and a module is only loaded when that functionality is requested.

What is Web-based Distributed Authoring and Versioning (WebDAV)?
Web-based Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Integrated into IIS, WebDAV allows clients to do the following:

  • Manipulate resources in a WebDAV publishing directory on your server. For example, users who have been assigned the correct rights can copy and move files around in a WebDAV directory.
  • Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.
  • Lock and unlock resources so that multiple users can read a file concurrently.
  • Search the content and properties of files in a WebDAV directory.

What is Microsoft Server Message Block (SMB) protocol?
Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows. For more information on SMB, see the MSDN article, Microsoft SMB Protocol and CIFS Protocol Overview[6].

References
  1. Microsoft Knowledge Base Article 2533623 (support.microsoft.com)
  2. Microsoft Knowledge Base Article 2533623 (support.microsoft.com)
  3. Dynamic-Link Library Security (msdn.microsoft.com)
  4. Contact e-mail address for mitigation questions (technet.microsoft.com)
  5. Dynamic-Link Library Security (msdn.microsoft.com)
  6. Microsoft SMB Protocol and CIFS Protocol Overview (msdn.microsoft.com)

Authors: Microsoft
