Kaspersky Labs DLL Hijacking

2016.01.06
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll, quite some utilities offered for free by Kaspersky Lab load and execute rogue/bogus DLLs (UXTheme.dll, HNetCfg.dll, RichEd20.dll, RASAdHlp.dll, SetupAPI.dll, ClbCatQ.dll, XPSP2Res.dll, CryptNet.dll, OLEAcc.dll etc.) eventually found in the directory they are started from (the "application directory"). For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If one of the DLLs named above gets planted in the user's "Downloads" directory per "drive-by download" or "social engineering" this vulnerability becomes a remote code execution. Due to the application manifest embedded in some of the executables which specifies "requireAdministrator" or the installer detection of Windows' user account control theses installers/self-extractors are started with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of any hijacked DLL results in an escalation of privilege! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> plus <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details and why executable installers (and self-extractors too) are bad and should be dumped. Kaspersky Lab published a security advisory 2015-12-23 <https://support.kaspersky.com/vulnerability.aspx?el=12430#231215> after they made updated versions of their utilities available on <https://support.kaspersky.com/viruses/utility> stay tuned Stefan Kanthak

References:

https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html
http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
http://seclists.org/fulldisclosure/2015/Nov/10
http://seclists.org/fulldisclosure/2015/Dec/86


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top