DLL Hijacking Exploit – All at One Place

The web is full of recent DLL Hijacking Exploit after HDMoore and other security researchers have reported about numerous Windows applications suffering  from these flaws.  Here I have decided to put together simple version with all the relevant links at one place so that one gets the complete picture.


What is DLL Hijacking Vulnerability ?

In simple words, DLL Hijacking is the vulnerability which can be used to make any vulnerable Windows application to load malicious DLL by exploiting its DLL search order mechanism there by taking complete control over the system. Attacker can trick the user to open the documents/video/movies from the remote share where user can place malicious version of legitimate DLL. So when user launches the application to view such remote content, application will load these malicious DLLs instead of original DLL.

This issue is not new and has been there since the early days of Windows, but it has gained more limelight while researchers discover more number of applications vulnerable to it though various mechanisms. Though Microsoft has documented about these implications in the MSDN, there are many vulnerable applications around.


How it Works ?

Here is the very good video demonstration created by Offensive-Security which explains how one can easily lure victims to fall for this exploit using Metasploit.

KB: We can’t fix this one – Microsoft DLL Hijacking Exploit from Offensive Security on Vimeo.


What is the Workaround/Solution ?

Microsoft has released an Security Advisory citing this problem and mentioning about these mitigations

  • Disable loading of libraries from WebDAV and remote network shares
  • Disable the WebClient service
  • Block TCP ports 139 and 445 at the firewall

Microsoft has also introduced new registry key CWDIllegalInDllSearch to safeguard individual or All applications from this vulnerability. Below is the link to KB article

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm


What Developers Can do  to Safeguard their Applications ?
Microsoft has outlined several security measures for Developers to prevent this remote DLL loading vulnerability.  Here is the article which explains everything about DLL Security mechanisms,

Dynamic-Link Library Security


How can I play with this DLL-Hijacking Vulnerability ?

Metasploit has already released ‘webdav_dll_hijacker’ exploit to pen test against this DLL Hijacking vulnerability which can be further used to understand and demonstrate this vulnerability. Here is the blog article from Metasploit which explains the entire exploitation process,

Exploiting DLL Hijacking Flaws

Even you can refer to above video presentation to understand how it works before you play with it.


Similar posts
  • Computer Security Tips: Stay Safe Onl... In recent times cyber security has raised the level of awareness and public consciousness as never before. Both large corporations and big organizations try to take care of online security as much as they can. That’s why cyber criminals and hackers have focused more on smaller companies and single entrepreneurs. This awful tendency leads to [...]
  • SecurityXploded Mentorship Programme ... I am writing this blog to share my SecurityXploded Student Mentorship Programme experience with the future students of this programme. My mentorship programme started last year in August when I was in 2nd year of MS at IIIT-Allahabad. I knew about SecurityXploded community since I used to follow their blogs, training programmes and security tools [...]
  • Code Injection and API Hooking Techni... Hooking covers a range of techniques used for many purposes like debugging, monitoring, intercepting messages, extending functionality etc. Hooking is also used by a lot of rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different [...]
  • Announcement – SecurityXploded ... From the past two years we are working actively on couple of projects to support the security community. As you all may already know that we have successfully completed our reversing and malware analysis training programme and we are very glad that it was very helpful for everyone. In my opinion the success of any [...]
  • Advanced Malware Analysis Training Se... Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 2) Dissecting the HeartBeat  RAT Functionalities   This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.       In this extended session, I explained “Decrypting various Communications Of HeartBeat [...]

Leave a Reply