‘Dll Hijacking’ is one of the recently highlighted critical security issues affecting many popular Windows applications. Every day researchers discover more applications that are vulnerable to various forms of ‘Dll Hijacking’, and at the same time attackers have already started exploiting these vulnerable applications.

In response, we developed a special tool called DllHijackAuditor to make it easy for researchers and developers to discover all the Dlls in an application that are prone to ‘Dll Hijacking’. We have also published a video demonstration showing how easy it is to use DllHijackAuditor to uncover such issues.

There are mainly two types of vulnerable Dlls here: those the application tries to load at launch time, and those it tries to load at a later point during its execution, which we term ‘Slow Hijack’ Dlls. Most of the vulnerable applications reported so far fall into the first category; almost no applications have been reported for the second scenario.


About ‘Slow Dll Hijacking’ Vulnerability

‘Slow Dll Hijacking’ refers to the special case where an application loads the vulnerable Dll at a later point in its execution (rather than at startup), triggered by certain operations. Discovering such Dlls is not easy and requires complete testing of all the features of the application. One may argue that such slow-loading vulnerable Dlls are less important from a practical attack point of view, but the possibility cannot be ruled out and it varies from application to application. From the loader's point of view there is no difference: a LoadLibrary call made in response to a menu action goes through the same search order as one made at startup, with the application's own directory searched first, so a Dll that is missing from that directory is just as hijackable later as it would be at launch. History has often shown that attackers are more innovative and creative than their counterparts.

From a developer's or organization's perspective, it is important to close all such holes leading to Dll Hijacking, whether they are triggered at launch or later, since they may be exploited at any point in time.

Detecting ‘Slow Dll Hijacking’ using DllHijackAuditor

DllHijackAuditor is specially designed to discover and audit an application for the ‘Slow Dll Hijack’ vulnerability. In these cases all areas of the application need to be tested thoroughly, so as to make sure that the loading of a Dll at any stage is not susceptible to ‘Dll Hijacking’. To address this scenario, DllHijackAuditor comes with a setting that allows the user to keep testing for as long as they want.

When you launch DllHijackAuditor, you will see a small checkbox labelled ‘Do not terminate application…’, which you need to select so that the application is not terminated after the predefined ‘wait timeout’. This allows you to perform complete testing while DllHijackAuditor waits in the background and displays any vulnerable Dlls it discovers.

During the next phase, exploitation testing, you have to select that checkbox again and repeat the same sequence of operations that triggered the application to load the Dll. This confirms whether the particular Dll is really exploitable via ‘Dll Hijacking’, just as in the normal launch-time cases.
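The same launch-time versus slow distinction described above, and the classification step an auditor performs while waiting with the ‘Do not terminate application…’ option set, can be reproduced by hand from a file-activity log. The script below is an added example; it is not part of the original post and is not code from DllHijackAuditor. It assumes a CSV export in the shape Process Monitor produces (columns Time of Day, Process Name, PID, Operation, Path, Result), and the log rows, the install directory C:\Program Files\Victim, the process name victim.exe, the five-second launch window and the Dll name plugin.dll are all constructed for illustration; airpcap.dll and tcapi.dll are the two Dlls the post discusses. It flags every .dll that the process probes in its own directory and does not find there, because the loader checks that directory before the system directories, which is why plugin.dll is reported even though the log shows it being found in System32 afterwards.

```python
"""Classify failed Dll probes in a process-activity log into launch-time and
'slow' hijack candidates.

Added example: not part of the original post and not DllHijackAuditor code.
It assumes a CSV export in the shape Process Monitor produces; the sample
rows, the application directory C:\\Program Files\\Victim, the process name
victim.exe, the launch window and the Dll name plugin.dll are constructed.
"""
import csv
import io
from datetime import datetime
from pathlib import PureWindowsPath

# Assumed install directory of the audited application.
APP_DIR = PureWindowsPath(r"C:\Program Files\Victim")
# Assumed threshold: probes within this many seconds of process start count
# as launch-time, anything later is a 'slow' load triggered by user activity.
LAUNCH_WINDOW_SECONDS = 5.0

# Constructed log modelled on a Process Monitor CSV export (not a real capture).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:00:01.0000000","victim.exe","4120","Process Start","","SUCCESS"
"10:00:01.0500000","victim.exe","4120","CreateFile","C:\Program Files\Victim\airpcap.dll","NAME NOT FOUND"
"10:00:01.0510000","victim.exe","4120","CreateFile","C:\Windows\System32\airpcap.dll","NAME NOT FOUND"
"10:00:01.0800000","victim.exe","4120","CreateFile","C:\Program Files\Victim\plugin.dll","NAME NOT FOUND"
"10:00:01.0810000","victim.exe","4120","CreateFile","C:\Windows\System32\plugin.dll","SUCCESS"
"10:00:01.0820000","victim.exe","4120","Load Image","C:\Windows\System32\plugin.dll","SUCCESS"
"10:00:01.1000000","victim.exe","4120","CreateFile","C:\Program Files\Victim\settings.ini","NAME NOT FOUND"
"10:00:02.0000000","explorer.exe","1234","CreateFile","C:\Program Files\Victim\other.dll","NAME NOT FOUND"
"10:00:45.3000000","victim.exe","4120","CreateFile","C:\Program Files\Victim\tcapi.dll","NAME NOT FOUND"
"10:00:45.3010000","victim.exe","4120","CreateFile","C:\Windows\System32\tcapi.dll","NAME NOT FOUND"
'''


def _parse_time(text):
    """Parse Process Monitor's HH:MM:SS.fffffff; strptime's %f takes six digits."""
    hms, _, frac = text.partition(".")
    return datetime.strptime(f"{hms}.{frac[:6].ljust(6, '0')}", "%H:%M:%S.%f")


def find_hijackable_dlls(log_text, process="victim.exe", app_dir=APP_DIR,
                         launch_window_seconds=LAUNCH_WINDOW_SECONDS):
    """Return {dll name: (category, seconds after process start)}.

    A NAME NOT FOUND probe for a .dll in the application directory means the
    loader looked there before finding the Dll elsewhere (or never found it),
    so a file planted in that directory would be loaded instead. Each Dll is
    reported once, at its first probe, and classified by how long after
    process start that probe happened.
    """
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["Process Name"] == process]
    if not rows:
        return {}
    # Prefer the explicit Process Start event; fall back to the first row seen.
    start = next((_parse_time(r["Time of Day"]) for r in rows
                  if r["Operation"] == "Process Start"),
                 _parse_time(rows[0]["Time of Day"]))
    findings = {}
    for row in rows:
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = PureWindowsPath(row["Path"])
        # PureWindowsPath compares case-insensitively, as the loader does.
        if path.suffix.lower() != ".dll" or path.parent != app_dir:
            continue
        name = path.name.lower()
        if name in findings:
            continue
        secs = (_parse_time(row["Time of Day"]) - start).total_seconds()
        category = "launch-time" if secs <= launch_window_seconds else "slow"
        findings[name] = (category, secs)
    return findings


if __name__ == "__main__":
    for dll, (category, secs) in find_hijackable_dlls(SAMPLE_LOG).items():
        print(f"{dll:<14} {category:<12} first probed {secs:7.3f}s after start")
```

Run against the constructed log, the script reports airpcap.dll and plugin.dll as launch-time candidates and tcapi.dll as a slow one, while settings.ini (not a Dll), the System32 probes (not the application directory) and the explorer.exe row (different process) are ignored. On a real capture you would export the filtered Process Monitor trace to CSV, set app_dir to the audited application's install directory and, as the post describes, keep exercising the application's features while the trace runs.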


Video Demonstration

Here is a short video demonstration which shows how one can use DllHijackAuditor to uncover ‘Slow Dll Hijack’ vulnerabilities present in various corners of an application.

In the above video, we have used Wireshark to demonstrate the discovery of the ‘Slow Dll Hijack’ vulnerability. The first part of the video shows the normal ‘Dll Hijack’ issue with ‘airpcap.dll’, discovered at launch time of Wireshark.

In the second part it demonstrates the discovery of Dlls vulnerable to ‘Slow Dll Hijacking’. Here we select the application as usual and then set ‘Do not terminate application…’ so that we get ample time for our testing. When the application is launched, we see the usual vulnerable Dll (airpcap.dll) as in the first phase; we then perform certain operations, such as opening interfaces in Wireshark, which cause more Dlls to be loaded. During this operation, DllHijackAuditor detects one more vulnerable Dll (tcapi.dll), showcasing the ‘Slow Dll Hijacking’ issue.

Though we have found only one such Dll here, it is possible to find many such vulnerable points in any application: ones that are not visible at start but become vulnerable at a later point in time.

This is just a small illustration of how DllHijackAuditor can help uncover such ‘Slow Dll Hijack’ vulnerabilities in an application, in addition to the normal ones at launch time, thus making sure the application is completely clean of vulnerable points that may be exploited at a later point in time.


So if you have already washed your hands, thinking you are done cleaning your application of Dll Hijacking, think again: there may be more of them hidden beneath the ice, just waiting for summer to come!
