Update on the DLL-preloading remote attack vector

Last week, we released Security Advisory 2269637 notifying customers of a publicly disclosed remote attack vector to a class of vulnerabilities affecting applications that load dynamic-link libraries (DLLs) in an insecure manner. At that time, we also released a tool to help protect systems by disallowing unsafe DLL-loading behavior.

Today we wanted to provide an update by answering several questions we have received from customers and addressing common misperceptions about the risk posed by this class of vulnerability.

  • The user experience of the exploit in progress
  • The dangers of untrusted, Internet-zone WebDAV
  • Enabling the CWDIllegalInDllSearch protection tool

The user experience of the exploit in progress

This class of vulnerabilities does not enable a “drive-by” or “browse-and-get-owned” 0-click attack. To be exploited, a victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays. Let’s walk through an example of what an attack might look like:

First, the user browses to a malicious website:

The website would then attempt to display a new Windows Explorer window that points to a malicious WebDAV or SMB share. On systems running Protected Mode, Internet Explorer will require user consent to launch Windows Explorer, using a security warning like the one below. Protected Mode is enabled by default for Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

After the user allows Windows Explorer to launch (or if they have previously requested that Internet Explorer no longer display this warning), the user will be presented with a Windows Explorer dialog that is likely to look like the one below:

At this point, if the user were to double-click the data file on the share, the affected application could potentially run attacker code that is separately hosted on the same WebDAV server.

The dangers of untrusted, Internet-zone WebDAV

As described above, this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do the following:

  • Browse to a malicious, untrusted WebDAV server in the Internet Zone; and
  • Double-click a file that appears by its extension and icon to be safe

Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click any type of file. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename with character-encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking a malicious executable. With or without this new remote vector to the DLL-preloading issue, it is very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend that users only double-click file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker.

Enabling the CWDIllegalInDllSearch protection tool

We have received several questions regarding the best way to enable the protection tool released on the Microsoft Download Center last week.

First, you should know that downloading and installing the tool alone will not protect a workstation from vulnerable applications. It ships “off-by-default” and must be enabled either system-wide or for specific applications. After releasing this tool, we received a number of questions on how best to deploy it. We have now updated the KB article to address them. We encourage you to review the updated knowledge base article 2264107.

Secondly, customers have asked us to recommend the best setting among the three choices. We recommend one of two settings, depending on the specific risk about which you are concerned.

  • Setting the CWDIllegalInDllSearch regkey to 2 system-wide will completely block any network-based attack. We’ve built an automated Fix-it solution to enable that. You can click the Fix-it graphic below on systems that have already installed the tool to set CWDIllegalInDllSearch = 2, blocking DLL loads from the current working directory for both WebDAV and SMB except in cases where the application is run from a WebDAV or SMB share.

Note: The Fix-it itself does not install the workaround tool. You’ll need to separately download and install the tool beforehand.

  • To instead completely block all DLL-preloading attack vectors, including the threat of malicious files on a USB thumb drive or files arriving via email as a ZIP attachment, set CWDIllegalInDllSearch to 0xFFFFFFFF. This will address any DLL preloading vulnerabilities that may exist in applications running on your system. However, it may have some unintended consequences for applications that require this behavior, so we do recommend thorough testing.

This second option can be enabled by following these steps:

  • Install the tool from KB2264107.
  • Log on to your computer as an administrator.
  • Open Registry Editor.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  • Right-click Session Manager, point to New, and then click Dword Value.
  • Type CWDIllegalInDllSearch, and then click Modify.
  • In the Value data box, type 0xFFFFFFFF, and then click OK.

While the impact of the above change seems to be low, a reader of this blog wrote in that he experienced a compatibility issue with the Outlook 2002 address book. If you experience issues such as this, they can be mitigated by setting a special policy for the affected binaries that overrides the default CWDIllegalInDllSearch. The following steps show how to do this for OUTLOOK.EXE:

  • Log on to your computer as an administrator.
  • Open Registry Editor.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE
  • If a key with the application binary name does not exist, then you will have to create one.
  • Right-click OUTLOOK.EXE, point to New, and then click Dword Value.
  • Type CWDIllegalInDllSearch, and then click Modify.
  • In the Value data box, type 2, and then click OK.

This will still prevent OUTLOOK.EXE from loading DLLs from a remote network share or WebDAV location, but it does not remove the current working directory (CWD) from the library search path for this application altogether. This process can be repeated for any other application that no longer works correctly. As discussed, we don’t believe this will be common, but we do recommend testing.
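The two procedures above (the system-wide 0xFFFFFFFF setting and the per-application override of 2 for OUTLOOK.EXE) can also be applied from an elevated PowerShell prompt. The script below is an added example, not part of the original post or the KB2264107 tool; it assumes the tool is already installed, and the helper names Set-CwdPolicy and Get-EffectiveCwdPolicy are our own.

```powershell
# Added example (not from the original post or Microsoft's tool): apply the
# CWDIllegalInDllSearch settings described above and read back the effective
# value for a given binary. Assumes KB2264107 is installed and the shell is
# running as an administrator.

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Name      = 'CWDIllegalInDllSearch'

function Set-CwdPolicy {
    param([string]$Key, [int]$Value)
    # Create the key if it is missing (the per-application IFEO key usually is).
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # DWORD value. PowerShell parses the literal 0xFFFFFFFF as Int32 -1, which
    # is stored in the registry as FFFFFFFF, i.e. the "block CWD everywhere" setting.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-EffectiveCwdPolicy {
    param([string]$Exe)
    # A per-application value under IFEO overrides the system-wide default, so
    # check the binary's own key first, then fall back to Session Manager.
    foreach ($key in @("$IfeoKey\$Exe", $SystemKey)) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return ('0x{0:X8}' -f $v) }
    }
    return 'not set (tool installed but protection off)'
}

# System-wide: remove the current working directory from the DLL search path.
Set-CwdPolicy -Key $SystemKey -Value 0xFFFFFFFF
# Outlook compatibility exception: still block remote (WebDAV/SMB) CWD loads only.
Set-CwdPolicy -Key "$IfeoKey\OUTLOOK.EXE" -Value 2

Get-EffectiveCwdPolicy -Exe 'OUTLOOK.EXE'   # 0x00000002 (per-app override)
Get-EffectiveCwdPolicy -Exe 'NOTEPAD.EXE'   # 0xFFFFFFFF (system-wide default)
```

Run Get-EffectiveCwdPolicy against each binary you test so that an unexpected "not set" result (tool not installed or value never created) is caught before you assume the workstation is protected.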

Thanks for your interest in this issue. Please send questions in to switech@microsoft.com.

Jonathan Ness, MSRC Engineering
Maarten Van Horenbeeck, MSRC Program Manager

*Posting is provided “AS IS” with no warranties, and confers no rights.*
