Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24609
HistoryAug 29, 2010 - 12:00 a.m.

US-CERT Technical Cyber Security Alert TA10-238A -- Microsoft Windows Insecurely Loads Dynamic Libraries

2010-08-2900:00:00
vulners.com
11
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                National Cyber Alert System

          Technical Cyber Security Alert TA10-238A

Microsoft Windows Insecurely Loads Dynamic Libraries

Original release date: August 26, 2010
Last revised: –
Source: US-CERT

Systems Affected

 Any application running on the Microsoft Windows platform that
 uses dynamically linked libraries (DLLs) may be affected. Whether
 or not an application is vulnerable depends on how it
 specifically loads a DLL. Please see the Vendor Information
 section of Vulnerability Note VU#707943 for information about
 specific vendors.

Overview

Due to the way Microsoft Windows loads dynamically linked libraries
(DLLs), an application may load an attacker-supplied DLL instead of
the legitimate one, resulting in the execution of arbitrary code.

I. Description

Microsoft Windows supports dynamically linked libraries (DLLs) that
are loaded when needed by an application. DLLs are typically loaded
when the application is first started; however DLLs may be loaded
and unloaded while the application is running. An application can
request a DLL file in a variety of ways, and Windows uses several
different search algorithms to find DLL files. The interaction
between the application and Windows can result in a DLL file being
loaded from the current working directory of the application,
instead of the Windows system directory or the directory where the
application is installed.

The current working directory could be the desktop, a removable
storage device such as a USB key, a Windows file share, or a WebDAV
location. When a file associated with an application is opened, a
DLL in the same directory as the file may be loaded. Although an
attacker may not have permission to write to the Windows system or
application directories, the attacker may be able to write a DLL to
a directory used to store files, or the attacker could provide
their own directory.

Attacks against this type of vulnerability have been referred to as
"binary planting." Please see Vulnerability Note VU#707943 and
Microsoft Security Advisory 2269637 for more information.

II. Impact

By placing a DLL with the correct name (and possibly the relative
directory path) in the current working directory, an attacker could
execute arbitrary code with the privileges of the application that
loads the DLL.

III. Solution

Individual applications that run on the Windows platform may
require patches or updates. Microsoft Knowledge Base article
KB2264107 describes an update that provides a registry key that can
prevent Windows from searching the current working directory for
DLL files.

Information about specific solutions for different vendors, general
mitigation techniques, and secure ways for applications to load
DLLs can be found in the Vendor Information and Solution sections
of Vulnerability Note VU#707943.

IV. References

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA10-238A.html>

Feedback can be directed to US-CERT Technical Staff. Please send
email to <[email protected]> with "TA10-238A Feedback VU#707943" in
the subject.

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html&gt;.

Produced 2010 by US-CERT, a government organization.

Terms of use:

 &lt;http://www.us-cert.gov/legal.html&gt;

Revision History

August 26, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTHbPuj6pPKYJORa3AQI0Rwf+JjLbBdWxKa+8pzCefxhs+maIjzihg/vN
ZNF90uuFgMAdIrTD7+Qlv6TUc3ep/O28Dg11K8rXaOfxeyPsItMwpbz7vrpoUC5W
qvu6pYQnmhW/egryPPC8cwFecuDaTNNWDShwQ8oULXnp2mfj9q3LUvVOvLXaiwXs
rivmLthvhCjWBYpYFBb9yHjHOcQd4JQ0LS4A4BRzXGKTTgMnRvawPeHFQvsMlR0M
plrIJ4Lht3eOis97Rot9BIIcYytM74ctz6TwCwOz5JPTA1ncikEzoLhaKCQ2egpq
GmyjcQLo83JWRxDkBE9EkBhkpOjyhsvpVLZoJrqpkwKtJMUVeLcBBw==
=M/vJ
-----END PGP SIGNATURE-----

JSON