Computer Security


Microsoft Windows multiple applications DLL hijacking
updated since 26.08.2010
Published: 19.12.2011
Source:
SecurityVulns ID: 11096
Type: client
Threat Level: 6/10
Description: If an application is launched via a file type association, the current working directory is set to the directory where the file is located, making it possible to place DLLs that the application tries to load dynamically into the same directory.
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 PLOTSOFT : PDFill PDF Editor 8.0
 EMC : RSASecurID Software Token 4.1
CVE: CVE-2011-4141 (Untrusted search path vulnerability in EMC RSA SecurID Software Token 4.1 before 4.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a Software Token file.)
 CVE-2011-2016 (Untrusted search path vulnerability in Windows Mail and Windows Meeting Space in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .eml or .wcinv file, aka "Windows Mail Insecure Library Loading Vulnerability.")
 CVE-2011-1991 (Multiple untrusted search path vulnerabilities in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allow local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .rtf, or .txt file, related to (1) deskpan.dll in the Display Panning CPL Extension, (2) EAPHost Authenticator Service, (3) Folder Redirection, (4) HyperTerminal, (5) the Japanese Input Method Editor (IME), and (6) Microsoft Management Console (MMC), aka "Windows Components Insecure Library Loading Vulnerability.")
 CVE-2010-3199 (Untrusted search path vulnerability in TortoiseSVN 1.6.10, Build 19898 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a file that is processed by Tortoise. NOTE: this is only a vulnerability when a file extension is associated with TortoiseProc or TortoiseMerge, which is not the default.)
Original document: EMC, ESA-2011-039: RSA(r), The Security Division of EMC, announces security fixes and improvements for RSASecurID(r) Software Token 4.1 for Microsoft(r) Windows(r) (19.12.2011)
 robkraus_(at)_solutionary.com, Foxit Reader Insecure Library Loading (22.07.2011)
 robkraus_(at)_solutionary.com, PDFill Insecure Library Loading (10.06.2011)
 Mitja Kolsek, Silently Pwning Protected-Mode IE9 and Innocent Windows Applications (08.05.2011)
 NSO Research, NSOADV-2010-010: DATEV Multiple Applications DLL Hijacking Vulnerability (24.01.2011)
 ACROS Security, ASPR #2011-01-11-1: Remote Binary Planting in Multiple F-Secure Products (13.01.2011)
 apa-iutcert_(at)_nsec.ir, Google Desktop Insecure Library Loading Vulnerability (30.11.2010)
 apa-iutcert_(at)_nsec.ir, AOL Instant Messenger Insecure Library Loading Vulnerability (30.11.2010)
 Salvatore "drosophila" Fresta, Audacity <= 1.3 Beta Multiple Local Vulnerabilities (02.11.2010)
 apa-iutcert_(at)_nsec.ir, ACDSee Photo Manager Insecure Library Loading Vulnerability (28.10.2010)
 apa-iutcert_(at)_nsec.ir, FlipAlbum Vista Pro Insecure Library Loading Vulnerability (28.10.2010)
 apa-iutcert_(at)_nsec.ir, Internet Download Manager Insecure Library Loading Vulnerability (28.10.2010)
 apa-iutcert_(at)_nsec.ir, Nessus Client Insecure Library Loading Vulnerability (28.10.2010)
 apa-iutcert_(at)_nsec.ir, Orbit Downloader Insecure Library Loading Vulnerability (28.10.2010)
 apa-iutcert_(at)_nsec.ir, WinMerge Insecure Library Loading Vulnerability (28.10.2010)
 ACROS Security, Breaking The SetDllDirectory Protection Against Binary Planting (28.10.2010)
 apa-iutcert_(at)_nsec.ir, Secunia PSI Insecure Library Loading Vulnerability (28.10.2010)
 ACROS Security, How Visual Studio Makes Your Applications Vulnerable to Binary Planting (26.10.2010)
 indoushka salah el ddine, Microsft COFEE v1.1.2 DLL Hijacking Exploit (19.10.2010)
 indoushka salah el ddine, Vuris win32 mabezat DLL Hijacking Exploit (19.10.2010)
 apa-iutcert_(at)_nsec.ir, Accounting Pro 2003 Insecure Library Loading Vulnerability (19.10.2010)
 apa-iutcert_(at)_nsec.ir, Rafe 7 Insecure Library Loading Vulnerability (19.10.2010)
 apa-iutcert_(at)_nsec.ir, Brilliant Accounting System (59) Insecure Library Loading Vulnerability (19.10.2010)
 apa-iutcert_(at)_nsec.ir, Sahar Money Manager Insecure Library Loading Vulnerability (19.10.2010)
 apa-iutcert_(at)_nsec.ir, Holoo Insecure Library Loading Vulnerability (19.10.2010)
 apa-iutcert_(at)_nsec.ir, Xilisoft Video Converter Ultimate Insecure Library Loading Vulnerability (19.10.2010)
 YGN Ethical Hacker Group, Moovida Media Player version 2.0.0.15 Insecure DLL Hijacking Vulnerability (libc.dll,quserex.dll) (02.09.2010)
 YGN Ethical Hacker Group, KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll) (02.09.2010)
 nikhil_uitrgpv_(at)_yahoo.co.in, Tortoise SVN DLL Hijacking Vulnerability (02.09.2010)
 info_(at)_securitylab.ir, Microsoft Windows wscript.exe (XP) DLL Hijacking Exploit (wshfra.dll) (31.08.2010)
 YGN Ethical Hacker Group, QtWeb Browser version 3.3 build 043 Insecure DLL Hijacking Vulnerability (wintab32.dll) (30.08.2010)
 YGN Ethical Hacker Group, Maxthon Browser version 2.5.15.1000 Insecure DLL Hijacking Vulnerability (dwmapi.dll) (30.08.2010)
 YGN Ethical Hacker Group, Notepad++ version 5.7 Insecure DLL Hijacking Vulnerability (30.08.2010)
 glafkos_(at)_astalavista.com, Flash Player 9 DLL Hijacking Exploit (schannel.dll) (30.08.2010)
 glafkos_(at)_astalavista.com, Skype <= 4.2.0.169 DLL Hijacking Exploit (wab32.dll) (30.08.2010)
 MICROSOFT, Microsoft Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution (29.08.2010)
 CERT, US-CERT Technical Cyber Security Alert TA10-238A -- Microsoft Windows Insecurely Loads Dynamic Libraries (29.08.2010)
 glafkos_(at)_astalavista.com, TeamViewer <= 5.0.8703 DLL Hijacking Exploit (dwmapi.dll) (26.08.2010)
 glafkos_(at)_astalavista.com, Firefox <= 3.6.8 DLL Hijacking Exploit [dwmapi.dll] (26.08.2010)
 glafkos_(at)_astalavista.com, Adobe Device Central CS5 DLL Hijacking Exploit (qtcf.dll) (26.08.2010)
 glafkos_(at)_astalavista.com, Adobe Premier Pro CS4 DLL Hijacking Exploit (ibfs32.dll) (26.08.2010)
 glafkos_(at)_astalavista.com, Adobe Illustrator CS4 DLL Hijacking Exploit (aires.dll) (26.08.2010)
 glafkos_(at)_astalavista.com, Adobe InDesign CS4 DLL Hijacking Exploit (ibfs32.dll) (26.08.2010)
 glafkos_(at)_astalavista.com, Adobe On Location CS4 DLL Hijacking Exploit (ibfs32.dll) (26.08.2010)
Files: Microsoft Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution
 A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
 Microsoft Security Bulletin MS11-059 - Important Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
 Microsoft Security Bulletin MS11-071 - Important Vulnerability in Windows Components Could Allow Remote Code Execution (2570947) Published: Tuesday, September 13, 2011

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod