Showing posts from August, 2010

DLL Preloading - Update Microsoft Recommendation

UPDATE September 2nd 2010 - Microsoft has issued updated guidance and a new tool to help customers manage this issue within their environments. The tool changes how Windows resolves DLLs at the operating-system level (whether the current working directory is searched at all, and whether it may be a remote SMB or WebDAV location), so it addresses the root cause of the issue while software vendors update their applications. Organizations should examine this tool and deploy it to prevent exploitation.

As with most reported vulnerabilities, Microsoft has issued a response to the DLL preloading issue that has been so hotly discussed. Their advisory is interesting:

1.  First, they recommend blocking outbound SMB and WebDAV access at the firewall so that users cannot make preloading connections out to the Internet. This is a solid recommendation, but it is general hygiene rather than a fix for this issue: it only stops the variant where the document and the planted DLL live on a remote share. The problem is that a malicious user could simply zip up the affected document together with a copy of the DLL; once extracted, the DLL sits in the same directory as the document, which becomes the application's working directory, and the user would load it locally with no network traffic to block - hdmoore provides an audit kit that even builds the DLL and sa…
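The following PowerShell script is an added example, not code from the original post or from Microsoft. It applies the workarounds discussed above (the new DLL search-order control, disabling the WebClient service, and blocking outbound SMB) on a Windows 7 / Server 2008 R2 host from an elevated PowerShell 2.0 prompt, then reads the state back. It assumes that the "tool" referred to in the update is the Microsoft update that introduces the `CWDIllegalInDllSearch` registry value; without that update installed the value is ignored. The rule name and the verification function `Get-DllPreloadingState` are this example's own.

```powershell
# Added example (not from the original post or from Microsoft): apply the
# DLL preloading workarounds on Windows 7 / 2008 R2 and verify them.
# Run from an elevated PowerShell 2.0 prompt.
# Assumption: the update that introduces CWDIllegalInDllSearch is installed;
# otherwise step 1 has no effect.

$SessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. Take remote locations out of the DLL search path.
#    2          = skip the current working directory when it is a WebDAV
#                 folder or a remote UNC share (the safe general setting).
#    1          = skip it only when it is a WebDAV folder.
#    0xFFFFFFFF = never search the current working directory at all; this
#                 breaks applications that load DLLs from their CWD, so test first.
#    To store 0xFFFFFFFF pass -1: Set-ItemProperty -Type DWord takes a signed Int32.
Set-ItemProperty -Path $SessMgr -Name 'CWDIllegalInDllSearch' -Value 2 -Type DWord

# 2. Stop and disable the WebClient service so WebDAV UNC paths no longer resolve.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Block outbound SMB (TCP 139/445). Microsoft's advice is to do this at the
#    perimeter; on a workstation, add remoteip= scoping so that internal file
#    servers keep working. Rule name is this example's own.
$RuleName = 'Block outbound SMB (DLL preloading)'
netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
    protocol=TCP remoteport=139,445 | Out-Null

# 4. Read back what was applied so the change can be audited.
function Get-DllPreloadingState {
    $cwd = (Get-ItemProperty -Path $SessMgr -Name 'CWDIllegalInDllSearch' `
                -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $svc = Get-Service -Name WebClient
    $fw  = netsh advfirewall firewall show rule name="$RuleName"
    New-Object PSObject -Property @{
        CWDIllegalInDllSearch = if ($cwd -eq $null) { 'not set (default search order)' }
                                else { '0x{0:X8}' -f $cwd }
        WebClientStatus       = $svc.Status
        WebClientStartup      = (Get-WmiObject Win32_Service -Filter "Name='WebClient'").StartMode
        OutboundSmbBlocked    = [bool]($fw -match 'Enabled:\s+Yes')
    }
}

Get-DllPreloadingState | Format-List
```

The registry setting is the only step that closes the local-archive case described above, because it changes the search order itself rather than the network path; the service and firewall steps only remove the remote-share delivery vector. Deploy the value at 2 first and move to 0xFFFFFFFF only after checking the applications in the environment still start.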

Windows DLL Injection Vulnerability

Most of the security world has now heard about the vulnerability reported by hdmoore: Windows applications that search the current working directory for a DLL can be made to load a malicious DLL placed next to a document, including from a remote SMB or WebDAV share. This issue has also been discussed at Slashdot by many users.
Since Metasploit is constantly updated with the latest public exploits, I decided to try this one out to see how easy it really is on the Windows 7 platform. Here are the Coles Notes and results of my attempts.
1.  Prep my test environment. I use a fully patched Windows 7 box running Windows Defender as my primary Windows work environment. I also have the convenience of using VMware Fusion to virtualize the environment, so it was easy to clone my installation to create a sample copy. I made sure to use host-only networking so I could isolate the Windows box together with Metasploit.
2.  I updated my Metasploit environment running on my OS X host. A quick svn update gave me the latest code. Version 10133 checked out.
3.  I opened msfconsole and l…