exploit the possibilities

Microsoft Internet Explorer 11 DLL Hijacking

Microsoft Internet Explorer 11 DLL Hijacking
Posted Apr 15, 2016
Authored by Sandro Poppi

Microsoft Internet Explorer 11 ships with MSHTML.DLL referencing various DLLs which are not present on a Windows 7 SP1 installation, Windows 10 is not affected, other Windows versions have not been tested. According to "MSHTML.DLL is at the heart of Internet Explorer and takes care of its HTML and Cascading Style Sheets (CSS) parsing and rendering functionality." Every application using MSHTML.DLL directly or another DLL which incorporates MSHTML.DLL (like SHELL32.dll) is prone to binary planting.

tags | exploit
systems | windows, 7
advisories | CVE-2016-0160
MD5 | 800d6f050e911388d82ce5cf404e7e09

Microsoft Internet Explorer 11 DLL Hijacking

Change Mirror Download
Abstract
--------
Microsoft Internet Explorer 11 MSHTML.DLL Remote Binary Planting
Vulnerability
Affected Version: MSHTML.DLL 11.0.9600.18231 and probably below on
Windows 7 SP1
Vendor Homepage: http://www.microsoft.com
Severity: high
Status: fixed
CVE-ID: CVE-2016-0160

Description
-----------
Microsoft Internet Explorer 11 ships with MSHTML.DLL referencing various
DLLs which are not present on a Windows 7 SP1 installation, Windows 10
is not affected, other Windows versions have not been tested.

According to [1] "MSHTML.DLL is at the heart of Internet Explorer and
takes care of its HTML and Cascading Style Sheets (CSS) parsing and
rendering functionality."

Every application using MSHTML.DLL directly or another DLL which
incorporates MSHTML.DLL (like SHELL32.dll) is prone to binary
planting[2] (including services running as SYSTEM). So this issue is not
restricted to Microsoft applications.

In addition certain applications like Microsoft
Word/Excel/Powerpoint/Project/powershell/... as well as a certain number
of third party software are prone to remote binary planting due to using
MSHTML.DLL in some ways.

Technical Details
-----------------
MSHTML.DLL on Windows 7 SP1 has missing dependencies for the following DLLs:

API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-ERROR-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-ROBUFFER-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-STRING-L1-1-0.DLL
API-MS-WIN-SHCORE-SCALING-L1-1-1.DLL
DCOMP.DLL
IESHIMS.DLL

Since all mentioned DLLs are available on a Windows 10 installation my
assumption is that this might be due to developing for Windows 10 and
backporting to Windows 7.

Whenever an application is using MSHTML.DLL either directly or via
indirect dependencies from SHELL32.DLL for instance it tries to find
API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL using the DLL search order (see [3]).

If a user and/or a remote attacker is able to control one directory in
the system's DLL search path he can escalate privileges from user to
SYSTEM in case of a vulnerable service running as SYSTEM.

If a user is tricked to open e.g. a word document from a Windows or even
WebDAV
share holding additionally a malicious DLL named
API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL it is loaded and executed in the
user's context.

Proof-of-Concept Remote Binary Planting
---------------------------------------
1. Add a Word document to a share (e.g. hello.docx) accessible from a
vulnerableWindows installation.
2. Add a "malicious" DLL to the same directory and name it
api-ms-win-appmodel-runtime-l1-1-0.dll
3. Mount the remote Windows share on a Windows 7 PC
4. Double-Click hello.docx (with Microsoft Word or Word Viewer)
The "malicious" DLL is loaded and executed in addition to Word

Solution
--------
Microsoft published the following security advisory MS16-037 [4]

Additional Note: The issue is completely fixed only if also MS16-041
is installed [5]!

Advisory Timeline
-----------------
30. Dec 2015 - Informed Microsoft Security Response Center
31. Dec 2015 - MSRC confirmed receipt
13. Feb 2016 - Requested status update
17. Feb 2016 - MSRC confirmed issue
12. Apr 2016 - MS16-037 published
15. Apr 2016 - Public Disclosure

Author
------
Sandro Poppi <spoppi.sec@gmail.com>

References
----------
[1] https://msdn.microsoft.com/en-us/library/aa741312%28v=vs.85%29.aspx
[2]
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
[3]
https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx
[4] https://technet.microsoft.com/en-us/library/security/ms16-037
[5] https://technet.microsoft.com/en-us/library/security/ms16-041
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close