exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LoadLibrary.txt

LoadLibrary.txt
Posted Feb 9, 2004
Authored by OS Security | Site ossecurity.ca

A LoadLibrary / LoadLibraryEx weakness makes SSL on Internet Explorer very vulnerable to a DLL proxy attack. If exploited, unencrypted data can be intercepted before Internet Explorer uses the SSL module to encrypt the data.

tags | advisory
SHA-256 | 603b345a2df31ce2b2a3c2928ac1cc29651e2a412f6171ef68b66484970e4e16

LoadLibrary.txt

Change Mirror Download
Topic
LoadLibrary / LoadLibraryEx Weakness

Release Date:
February 9, 2004

Date Reported:
Reported to Microsoft on December 9, 2003

Severity:
Medium (Interception of SSL traffic, RSA encryption, and others)

Systems Affected:
Windows 95, 98, ME;
Windows NT, 2000, XP, 2K3 (ACL limitations apply)

Summary:
A LoadLibrary / LoadLibraryEx weakness makes SSL on Internet Explorer very
vulnerable to a “DLL proxy” attack. If exploited, unencrypted data can be
intercepted before Internet Explorer (IE) uses the SSL module to encrypt the
data. Therefore, confidential information such as bank accounts and
passwords could be stolen. Many applications are vulnerable to “DLL proxy”
attack with different ramifications.

Description:
There is a system-wide Win32 weakness on Windows platforms. It is a
LoadLibrary / LoadLibraryEx weakness attributed to how it dynamically
searches and loads DLLs into processes.

(Reference: the documentation for LoadLibrary / LoadLibraryEx from Microsoft
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/bas
e/loadlibrary.asp - When no path is specified for calling LoadLibrary /
LoadLibraryEx the system searches the directory from which the application
is loaded first, before it searches the system or other directories.)

Microsoft has provided mitigation such as Access Control List (ACL) for
program folders using NTFS. But this mechanism can only protect a limited
segment of WINDOWS users against this “DLL proxy” attack. For example, XP
Home Edition (SP1) is installed by default with administrator privileges for
accounts and therefore ACL for program folders are wide open to be modified.
Many Windows platforms use an un-secured file system such as FAT or FAT32
without ACL protection.

To exploit this weakness, a malicious DLL module can be introduced to the
directory for a targeted application such as IE. When the application
intends to load a DLL from the system directory, it instead loads a
malicious DLL module from the application directory. The malicious DLL
module intercepts all the function calls originally intended for a DLL, such
as wintrust.dll, located in the system folder. This kind of operation has
been termed “DLL proxy” by some in the past.

OS Security has verified this weakness in IE, on Windows NT, 2000, XP:

I. Malicious DLL can be delivered using the following typical ‘delivery
techniques’:
1. Any un-patched remotely exploitable BOF vulnerability;
2. Any new program users download and run from the Internet; and
3. Any un-patched web-browser vulnerability allowing targeted file saving
within scripts.

II. Using this malicious DLL to exploit this Win32 system-wide vulnerability
as described above to:
1. Log and send out so-called “secured” SSL traffic in its unencrypted HTML
format to others on the Internet;
2. Intercept plain messages before RSA encoding and after RSA decoding and
send out the plaint text out;
3. Plant delayed DoS scheme;
4. Launch viruses/worms within normal processes as threads, and etc.

For additional details please contact: info@ossecurity.ca or visit
www.ossecurity.ca

Recommended Protection:
· Migrate from Windows 9X to a securable Windows platform such as Windows
NT, 2K, XP and follow proper security configurations to enable Access
Control List protection to mitigate “DLL Proxy” attack. For daily normal
usage, do not use an account with administrative privileges.
· Use other Web browsers than Internet Explorer to do online transactions on
Windows 95, 98 or ME;
· Download a free Secure Transaction Module (STM) program from OS Security,
Inc. to verify whether Internet Explorer is under “DLL Proxy” attack every
time when IE is used to do online transaction. Click
http://www.ossecurity.ca/code/getdl.php?ID=5002&Code=4567 to download; or
· Consider using other operating systems such as Linux as an alternative to
do online secure transactions or perform sensitive data processing.

Vendor Status:
Microsoft was informed of this weakness in December 2003. As of February 5,
2004, Microsoft has not provided any indication that they intend to provide
any remedies for the affected Windows configurations.

Copyright (c) 2003-2004 OS Security, Inc.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
OS Security, Inc.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

OS Security, Inc.
http://www.ossecurity.ca
info@ossecurity.ca
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close