Hi @ll, many (if not most of the) Windows system utilities and system routines (including the kernel and its subsystems) as well as many user programs (including the "shell" Windows Explorer, Windows Media Player, Internet Explorer, Microsoft Office, etc.) load libraries/satellites at runtime via filenames read from registry or .INI entries (see examples 0 to 13 below). Unfortunately, MANY of the references (about 5500 in Windows 7 x64 SP1 and about 4700 in Windows 7 x86 SP1) to libraries/satellites are made just via their filename, without their (well-known!) fully qualified path. Every application/utility/system routine that uses one of these system routines/subsystems, but has not taken precautions against loading DLLs and/or satellites from CWD (see and ) is thus susceptible to "binary planting" attacks. The VERY simple fix/mitigation: ALWAYS use the (well-known!) fully qualified path to all the libraries/satellites you reference! JFTR: almost all of the registry entries listed in the examples below can be specified as (typically) "%SystemRoot%\System32\.dll" with the REG_EXPAND_SZ data type. Timeline: 2004-08-23 informed vendor about still unfixed principal security flaws due to unqualified filenames and Windows' EXE/DLL search/load order after release of SP2 for Windows XP JFTR: Microsoft started their "trustworthy computing" initiative in 2001, and XP SP2 was supposed to eliminate many of the errors Microsoft made in previous versions of NT. 2004-08-25 vendor replies "no vulnerabilities", but forwards report to product groups/teams 2004-09-02 vendor still wont see vulnerabilities, asks for POC(s) 2008-05-30 vendors publishes 2009-04-15 vendor publishes alias plus 2010-08-23 vendor publishes and updates it over and over again since then 2010-08-24 asked vendor in response to advisory 2269637 what the product groups/teams had done in the past 6 years since my initial report to eliminate this attack vector 2010-09-04 compiled an exhaustive list with the about 5500(!) unqualified filenames (and some more errors) in the registry of Windows 7 x64 and sent it to vendor; and are the lists with major/minor errors found in the registry of Windows 7 x86 SP1 2010-09-11 asked vendor when to expect results from report sent in 2004, and when to expect a properly/thoroughly engineered Windows with "defense in depth" REALLY applied [*] 2010-09-13 vendor replied (to question from 2010-08-24): we have no feedback from the product teams 2011-09-13 vendor publishes alias 2011-12-28 vendor informs that the BSOD from example 3 was filed as a stability bug against Windows 8 2012-05-08 vendor publishes alias stay tuned Stefan [*] for (german) Windows XP Professional I provide the script that corrects the errors in the registry which remain after fixing the scripts \i386\DMREG.INF and \i386\HIVE*.INF and the errors in installed *.theme and generated DESKTOP.INI files which remain after fixing the \i386\*.TH_ files (usage instructions included in the script). PS: if you missed part 1 and/or part 2, see and Example 0: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\xxxxxxxx] "Layout File"="KBDxyz.DLL" Fixed with alias JFTR: Microsoft started their "trustworthy computing" initiative in 2001; 11 years later they still have loads of silly security holes due to their sloppy attitude! Example 1: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="explorer.exe" "Userinit"="userinit.exe" Fixed with alias JFTR: the vulnerability with "Userinit"="userinit.exe" was introduced when was applied. Example 2: NETSH.EXE [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh] ""=".dll" ... some 20 more entries ... POC: download or and store it with the name of one of the DLLs listed in the above registry key (or add a registry entry "0"="SENTINEL.DLL" resp. "0"="imm.dll" there); copy the 32-bit version of NETSH.EXE into a second directory; open a command prompt, "cd" into the directory where you downloaded the DLL; run the copy of NETSH.EXE from the command prompt and admire the application popup from the DLL.-) On 64-bit systems download and proceed like above. JFTR: if you think "ouch! how complicated" please check whether you've ever copied utilities like NETSH.EXE to another location, for instance your \\%LOGONSERVER%\NETLOGON\ share, and run them from there during logon (see and ). "Once bitten twice shy"? Not in Redmond, not at Microsoft! Example 3: the font drivers of the Win32 (kernel) subsystem [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers] "Adobe Type Manager"="atmfd.dll" JFTR: change this entry to =expand:"%SystemRoot%\\System32\\atmfd.dll", then start another user session (via fast user switching or RDP) and admire the BSOD "STOP 0x50 PAGE_FAULT_IN_NONPAGEABLE_AREA" in CSRSS.EXE due to a silly programming error in the code evaluating the environment variable %SystemRoot%. OUCH! "Adobe Type Manager"="C:\\Windows\\System32\\atmfd.dll" but works. Example 4: the SPOOLER [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint] "Driver"="winprint.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port] "Driver"="localspl.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Shared Fax Monitor] "Driver"="FXSMON.DLL" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port] "Driver"="tcpmon.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor] "Driver"="usbmon.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\WSD Port] "Driver"="WSDMon.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\Internet Print Provider] "Name"="inetpp.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services] "Name"="win32spl.dll" JFTR: when these registry entries are changed to "<...>"=expand:"%SystemRoot%\\System32\\.dll" the SPOOLER silently fails: no port monitors and no print providers are loaded, but no event log entry is written and no other indication of the fault given to the user! "<...>"="C:\\Windows\\System32\\.dll" but works. Example 5: the RPC service/system [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols] "ncacn_ip_tcp"="rpcrt4.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions] "NdrOleExtDll"="Ole32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService] "9"="secur32.dll" Example 6: the cryptography subsystem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders] "SecurityProviders"="credssp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (Microsoft Generic Profile)] "80000001"="msclmd.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Identity Device (NIST SP 800-73 [PIV])] "80000001"="msclmd.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider] "Image Path"="basecsp.dll" ... some 100 entries more ... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{guidguid-guid-guid-guid-guidguidguid}] "$DLL"="WINTRUST.DLL" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\] "$DLL"="WINTRUST.DLL" Example 7: OLE and COM [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42071714-76d4-11d1-8b24-00a0c9068ff3}\InprocServer32] @="deskpan.dll" This ONE was fixed with alias The following HUNDREDS are still lurking around and waiting to be exploited! JFTR: says: | LocalServer Specifies the full path to a 16-bit local server application. ~~~~~~~~~ | LocalServer32 Specifies the full path to a 32-bit local server application. ~~~~~~~~~ says: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID | {CLSID} | InprocServer32 | (Default) = path ~~~~ says: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID | {CLSID} | InprocServer | (Default) = path ~~~~ At Microsoft, we dont read our own documentation, we dont care! POC: download or and store it as DPNET.DLL; copy the 32-bit version of WSCRIPT.EXE or CSCRIPT.EXE into a second directory; create a file POC.VBS with the following single line: CreateObject("DirectPlay8.Peer.1") open a command prompt, "cd" into the directory where you downloaded the DLL; run the copy of WSCRIPT.EXE or CSCRIPT.EXE with POC.VBS as argument from the command prompt and admire the application popup from the DLL.-) JFTR: you can use any other program which instanciates COM objects instead of the Windows Script Host! [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32] @="ole32.dll" ... some 100 entries more ... [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\InprocServer32] @=".dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer] @=".exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{guidguid-guid-guid-guid-guidguidguid}\LocalServer32] @=".exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\InProcHandler32] @="ole32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC5DA001-7CD4-11D2-8ED9-D8C857F98FE3}\Server] @="mscorld.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC9F9AE-E87A-3252-8E25-B22423A40065}\InprocServer32] @="mscoree.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC] "DLL"="MSDTCPRX.DLL" ... some 100 entries more ... [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\x.y\z\win16] @=".dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\i.j\k\win32] @=".dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{guidguid-guid-guid-guid-guidguidguid}\a.b\c\win64] @=".dll" Example 8: the group policies' client side extensions [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{guidguid-guid-guid-guid-guidguidguid}] "DisplayName"="@.dll,-100" "DllName"=expand:".dll" Example 9: directplay [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay] "Gateway"="dpnhpast.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay] "Path"="dpwsockx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Modem Connection For DirectPlay] "Path"="dpmodemx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Serial Connection For DirectPlay] "Path"="dpmodemx.dll" Example 10: misc. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS] "IGDSearcherDLL"="bitsigd.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin] "WUSearchLibrary"="chkwudrv.dll" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystemUtilities] "IfsUtilExtension"="ifsutilx.dll" Example 11: TS Client [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\TransportExtensions] "Gateway"="aaclient.dll" [HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\] ""=".dll" ... [HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\\Addins\] ""=".dll" ... Example 12: MMC.EXE, the "Microsoft Management Console" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{guidguid-guid-guid-guid-guidguidguid}] "ModuleName"=".dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{guidguid-guid-guid-guid-guidguidguid}] "DescriptionIndirect"="@.dll,-123" "NameStringIndirect"="@.dll,-123" Example 13: DESKTOP.INI (folder customization), *.theme, *.LNK The shell caches the strings referenced via ="@,-123" in DESKTOP.INI and *.theme files, *.LNK etc. as well as the registry below the following registry keys: [HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache] "<...>.dll,-123"="...some string..." [HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache] "<...>.dll,-123"="...some string..." Look for yourself which files are loaded without fully qualified path! JFTR: ONLY IF resource DLLs are loaded with LoadLibraryEx() and the flag LOAD_LIBRARY_AS_DATAFILE is set (see ) there will be no call to the DllMain entry point. Counterexample: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\CodePage] ""="c_.nls" The filenames specified here get prefixed with %SystemRoot%\System32\ before their use.