Re: Windows Mail Find People DLL side loading vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Stefan,

See below.

On 09-03-16 13:18, Stefan Kanthak wrote:

"Securify B.V." wrote:

------------------------------------------------------------------------
Windows Mail Find People DLL side loading vulnerability
------------------------------------------------------------------------
Yorick Koster, September 2015


This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
     LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

Either
     LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
     LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.


------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released MS16-025 that fixes this vulnerability.

Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
     LoadLibrary("wab32res.dll")
with a call to
     LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?
They still use LoadLibrary() to load wab32res.dll. Previously, the fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended wab32res.dll to the result, which was fed into LoadLibrary().
With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). By default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, PathRemoveFileSpec() removes wab32.dll from the path. They also call ExpandEnvironmentStrings(), but that was also the case previously. 

With kind regards,

Yorick
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux