Hacking toolkit publishes DLL hijacking exploit

Attacks against vulnerable Windows apps likely within weeks

The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will likely start hammering on PCs shortly, security experts said.

The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued.

"Once it makes it into Metasploit, it doesn't take much more to execute an attack," said Andrew Storms, director of security operations for nCircle Security. "The hard part has already been done for [hackers]."

Storms was referring to the release earlier today of exploit code by HD Moore, the creator of the Metasploit open-source hacking toolkit.

Moore also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that Moore crafted and added to Metasploit.

Together, the tool and exploit create an effective "point-and-shoot" attack, said Moore.

"With it in Metasploit, people will definitely be looking at these [vulnerabilities]," said Wolfgang Kandek, CTO at Qualys. "They gain a lot of visibility once in Metasploit, and I'd expect to see some kind of public exploit in the next couple of weeks."

According to reports that first appeared last week, developers, including Microsoft's, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

Many Windows programs can be exploited simply by tricking users into visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries -- dubbed "dynamic-link library," or ".dll" in Windows -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for those files, they can hijack the PC.

Moore was the first to broach the subject last week when he announced he'd found 40 vulnerable Windows applications . He was quickly followed by others who claimed different numbers, ranging from over 200 to fewer than 30.

Both Moore and Kandek said that they expect Microsoft to issue an advisory later today that will include defensive workarounds but not a true patch. The latter, Kandek said today -- and Moore said last week -- isn't feasible since the vulnerabilities are in each application's code, not in Windows itself.

"They'll probably give some workarounds and advice, such as to avoid loading DLLs from a network share or WebDAV," said Kandek, referring to the technology built into Windows that allows for file sharing and collaboration on the Web. "I expect that they'll have some kind of tool that will turn off the loading of [DLLs] from WebDAV shares."

Fixes for the vulnerabilities may take months, said the experts. "This could turn into an issue like ATL," said Storms, talking about the bug in Active Template Library, a Microsoft-provided code library that had to be patched two summers ago. Then, too, developers, including Microsoft's, had to patch their programs individually.

"Like with ATL, it may take some time to see what's affected," Storms added.

One thing Storms and Moore both hoped to find out later today is which applications of its own that Microsoft would acknowledge being flawed. "The real question will be what Microsoft apps are affected, and whether they'll address the specifics," said Storms.

Moore was harsher. "Their statements have been disingenuous," he said, of the comments the company reportedly made to University of California Davis Ph.D. candidate Taeho Kwon when he contacted the firm in August 2009 about vulnerabilities he'd uncovered. "They knew then that at least some of their apps were vulnerable."

According to Moore, at least one Microsoft filetype can be exploited to hijack a PC using a DLL-loading bug.

Moore also published a detailed description of the vulnerability, which he dubbed "application DLL load hijacking," as well as some defensive measures users can take, in a Monday entry to the Rapid7 blog.

"I'd disable SMB and disable the Web client in Windows pronto," said Storms.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

This story, "Hacking toolkit publishes DLL hijacking exploit" was originally published by Computerworld .

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies