Tuesday, August 31, 2010

Windows DLL load hijacking

This post demonstrates the DLL preloading/hijacking bug in Windows.
The basis of this exploit is the way Windows loads the DLL files used by many applications: if an application calls a DLL without specifying an absolute path, Windows searches for the DLL file in a fixed sequence of locations. This is being abused by computer criminals.

The Microsoft Security Response Center has written about the issue:

    "Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.

    Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately."
   
Microsoft has also published some registry tweaks that change the default DLL search behaviour:
http://support.microsoft.com/kb/2264107

Testing the Exploit:

Let us try this exploit on "Media Player Classic".
Write a DLL of your own. If you don't know how to write a DLL, you can get one from the link below.
MD5: 886173D0BB985E7E8DF51E4CBAE242B6

I assume that Media Player Classic is installed on your machine.
Rename the DLL to "iacenc.dll" and place it in a directory together with any media file that Media Player Classic can play.
Now open the media file and see the magic.

This exploit can be used by malware writers to spread their malware, so security professionals are expected to keep their knowledge of such exploits up to date. To check the order in which an application looks for a DLL, you can use Sysinternals' FileMon tool.
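As an added example (not code from the original post), the following Python models the search order described above and shows why a DLL that is absent from the application and system directories ends up being loaded from the directory holding the media file, and how removing the current working directory from the search (the CWDIllegalInDllSearch setting from KB 2264107) changes the outcome. The directory names and the file system it probes are constructed for the demonstration.

```python
"""Emulate the Windows DLL search order (SafeDllSearchMode on, the default
since XP SP2) to see where a DLL requested by bare name resolves, and flag
loads that land in the current working directory."""
from pathlib import PureWindowsPath

def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs,
                 cwd_in_search=True):
    """Probe order for a bare DLL name. cwd_in_search=False models the
    CWDIllegalInDllSearch=0xFFFFFFFF setting from KB 2264107, which removes
    the current working directory from the default search."""
    order = [app_dir, system_dir,
             str(PureWindowsPath(windows_dir) / "System"), windows_dir]
    if cwd_in_search:
        order.append(cwd)
    return order + list(path_dirs)

def resolve_dll(dll_name, order, exists):
    """Directory where the DLL is first found, or None. `exists` is a
    predicate over full paths (real file system or a constructed one)."""
    for directory in order:
        if exists(str(PureWindowsPath(directory) / dll_name)):
            return directory
    return None

def audit_dll_loads(dll_names, order, exists, cwd):
    """Classify each DLL: 'trusted', 'CWD' (nothing earlier in the search
    satisfied the request, so a copy placed there wins) or 'not found'."""
    report = {}
    for name in dll_names:
        found = resolve_dll(name, order, exists)
        if found is None:
            report[name] = "not found"
        elif found.lower() == cwd.lower():
            report[name] = "CWD"
        else:
            report[name] = "trusted"
    return report

# Constructed file system for the demonstration, not a real capture.
FAKE_FS = {p.lower() for p in (r"C:\Windows\System32\kernel32.dll",
                               r"D:\Videos\movie.avi", r"D:\Videos\iacenc.dll")}

def fake_exists(path):
    return path.lower() in FAKE_FS

# Constructed install/system/working directories for the player scenario.
ARGS = (r"C:\Program Files\MPC", r"C:\Windows\System32", r"C:\Windows",
        r"D:\Videos", [r"C:\Windows"])
DEFAULT_ORDER = search_order(*ARGS)
HARDENED_ORDER = search_order(*ARGS, cwd_in_search=False)
```

Running `audit_dll_loads(["kernel32.dll", "iacenc.dll"], DEFAULT_ORDER, fake_exists, r"D:\Videos")` reports kernel32.dll as trusted and iacenc.dll as resolved from the CWD; with HARDENED_ORDER the same request for iacenc.dll is simply not found.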