Vulnerability in Microsoft Windows XP Dbghelp.dll(version 5.x) has been exploited by malwares to thwart debugging by researchers. The Dbghelp.dll is the Windows Image Helper dynamic linking library. This dll was being used by almost all the debuggers and disassemblers. The code that reads export function name fails to check the function name length before moving the data into the stack.
The malware authors have exploited this Remote code execution vulnerability with a specially crafted executable file with malicious export table. The exploit code exits the Olly debugger while it was trying to load this executable. Certain IRC bots are coming with this anti debugging(loading) protection. The latest version of Olly Debugger comes with this vulnerable dll.
To exploit this vulnerability the export function name must be greater than 2104 bytes. The interesting thing is malwares are coming with export function name longer than this size. The malware which I have seen had TLS call back function. The malware author tried to hide this exploitation trick by setting a TLS call back function so as to make us think the anti debugging trick would be lying in TLS function. The IDA pro debugger version 5.1.x itself is using the Dbghelp.dll version 6.x. I don't know what version of this dll other debuggers are using.
I kindly request the malware reversers particularly those who use Olly debugger to reverse malwares to use the new version of Dbghelp.dll(6.x and above).
Wednesday, November 10, 2010
Friday, September 3, 2010
Applications vulnerable to Dll Hijacking
These are all the list of applications (along with dll name) that are vulnerable to Dll Hijacking attack in windows.
For more Information about Dll Hijacking take a look at my previous posting on Dll preloading.
* ArchiCad 13.00 (srcsrv.dll)
* Nokia Suite contentcopier (wintab32.dll)
* Nokia Suite communicationcentre (wintab32.dll)
* Sony Sound Forge Pro 10.0 (MtxParhVegasPreview.dll)
* Camtasia Studio 7 (mfc90enu.dll, mfc90loc.dll)
* Media Player Classic v1.3.2189.0 (ehtrace.dll)
* Microsoft Help and Support Center (wshfra.dll)
* Microsoft Clip Book Viewer (mfaphook.dll)
* Real Player 1.1.5 Build 12.0.0.879 (wnaspi32.dll)
* SiSoftware Sandra (dwmapi.dll)
* SMPlayer v0.6.9 (wintab32.dll)
* Winmerge v2.12.4 (MFC71ESN.DLL)
* Steam Games (steamgamesupport.dll)
* UltraISO Premium 9.36 .isz (daemon.dll)
* wscript.exe (XP) (wshfra.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Daemon tools lite .mds (mfc80loc.dll)
* Google Earth v5.1.3535.3218 .kmz (quserex.dll)
* Nullsoft Winamp 5.581 .cda (wnaspi32.dll)
* Media Player Classic 6.4.9.1 .mka (iacenc.dll)
* Corel PHOTO-PAINT X3 v13.0.0.576 .cpt (crlrib.dll)
* CorelDRAW X3 v13.0.0.576 .cmx .csl (crlrib.dll)
* Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll)
* Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll)
* Mozilla Thunderbird ( dwmapi.dll )
* Microsoft Office PowerPoint 2007 (rpawinet.dll)
* Roxio MyDVD 9 (HomeUtils9.dll)
* Windows Internet Communication Settings (schannel.dll)
* Microsoft Windows Contacts (wab32res.dll)
* Adobe InDesign CS4 (ibfs32.dll)
* Cisco Packet Tracer 5.2 (wintab32.dll)
* Nvidia Driver (nview.dll)
* Adobe Illustrator CS4 (aires.dll)
* Adobe On Location CS4 (ibfs32.dll)
* Adobe Premier Pro CS4 (ibfs32.dll)
* Roxio Creator DE (HomeUtils9.dll)
* Skype <= 4.2.0.169 (wab32.dll)
* Mediaplayer Classic 1.3.2189.0 (iacenc.dll)
* TechSmith Snagit 10 (Build 788) (dwmapi.dll)
* Ettercap NG-0.7.3 (wpcap.dll)
* Microsoft Group Convertor .grp (imm.dll)
* Safari v5.0.1 (dwmapi.dll)
* Adobe Device Central CS5 (qtcf.dll)
* Microsoft Internet Connection Signup Wizard (smmscrpt.dll)
* InterVideo WinDVD 5 (cpqdvd.dll)
* Roxio Photosuite 9 (homeutils9.dll)
* Microsoft Vista BitLocker Drive Encryption (fveapi.dll)
* VLC Media Player (wintab32.dll)
* uTorrent DLL Hijacking Vulnerabilities
* TeamMate Audit Management Software Suite (mfc71enu.dll)
* Microsoft Office Groove 2007 (mso.dll)
* Microsoft Address Book 6.00.2900.5512 (wab32res.dll)
* Microsoft Visio 2003 (mfc71enu.dll)
* avast! <= 5.0.594 license files (mfc90loc.dll)
* Adobe Photoshop CS2 (Wintab32.dll)
* Adobe Dreamweaver CS5 <= 11.0 build 4909 (mfc90loc.dll)
* BS.Player <= 2.56 build 1043 (mfc71loc.dll)
* Adobe Dreamweaver CS4 (ibfs32.dll)
* TeamViewer <= 5.0.8703 (dwmapi.dll)
* Microsoft Windows 7 wab.exe (wab32res.dll)
* Opera v10.61 (dwmapi.dll)
* Microsoft Windows Movie Maker <= 2.6.4038.0 (hhctrl.ocx)
* Firefox <= 3.6.8 (dwmapi.dll)
* Windows Live Email (dwmapi.dll)
* Foxit Reader <= 4.0 pdf Jailbreak Exploit
* uTorrent <= 2.0.3 (plugin_dll.dll)
* Microsoft Power Point 2010 (pptimpconv.dll)
* Wireshark <= 1.2.10 (airpcap.dll)
* Notepad++ (SciLexer.dll)
* Microsoft Power Point 2007 (pp4x322.dll)
* Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll)
* Microsoft Word 2007 (msapsspc.dll,schannel.dll, digest.dll, msnsspc.dll)
* Microsoft Powerpoint 2007 (pp7x32.dll, pp4x322.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll)
* Tftpd32 version 3.35 (IPHLPAPI.DLL)
* Microsoft ATL Trace Tool Build 10.0.30319.1 atltracetool8.exe dwmapi extention .trc
* Windows Live! Messenger (Build => 14.0.8117.416) msgsres.dll Hijacking
* Active Perl v5.12.1 (wshenu.dll)
* CATIA V5 R17 (hzs_lm.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Cool Edit Pro 2.0 (coolburn.dll)
* GOM Player 2.1.25.5015 (schannel.dll)
* MAGIX Music Studio 12 deluxe (playripla6.dll)
* Opera 10.61 (dwmapi.dll)
* TeamViewer 5 (dwmapi.dll)
* Windows Address Book (wab32res.dll)
* Java Version 6 Update 21 (schannel.dll)
* Windows Progman Group Converter (imm.dll)
* NetStumbler 0.4.0 (mfc71enu.dll)
* Windows Mail 6.0.6000.16386 (wab32res.dll)
* TeamViewer (TV.dll)
* Wireshark <= 1.2.10 (libintl-8.dll)
* Microsoft Windows Media Encoder 9 .prx (msxml.dll)
* Notepad++ V5.4.5 Dll Hijack (SpellChecker.dll)
* Windows 7 and Vista Backup Utility .wbcat (fveapi.dll)
* Virtual DJ 6.1.2 .mp3 hdjapi.dll
* Atheros Client Utility dll Hijacking exploit (oemres.dll)
* Internet download manager dll Hijacking exploit (idmmkb.dll)
* Forensic Toolkit .ftk (MFC90DEU.DLL)
* EnCase .endump (rsaenh.dll)
* IBM Rational License Key Administrator .upd (IBFS32.DLL)
* PGP Desktop 9.8 .pgp (credssp.dll)
* Forensic CaseNotes .notes (credssp.dll)
* Microsoft RDP .rdp (ieframe.dll)
* pdf x viewer .pdf (wintab32.dll)
* Ultr@ VNC Viewer .vnc (vnclang.dll)
* Babylon v8.0.0.18 .txt (besextension.dll)
* QtWeb v3.3 .htm, .xml (wintab32.dll)
* IZArc 4.1.2.2012 .rar .zip .jar (ztv7z.dll)
* Jetaudio v7.1.8.4006 plus VX .mp3 mogg .mov and others (wnaspi32.dll)
* TechSmith Snagit v7.2.5 .snagprof (mfc71enu.dll)
* QXDM v03.09.19 (Qualcomm eXtensible Diagnostic Monitor) .isf (mfc71enu.dll)
This listing was published to make security analysts aware of exploitable applications in order to protect their resources from any possible attacks.
For more Information about Dll Hijacking take a look at my previous posting on Dll preloading.
* ArchiCad 13.00 (srcsrv.dll)
* Nokia Suite contentcopier (wintab32.dll)
* Nokia Suite communicationcentre (wintab32.dll)
* Sony Sound Forge Pro 10.0 (MtxParhVegasPreview.dll)
* Camtasia Studio 7 (mfc90enu.dll, mfc90loc.dll)
* Media Player Classic v1.3.2189.0 (ehtrace.dll)
* Microsoft Help and Support Center (wshfra.dll)
* Microsoft Clip Book Viewer (mfaphook.dll)
* Real Player 1.1.5 Build 12.0.0.879 (wnaspi32.dll)
* SiSoftware Sandra (dwmapi.dll)
* SMPlayer v0.6.9 (wintab32.dll)
* Winmerge v2.12.4 (MFC71ESN.DLL)
* Steam Games (steamgamesupport.dll)
* UltraISO Premium 9.36 .isz (daemon.dll)
* wscript.exe (XP) (wshfra.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Daemon tools lite .mds (mfc80loc.dll)
* Google Earth v5.1.3535.3218 .kmz (quserex.dll)
* Nullsoft Winamp 5.581 .cda (wnaspi32.dll)
* Media Player Classic 6.4.9.1 .mka (iacenc.dll)
* Corel PHOTO-PAINT X3 v13.0.0.576 .cpt (crlrib.dll)
* CorelDRAW X3 v13.0.0.576 .cmx .csl (crlrib.dll)
* Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll)
* Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll)
* Mozilla Thunderbird ( dwmapi.dll )
* Microsoft Office PowerPoint 2007 (rpawinet.dll)
* Roxio MyDVD 9 (HomeUtils9.dll)
* Windows Internet Communication Settings (schannel.dll)
* Microsoft Windows Contacts (wab32res.dll)
* Adobe InDesign CS4 (ibfs32.dll)
* Cisco Packet Tracer 5.2 (wintab32.dll)
* Nvidia Driver (nview.dll)
* Adobe Illustrator CS4 (aires.dll)
* Adobe On Location CS4 (ibfs32.dll)
* Adobe Premier Pro CS4 (ibfs32.dll)
* Roxio Creator DE (HomeUtils9.dll)
* Skype <= 4.2.0.169 (wab32.dll)
* Mediaplayer Classic 1.3.2189.0 (iacenc.dll)
* TechSmith Snagit 10 (Build 788) (dwmapi.dll)
* Ettercap NG-0.7.3 (wpcap.dll)
* Microsoft Group Convertor .grp (imm.dll)
* Safari v5.0.1 (dwmapi.dll)
* Adobe Device Central CS5 (qtcf.dll)
* Microsoft Internet Connection Signup Wizard (smmscrpt.dll)
* InterVideo WinDVD 5 (cpqdvd.dll)
* Roxio Photosuite 9 (homeutils9.dll)
* Microsoft Vista BitLocker Drive Encryption (fveapi.dll)
* VLC Media Player (wintab32.dll)
* uTorrent DLL Hijacking Vulnerabilities
* TeamMate Audit Management Software Suite (mfc71enu.dll)
* Microsoft Office Groove 2007 (mso.dll)
* Microsoft Address Book 6.00.2900.5512 (wab32res.dll)
* Microsoft Visio 2003 (mfc71enu.dll)
* avast! <= 5.0.594 license files (mfc90loc.dll)
* Adobe Photoshop CS2 (Wintab32.dll)
* Adobe Dreamweaver CS5 <= 11.0 build 4909 (mfc90loc.dll)
* BS.Player <= 2.56 build 1043 (mfc71loc.dll)
* Adobe Dreamweaver CS4 (ibfs32.dll)
* TeamViewer <= 5.0.8703 (dwmapi.dll)
* Microsoft Windows 7 wab.exe (wab32res.dll)
* Opera v10.61 (dwmapi.dll)
* Microsoft Windows Movie Maker <= 2.6.4038.0 (hhctrl.ocx)
* Firefox <= 3.6.8 (dwmapi.dll)
* Windows Live Email (dwmapi.dll)
* Foxit Reader <= 4.0 pdf Jailbreak Exploit
* uTorrent <= 2.0.3 (plugin_dll.dll)
* Microsoft Power Point 2010 (pptimpconv.dll)
* Wireshark <= 1.2.10 (airpcap.dll)
* Notepad++ (SciLexer.dll)
* Microsoft Power Point 2007 (pp4x322.dll)
* Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll)
* Microsoft Word 2007 (msapsspc.dll,schannel.dll, digest.dll, msnsspc.dll)
* Microsoft Powerpoint 2007 (pp7x32.dll, pp4x322.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll)
* Tftpd32 version 3.35 (IPHLPAPI.DLL)
* Microsoft ATL Trace Tool Build 10.0.30319.1 atltracetool8.exe dwmapi extention .trc
* Windows Live! Messenger (Build => 14.0.8117.416) msgsres.dll Hijacking
* Active Perl v5.12.1 (wshenu.dll)
* CATIA V5 R17 (hzs_lm.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Cool Edit Pro 2.0 (coolburn.dll)
* GOM Player 2.1.25.5015 (schannel.dll)
* MAGIX Music Studio 12 deluxe (playripla6.dll)
* Opera 10.61 (dwmapi.dll)
* TeamViewer 5 (dwmapi.dll)
* Windows Address Book (wab32res.dll)
* Java Version 6 Update 21 (schannel.dll)
* Windows Progman Group Converter (imm.dll)
* NetStumbler 0.4.0 (mfc71enu.dll)
* Windows Mail 6.0.6000.16386 (wab32res.dll)
* TeamViewer (TV.dll)
* Wireshark <= 1.2.10 (libintl-8.dll)
* Microsoft Windows Media Encoder 9 .prx (msxml.dll)
* Notepad++ V5.4.5 Dll Hijack (SpellChecker.dll)
* Windows 7 and Vista Backup Utility .wbcat (fveapi.dll)
* Virtual DJ 6.1.2 .mp3 hdjapi.dll
* Atheros Client Utility dll Hijacking exploit (oemres.dll)
* Internet download manager dll Hijacking exploit (idmmkb.dll)
* Forensic Toolkit .ftk (MFC90DEU.DLL)
* EnCase .endump (rsaenh.dll)
* IBM Rational License Key Administrator .upd (IBFS32.DLL)
* PGP Desktop 9.8 .pgp (credssp.dll)
* Forensic CaseNotes .notes (credssp.dll)
* Microsoft RDP .rdp (ieframe.dll)
* pdf x viewer .pdf (wintab32.dll)
* Ultr@ VNC Viewer .vnc (vnclang.dll)
* Babylon v8.0.0.18 .txt (besextension.dll)
* QtWeb v3.3 .htm, .xml (wintab32.dll)
* IZArc 4.1.2.2012 .rar .zip .jar (ztv7z.dll)
* Jetaudio v7.1.8.4006 plus VX .mp3 mogg .mov and others (wnaspi32.dll)
* TechSmith Snagit v7.2.5 .snagprof (mfc71enu.dll)
* QXDM v03.09.19 (Qualcomm eXtensible Diagnostic Monitor) .isf (mfc71enu.dll)
This listing was published to make security analysts aware of exploitable applications in order to protect their resources from any possible attacks.
Tuesday, August 31, 2010
Windows DLL load hijacking
This blogging is to demonstrate DLL Pre-loading/hijacking bug in Windows.
The basis of this exploit is the way in which Windows works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations. This is being abused by computer criminals.
The Microsoft Security Response Center has written about the issue :
"Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.
Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately."
Microsoft also has published some Registry tweaks which can change the default DLL library search behavior:
http://support.microsoft.com/kb/2264107
Testing the Exploit:
Ok let us try to employ this exploit on "Media Player Classic".
Write a dll of your own. If don't know how to write a dll you can get it from the link below.
http://www.filefactory.com/file/b32433b/n/iacenc.rar
http://rapidshare.com/files/416173663/iacenc.rarMD5: 886173D0BB985E7E8DF51E4CBAE242B6
I assume that you have Media player classic being installed in your machine.
Rename the dll as "iacenc.dll". Place it in a directory with any media file that can be played by Media player Classic.
Now open the media file and see the magic.
This exploit can be used by malware writers to spread their malware. So security professionals are expected to get updated knowledge on this exploits. To check on what priority applications load a dll you can use Sysinternal's FileMon tool.
The basis of this exploit is the way in which Windows works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations. This is being abused by computer criminals.
The Microsoft Security Response Center has written about the issue :
"Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.
Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately."
Microsoft also has published some Registry tweaks which can change the default DLL library search behavior:
http://support.microsoft.com/kb/2264107
Testing the Exploit:
Ok let us try to employ this exploit on "Media Player Classic".
Write a dll of your own. If don't know how to write a dll you can get it from the link below.
http://www.filefactory.com/file/b32433b/n/iacenc.rar
http://rapidshare.com/files/416173663/iacenc.rar
I assume that you have Media player classic being installed in your machine.
Rename the dll as "iacenc.dll". Place it in a directory with any media file that can be played by Media player Classic.
Now open the media file and see the magic.
This exploit can be used by malware writers to spread their malware. So security professionals are expected to get updated knowledge on this exploits. To check on what priority applications load a dll you can use Sysinternal's FileMon tool.
Friday, June 11, 2010
Gunpack - God's Unpacker
To protect malwares from detection by AV vendors malware authors use packers/cryptors for protection. For malware analysts unpacking executable is the greatest problem they encounter while analyzing protected executable files.
To combat packer challenges a memory dumping attack was employed in GUnpack tool.G(ods)Unpack tool unpacks packed executable files based on memory dumping technique.
Download page[Google code]
To combat packer challenges a memory dumping attack was employed in GUnpack tool.G(ods)Unpack tool unpacks packed executable files based on memory dumping technique.
Download page[Google code]
Wednesday, June 9, 2010
Autorun Cleaning tool
To clean autorun files on all the drives I have written a handy tool in Visual C.
Link1 [File Factory]
Link2 [YourFileLink]
Link3 [RapidShare]
Zipfile MD5 : BEEB5D98FBB1031F1046D801D61074DD
SHA1: D841CD5F60448FA2E487FDED179CA5E05DF79DBB
Unzip the file and check checksum before using.
SHA1 : 9A83F85FB7BFE0D585BAE662A946D8025695D11D
MD5 :BD891972669DD82393F303DDA15BF2CE
Link1 [File Factory]
Link2 [YourFileLink]
Link3 [RapidShare]
Zipfile MD5 : BEEB5D98FBB1031F1046D801D61074DD
SHA1: D841CD5F60448FA2E487FDED179CA5E05DF79DBB
Unzip the file and check checksum before using.
SHA1 : 9A83F85FB7BFE0D585BAE662A946D8025695D11D
MD5 :BD891972669DD82393F303DDA15BF2CE
Subscribe to:
Posts (Atom)