Large numbers of binary planting vulnerabilities (also known as “DLL spoofing” or “DLL preloading” attacks) have been discovered in third-party applications running on Microsoft Windows. Software vendors are aware of this class of exploit and are working on fixes for the affected products.

In an advisory, Microsoft has described the seriousness of this threat. Scenarios in which an attacker takes complete control of an affected system by exploiting such a vulnerability are realistic.

Unsafe coding practices in legitimate applications running on Windows are one reason why such exploits can become very dangerous in corporate environments. The issue of binary planting attacks is taken very seriously.

How does the attack work?

An attacker may use social engineering to convince the victim to open a “common” legitimate file, e.g. a simple image file. The image file may be located on a remote network location such as “http://”.

In our test scenario the victim is logged in as a domain administrator on a Microsoft Windows Server machine. The victim decides to open the image file with an image viewer installed on that machine. The image viewer is vulnerable to the binary planting attack.

The image viewer may need to load a dynamic-link library at run time. Because the library is requested by name only, without a fully qualified path, Windows searches for it in a fixed set of directories in a particular order.

These directories are:

1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment variable.

One of these directories is the current directory, which in this scenario is the directory where the image file is stored.

If the attacker has full access to one of the directories that Windows searches, he may be able to place a malicious copy of the DLL in that directory.

In such a case the application loads and executes the malicious DLL without any verification. This may allow the attacker to gain full control of the affected machine, after which he may perform unwanted actions on it such as creating a new user account, accessing sensitive files in specific directories, and more.
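To make the search order above concrete, here is an added example (not code from the original article) that models the directory list in Python and resolves an unqualified DLL name against a constructed file system. The share, directory and DLL names are hypothetical placeholders, and the restricted mode models the LoadLibraryEx search flags that exclude the current directory and PATH.

```python
# Added example (not from the article): model of the DLL search order listed above,
# showing why a DLL absent from trusted directories is picked up from the current one.
from pathlib import PureWindowsPath

# Constructed directories; share and DLL names are hypothetical placeholders.
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
APP_DIR = r"C:\Program Files\ImageViewer"
CWD = r"\\example-share\images"            # directory holding the opened image
PATH_DIRS = [r"C:\Windows\System32\WindowsPowerShell\v1.0"]

# Constructed file system, lower-cased because Windows paths are case-insensitive.
PRESENT = {p.lower() for p in [
    rf"{APP_DIR}\imageviewer.exe",
    rf"{SYSTEM_DIR}\kernel32.dll",
    rf"{CWD}\holiday.jpg",
    rf"{CWD}\plugin_codec.dll",   # planted copy of a DLL the viewer expects but does not ship
    rf"{CWD}\kernel32.dll",       # planted copy of a DLL that already exists in System32
]}

def search_order(app_dir, cwd, path_dirs):
    """The six directories above, in the order used when SafeDllSearchMode is enabled."""
    return [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd, *path_dirs]

def resolve_dll(name, present, app_dir, cwd, path_dirs, restricted=False):
    """Path Windows would load for `name`, or None. restricted=True models LoadLibraryEx
    with LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32, which
    removes the current directory and PATH from the search."""
    if PureWindowsPath(name).is_absolute():      # fully qualified name: no search at all
        return name if name.lower() in present else None
    dirs = [app_dir, SYSTEM_DIR] if restricted else search_order(app_dir, cwd, path_dirs)
    for d in dirs:                               # first hit wins
        candidate = str(PureWindowsPath(d, name))
        if candidate.lower() in present:
            return candidate
    return None

def loaded_from_cwd(name, restricted=False):
    """True when the DLL the viewer would load is the planted copy in the current directory."""
    path = resolve_dll(name, PRESENT, APP_DIR, CWD, PATH_DIRS, restricted)
    return path is not None and path.lower().startswith(CWD.lower() + "\\")

if __name__ == "__main__":
    for dll in ("plugin_codec.dll", "kernel32.dll"):
        print(f"{dll}: default -> {resolve_dll(dll, PRESENT, APP_DIR, CWD, PATH_DIRS)}")
        print(f"{dll}: restricted -> {resolve_dll(dll, PRESENT, APP_DIR, CWD, PATH_DIRS, True)}")
```

The planted kernel32.dll is never reached because System32 is searched first; only a DLL the viewer asks for but that is missing from the trusted directories falls through to the current directory, and the restricted search turns that load into a failure instead.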

Web security and firewall products may become an essential instrument for blocking, and possibly preventing, the download of such malicious code from a remote network location.

The interesting point is that nowadays attackers try to hide harmful attacks behind seemingly legitimate actions, which emphasizes once more the importance of web and IT security in a corporate environment.