Topic: Unsafe DLL loading vulnerability in version 2.3k


yeyint (Occasional poster, 1 post)
Unsafe DLL loading vulnerability in version 2.3k
« on: July 29, 2017, 08:30:13 PM »
The HSF Server application passes an insufficiently qualified path when loading an external library when a user launches the application.

Affected Library List
---------------------
# dwmapi.dll
# WindowsCodecs.dll
# apphelp.dll
# RICHED32.dll
# wsock32.dll
# DNSAPI.dll
# IPHLPAPI.dll
# rasadhlp.dll

Please see the following demo. I renamed the malicious DLL file (which executes the calculator) to apphelp.dll in this demo.

https://www.youtube.com/watch?v=VGjRA-P0opM

Thanks
Ye


REFERENCES
https://support.microsoft.com/en-us/help/2389418/secure-loading-of-libraries-to-prevent-dll-preloading-attacks
https://cwe.mitre.org/data/definitions/427.html
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

Fysack (Admin, Tireless poster, 629 posts)
Re: Unsafe DLL loading vulnerability in version 2.3k
« Reply #1 on: September 30, 2017, 11:00:49 PM »
it makes no sense dude
GOD CAN READ YOUR MIND

rejetto (Administrator, Tireless poster, 12949 posts)
Re: Unsafe DLL loading vulnerability in version 2.3k
« Reply #2 on: November 21, 2017, 04:54:49 PM »
I had missed this report, actually.
I'm not personally calling that DLL, and I'm not sure why it is called.
The results on Google are quite confusing.
If anyone has information, please share.


bmartino1 (Tireless poster, 870 posts)
Re: Unsafe DLL loading vulnerability in version 2.3k
« Reply #3 on: November 23, 2017, 05:23:44 PM »
rejetto, I private messaged you about this....

What I have seen and what was shown was indeed DLL hacking, but it is not a problem or a bug with your program, but an OS system issue with a bad visual update. It was his PC causing the issue..

This is not a bug that I have found.
I'm only trying to help i mean no offense.
thank you for your time and patience,
Bmartino1

Fysack (Admin, Tireless poster, 629 posts)
Re: Unsafe DLL loading vulnerability in version 2.3k
« Reply #4 on: December 09, 2017, 12:19:53 AM »
;D ;D ;D LOVE

danny (Tireless poster, 189 posts)
Re: Unsafe DLL loading vulnerability in version 2.3k
« Reply #5 on: June 21, 2019, 11:59:59 AM »
There is a Windows security setting for a specific program.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hfs.exe]
"CWDIllegalInDllSearch"=dword:00000002

Or, if the box was intentionally a server, there is a global setting.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDllSearch"=dword:00000002

Practically...
With SMB traffic already blocked by most internet providers, the remaining hazard is WebDAV, in which case, the following should have been the Windows default, but it isn't.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDllSearch"=dword:00000001
Although Cox Cable blocks servers on ports 80 and 443, which WebDAV uses, so in that case the problem is blocked as well. One may choose to disable WebDAV if not using it. Such a lovely ease for the end user; but, unfortunately, flawed, so we need to use encrypted FTP or TFTP instead of WebDAV.

This is an ordinary server-hardening task of Microsoft Windows and not specifically HFS.   
Step #1
My server uses https://tinywall.pados.hu/ (and a password) to be sure of what servers/services are and aren't utilizing the Internet connection.  It is a whitelist (proper) approach so that anything not on the list, doesn't connect.  You can set services such as SMB, Printing and WebDAV to "local subnet" aka "local network" so that they don't use the Internet. 
« Last Edit: June 24, 2019, 12:02:11 PM by danny »
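An added example (not code from this thread or from the HFS project) that audits the CWDIllegalInDllSearch mitigation described in the post above for one executable and for the machine-wide Session Manager key, and optionally applies the per-application value; the executable name hfs.exe is taken from the .reg snippets, while the parameter names and the -Apply switch are this script's own assumptions. Run from an elevated PowerShell prompt; without -Apply it only reports.

```powershell
# Added example, not from the thread: audit/apply CWDIllegalInDllSearch.
param(
    [string]$ExeName = 'hfs.exe',   # image name from the post's IFEO .reg snippet
    [uint32]$Value   = 2,           # 2 = block DLL loads from a remote CWD (WebDAV or UNC)
    [switch]$Apply                  # assumed switch: write the per-application value
)

$ValueName = 'CWDIllegalInDllSearch'
$GlobalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$AppKey    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"

# Returns the DWORD as an unsigned value, or $null when the key/value is absent.
function Get-CwdDllSetting {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD 0xFFFFFFFF is read back as Int32 -1; mask it to the unsigned value.
    return [uint32]($item.$ValueName -band 0xFFFFFFFF)
}

# Maps the documented values (KB2264107) to a human-readable meaning.
function Get-CwdDllSettingText {
    param([object]$Setting)
    if ($null -eq $Setting) {
        return 'not set (default: the current directory is searched, remote CWDs included)'
    }
    switch ([uint32]$Setting) {
        0          { '0: current directory always searched (mitigation disabled)' }
        1          { '1: DLL loads from a WebDAV current directory are blocked' }
        2          { '2: DLL loads from any remote current directory (WebDAV or UNC) are blocked' }
        4294967295 { '0xFFFFFFFF: current directory removed from the DLL search path entirely' }
        default    { "$Setting: unrecognised value" }
    }
}

$global  = Get-CwdDllSetting $GlobalKey
$current = Get-CwdDllSetting $AppKey
Write-Host "Machine-wide : $(Get-CwdDllSettingText $global)"
Write-Host "$ExeName : $(Get-CwdDllSettingText $current)"

if ($Apply -and $current -ne $Value) {
    # The IFEO subkey for the image usually does not exist yet; create it first.
    if (-not (Test-Path $AppKey)) { New-Item -Path $AppKey -Force | Out-Null }
    Set-ItemProperty -Path $AppKey -Name $ValueName -Value $Value -Type DWord
    Write-Host "Set $ValueName=$Value for $ExeName; restart $ExeName for it to take effect."
}
```

The per-application key is the same one the post's first .reg snippet creates, so the script can be used to verify that a merged .reg file actually took effect.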

Fysack (Admin, Tireless poster, 629 posts)
Re: Unsafe DLL loading vulnerability in version 2.3k
« Reply #6 on: October 12, 2019, 02:14:25 AM »
GOD CAN READ YOUR MIND