[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Windows Mail Find People DLL side loading vulnerability

To: Stefan Kanthak <stefan.kanthak@xxxxxxxx>
Subject: Re: [FD] Windows Mail Find People DLL side loading vulnerability
From: "Securify B.V." <lists@xxxxxxxxxxx>
Date: Wed, 9 Mar 2016 18:29:49 +0100

Hi Stefan,

See below.


On 09-03-16 12:48, Stefan Kanthak wrote:

"Securify B.V." wrote:

------------------------------------------------------------------------
Windows Mail Find People DLL side loading vulnerability
------------------------------------------------------------------------
Yorick Koster, September 2015

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
     LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, 
LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

Either
     LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
     LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released MS16-025 that fixes this vulnerability.

Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
     LoadLibrary("wab32res.dll")
with a call to
     LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, 
LOAD_LIBRARY_AS_DATAFILE)?

They still use LoadLibrary() to load wab32res.dll. Previously, thefetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appendedwab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). Bydefault DLLPath is set to %CommonProgramFiles%\System\wab32.dll,PathRemoveFileSpec() removes wab32.dll from the path. They also callExpandEnvironmentStrings(), but that was also the case previously.


With kind regards,

Yorick

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] Windows Mail Find People DLL side loading vulnerability
  - From: Securify B.V.
- Re: [FD] Windows Mail Find People DLL side loading vulnerability
  - From: Stefan Kanthak

Prev by Date: [FD] LSE Leading Security Experts GmbH - LSE-2016-01-01 - Wordpress ProjectTheme - Multiple Vulnerabilities
Next by Date: [FD] [CORE-2016-0003] - Samsung SW Update Tool MiTM
Previous by thread: Re: [FD] Windows Mail Find People DLL side loading vulnerability
Next by thread: [FD] LSE Leading Security Experts GmbH - LSE-2016-01-01 - Wordpress ProjectTheme - Multiple Vulnerabilities
Index(es):
- Date
- Thread