Stephen Reese

Note this is an older post that I am migrating from another blog I previously maintained.

Metasploit has already provided a nice write-up of the pwning, I mean testing, of this vector: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html. It does involve a bit of prep work, but I tested it on a fully patched Windows XP SP3 host and it does provide you with the same privileges as the user who executes the exploit, remotely giving the attacker access to the system.

So the concern here is how to prevent evildoers from exploiting this vector.

1. Do not open any network shares or websites that you are unfamiliar with, and avoid executing unknown files from either.

2. Decide which workaround you would like to use, per the Microsoft security advisory at http://www.microsoft.com/technet/security/advisory/2269637.mspx.

  • Workaround #1: Disabling and stopping the WebClient (WebDAV) service is the easiest way to prevent the attack, but it may cause other problems.

  • Workaround #2: Blocking ports 139 and 445 may not be ideal, because it also breaks file sharing and can cause other problems.

  • Workaround #3: Download and install the tool from Microsoft that allows control of the DLL search path algorithm, from http://support.microsoft.com/kb/2264107, for your specific Windows version, e.g. Windows XP. Then modify the registry value that turns the behaviour on or off, or selects the action, per the section “Example 1: How to disable loading DLLs from a WebDAV share for all applications that are installed on your local computer” in http://support.microsoft.com/kb/2264107.

Okay, so in short there are two practical ways to disable the attack: disable the WebClient service, or install the tool and modify the specific registry value.

  • Note that many of us run both docked and undocked, so we need to modify the value under both ControlSet001 and ControlSet002 to cover both situations.
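The script below is an added PowerShell example, not a script from the original post or from Microsoft, that applies the two workarounds the post settles on: it stops and disables the WebClient service, and it sets the CWDIllegalInDllSearch value from KB2264107 under CurrentControlSet as well as ControlSet001 and ControlSet002, as the note above recommends. It assumes the KB2264107 update is already installed (the loader ignores the value otherwise), that it is run from an elevated prompt, and it uses the value 1 to match the KB's Example 1 (block DLL loads when the current directory is a WebDAV share); the other values the KB documents are listed in the comments, and the `$Value` parameter and the `Get-Mitigations` helper are names chosen for this example.

```powershell
# Added example (not from the original post): apply the WebClient and
# CWDIllegalInDllSearch mitigations for the DLL preloading vector.
# Assumes KB2264107 is installed and the script runs elevated.
param(
    # 0x1        block DLL loads when the current directory is a WebDAV share (KB2264107 Example 1)
    # 0x2        block when the current directory is any remote share (WebDAV or UNC)
    # 0xFFFFFFFF remove the current directory from the DLL search path entirely
    #            (pass ([int32]-1); DWORD values are written as signed 32-bit integers)
    [int32]$Value = 1
)

# Both hardware-profile control sets plus the live one, so docked and
# undocked boots get the same setting. Only sets that exist are touched.
$SessionManagerKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\ControlSet001\Control\Session Manager',
    'HKLM:\SYSTEM\ControlSet002\Control\Session Manager'
)

# --- Workaround #1: stop and disable the WebClient (WebDAV redirector) service ---
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
} else {
    Write-Host 'WebClient service not present on this host; nothing to disable.'
}

# --- Workaround #3: set CWDIllegalInDllSearch in every control set that exists ---
foreach ($key in $SessionManagerKeys) {
    if (Test-Path $key) {
        # Set-ItemProperty creates the value if it is missing and overwrites it otherwise.
        Set-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' -Value $Value -Type DWord
    }
}

# Report the resulting state so the change can be verified (or audited later
# by running only this function).
function Get-Mitigations {
    $state = @{}
    $wc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($wc) {
        $state['WebClient'] = "{0} (start mode {1})" -f $wc.State, $wc.StartMode
    }
    foreach ($key in $SessionManagerKeys) {
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue
            if ($prop) {
                $state[$key] = '0x{0:X8}' -f $prop.CWDIllegalInDllSearch
            } else {
                $state[$key] = 'not set'
            }
        }
    }
    return $state
}

Get-Mitigations | Format-Table -AutoSize
```

Run it once without arguments for the WebDAV-only setting from the KB's Example 1, or with `-Value 2` to also cover UNC shares; `Get-Mitigations` on its own is enough to check a host that should already have the workaround applied, which is the piece worth putting in a login script or inventory job.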
