
2017/07/13 - Loading of an arbitrary DLL by the self-executable file (DLL hijacking, DLL preloading)

[ Reproduction procedure ]
The self-executable form of an encrypted file created with AttachéCase has a problem in the search path used when loading DLLs, so an unintended DLL placed by an attacker can be loaded.

  1. An attacker places Trojan-horse DLLs named "DWMAPI.DLL", "DWrite.dll", etc., prepared for Windows (32-bit or 64-bit), in a directory.
  2. A self-executable file encrypted with AttachéCase is placed in the same directory.
  3. When this EXE is run, the Trojan-horse DLL is loaded and executed without the user intending it.

Other DLL file names with which the problem was reproduced on Windows 10 (64-bit):

  • WTSAPI32.DLL
  • PROPSYS.DLL
  • MSIMG32.DLL
  • WINDOWSCODECS.DLL
  • WINSTA.dll

[ Version in which the problem occurs ]
The current version is affected.

[ Avoidance and countermeasures ]
For now, to avoid this problem, please observe the following points when operating the software.

  • Save the self-extracting file in a newly created directory and run it there, with no unrelated files present.
  • Make sure that no untrusted files exist in the directory from which the self-extracting file is run.
  • If the self-extracting file is placed in a shared directory and run from there, make that directory read-only.
  • As a rule, run the self-extracting file with a standard user account without administrator rights, and use an administrator account only when necessary.
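As an added check for the second point above (this is example code written for this page, not AttachéCase's own code): a C++17 routine that enumerates every .dll file in the directory the self-extracting EXE will run from. With the default search order, a DLL beside the EXE is loaded in preference to the copy in System32 for any name that is not a KnownDLL, so every such file is a preloading candidate, not only the names listed on this page; those names are flagged separately. The function and type names, and the fixture directory it builds, are assumptions for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <fstream>
#include <set>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// DLL names the page reports as successfully hijacked, lower-cased for
// case-insensitive comparison (NTFS file names are case-insensitive).
static const std::set<std::string> kReportedNames = {
    "dwmapi.dll",  "dwrite.dll",        "wtsapi32.dll", "propsys.dll",
    "msimg32.dll", "windowscodecs.dll", "winsta.dll"};

struct PlantedDll {
    std::string filename;   // file name as found on disk
    bool matches_reported;  // true if it is one of the names listed above
};

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Lists every *.dll in exe_dir. Any DLL sitting beside the EXE is resolved
// before System32 for names that are not KnownDLLs, so each one is a
// candidate for preloading, whether or not the page lists its name.
std::vector<PlantedDll> find_planted_dlls(const fs::path& exe_dir) {
    std::vector<PlantedDll> found;
    if (!fs::is_directory(exe_dir)) return found;
    for (const fs::directory_entry& entry : fs::directory_iterator(exe_dir)) {
        if (!entry.is_regular_file()) continue;
        std::string name = entry.path().filename().string();
        std::string lower = to_lower(name);
        if (lower.size() < 4 || lower.compare(lower.size() - 4, 4, ".dll") != 0)
            continue;
        found.push_back({name, kReportedNames.count(lower) > 0});
    }
    // Deterministic order regardless of directory enumeration order.
    std::sort(found.begin(), found.end(),
              [](const PlantedDll& a, const PlantedDll& b) {
                  return a.filename < b.filename;
              });
    return found;
}

// Builds a constructed fixture directory (sample data for this example, not
// real files from the page) so the check can be exercised offline.
fs::path make_fixture_dir() {
    fs::path dir = fs::temp_directory_path() / "attachecase_dll_check_demo";
    fs::create_directories(dir);
    for (const char* name : {"DWMAPI.DLL", "Other.dll", "readme.txt", "archive.exe"}) {
        std::ofstream(dir / name) << "placeholder";
    }
    return dir;
}
```

Run find_planted_dlls() against the directory the EXE will be launched from; an empty result is what the first two countermeasures above aim for. A hit on a name from the page's list is the direct reproduction case, but any other .dll next to the EXE deserves the same scrutiny.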


 Demonstration source code (a VS Express for Desktop 2015 project is provided)

"DWMAPI.DLL" and "DWrite.dll" in the "Debug" and "Release" directories of the demonstration code are DLLs built to demonstrate DLL preloading. The source code of the verification DLL is as follows.

#include <windows.h>

// Verification DLL: the payload runs from DllMain as soon as the loader
// maps the DLL into the process, i.e. before the host EXE's entry point.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)hinstDLL;
    (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // MessageBoxA is used explicitly so the narrow string literals
        // compile whether or not UNICODE is defined for the build.
        MessageBoxA(NULL,
                    "This program is vulnerable to DLL Hijacking.",
                    "DLL Hijacked",
                    MB_OK);
    }
    return TRUE;
}

I read "Secure loading of libraries to prevent DLL preloading attacks" and added "SetDllDirectory("");" to the source code, but in either case the DLL is loaded and executed before the entry point is reached.

Searching the web, I found information saying there is no way to do it in .NET Framework C#, and information saying it can be done at the intermediate-language level, but I have not yet found an actual answer.

The same phenomenon also occurs in the old version (ver. 2), which is written in C++. I looked through various web sites but still could not find a countermeasure.

Similarly, if a DLL containing a Trojan horse is placed there, it is loaded before the entry point. If anyone knows a countermeasure for this as well, I would appreciate it if you could let me know.

Please email me.

Mitsuhiro Hibara

2017/01/16 - Directory traversal vulnerability

[ Reproduction procedure ]
AttachéCase uses a proprietary format called the ATC file and stores the name of each file to be extracted inside the ATC file.

If an ATC file is created with "..\" prepended to a stored file name and then decrypted, that file is extracted into the parent directory of the extraction destination directory.

However, since a malicious third party would have to develop an application that generates such a file, I think the risk is low.

[ Target version ]
ver.3.0.1.5 and earlier.
ver.2.8.2.8 and earlier.

[ Avoidance and countermeasures ]
Users should update to the latest version promptly.
Fixed so that extraction is aborted when "..\" appears in a stored file name.
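An added example of such a check, written for this page and not taken from AttachéCase (whose actual fix is the "..\" test described above): this C++17 routine goes further, rejecting ".." components anywhere in the stored name with either "\" or "/" as separator, rooted and UNC names, and names containing ":" (drive letters and NTFS stream syntax), and only then returning the normalised target path under the extraction directory. The function names and the "D:\out" destination used in the comments are assumptions for illustration.

```cpp
#include <optional>
#include <string>
#include <vector>

// Splits a stored ATC entry name on both "\" and "/" (Windows accepts
// either as a separator, so checking only "..\" would miss "../").
static std::vector<std::string> split_components(const std::string& name) {
    std::vector<std::string> parts;
    std::string current;
    for (char c : name) {
        if (c == '\\' || c == '/') {
            parts.push_back(current);
            current.clear();
        } else {
            current += c;
        }
    }
    parts.push_back(current);
    return parts;
}

// Returns the normalised path under dest_dir at which the entry may be
// written, or std::nullopt if the entry would escape dest_dir or is
// otherwise unsafe. dest_dir is assumed to be an absolute, trusted
// extraction directory chosen by the user (e.g. "D:\out"), never data
// taken from the ATC file itself.
std::optional<std::string> resolve_entry_path(const std::string& dest_dir,
                                              const std::string& entry_name) {
    if (entry_name.empty()) return std::nullopt;
    // Rooted names: "\foo" and UNC "\\server\share\foo" both start with a
    // separator; "C:foo", "C:\foo" and NTFS stream names "foo:ads" carry ':'.
    if (entry_name[0] == '\\' || entry_name[0] == '/') return std::nullopt;
    if (entry_name.find(':') != std::string::npos) return std::nullopt;

    // Walk the components with a stack so "sub\..\ok.txt" is allowed while
    // "..\evil.exe" and "sub\..\..\evil.exe" are rejected.
    std::vector<std::string> stack;
    for (const std::string& part : split_components(entry_name)) {
        if (part.empty() || part == ".") continue;   // doubled separator, "."
        if (part == "..") {
            if (stack.empty()) return std::nullopt;  // would leave dest_dir
            stack.pop_back();
            continue;
        }
        stack.push_back(part);
    }
    if (stack.empty()) return std::nullopt;          // no file name left

    std::string result = dest_dir;
    for (const std::string& part : stack) result += "\\" + part;
    return result;
}
```

An extractor would call resolve_entry_path() for every entry before creating the file and abort the whole extraction on std::nullopt, as the fixed versions do for "..\". Returning the normalised path rather than a bool keeps the check and the path actually opened in one place, so later code cannot reintroduce the hole by re-joining the raw name.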

JVN#83917769
AttacheCase vulnerable to directory traversal
https://jvn.jp/en/jp/JVN83917769/


2010/12/17 - Loading of an arbitrary executable file (binary planting)

[ Reproduction procedure ]
In AttachéCase, enable the operation setting that automatically opens the folder after decryption. If an encrypted file and an arbitrary executable named "explorer.exe" are stored in the same folder and the encrypted file is decrypted with the software, the arbitrary executable in that folder is launched. This can be exploited for attacks via USB memory devices and network folders.

[ Target version ]
ver.2.69 and earlier.

[ Avoidance and countermeasures ]
Users should update to the latest version promptly.
The fifth argument of the "ShellExecute" API (the working directory) had been passed as NULL; it is now set to the proper default directory.

JVN#02175694
AttacheCase may insecurely load executable files
https://jvn.jp/en/jp/JVN02175694/


If you have any questions about these vulnerabilities, please contact the following e-mail address.

Mitsuhiro Hibara