Re: Windows Mail Find People DLL side loading vulnerability

From: Securify B.V. <>
To: Stefan Kanthak <>
Subject: Re: Windows Mail Find People DLL side loading vulnerability

Hi Stefan,

See below.

On 09-03-16 13:18, Stefan Kanthak wrote:
> "Securify B.V." wrote:
>> ------------------------------------------------------------------------
>> Windows Mail Find People DLL side loading vulnerability
>> ------------------------------------------------------------------------
>> Yorick Koster, September 2015
> This vulnerability demonstrates Microsoft's terrible SLOPPY coding
> horror^Wpractice: it needs two mistakes to create this kind of bug!
> "%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
> a resource DLL, which means that it contains no code, but only
> (localized) resources, and SHOULD (better: MUST) be loaded via
>      LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> to avoid the call of its DllMain() startup code!
> See <>
> JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!
> Either
>      LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
> or
>      LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> were sufficient to avoid this vulnerability.
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> Microsoft released MS16-025 that fixes this vulnerability.
> Have you checked how Microsoft fixed it?
> Did they exercise all due diligence now, practised defense in depth
> and replaced the call to
>      LoadLibrary("wab32res.dll")
> with a call to
>      LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?

They still use LoadLibrary() to load wab32res.dll. Previously, it
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended
wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLPath using PathRemoveFileSpec(). By
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll;
PathRemoveFileSpec() removes wab32.dll from the path. They also call
ExpandEnvironmentStrings(), but that was also the case previously.

With kind regards,

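As an added illustration (not code from the advisory, this reply, or Microsoft's wab code), the following portable C model contrasts the two path constructions the reply describes, before and after MS16-025, and adds the fully-qualified-path check a reviewer would want before the LoadLibrary() call. The Win32 helpers are emulated rather than called; the environment expansion table, its CommonProgramFiles value, and the plain-append modelling of the old construction are assumptions.

```c
#include <string.h>

/* Constructed stand-in for ExpandEnvironmentStrings(): expands %NAME% tokens
 * from a one-entry table; the value is constructed, not a real system's. */
static int expand_env(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    while (*in) {
        const char *piece = in;
        size_t len = 1;
        if (*in == '%') {                          /* %NAME% token */
            const char *end = strchr(in + 1, '%');
            if (!end) return 0;                    /* unterminated token */
            if (strncmp(in + 1, "CommonProgramFiles%", (size_t)(end - in)) != 0)
                return 0;                          /* unknown variable */
            piece = "C:\\Program Files\\Common Files";
            len = strlen(piece);
            in = end;                              /* step to closing '%' */
        }
        if (n + len >= cap) return 0;              /* would exceed the buffer */
        memcpy(out + n, piece, len);
        n += len;
        in++;
    }
    out[n] = '\0';
    return 1;
}
/* Emulates PathRemoveFileSpec(): drop the last '\\'-separated component. */
static void path_remove_file_spec(char *path)
{
    char *sep = strrchr(path, '\\');
    if (sep) *sep = '\0';
}
/* Build the wab32res.dll path from the HKLM\...\WAB\DLLPath value.
 * strip_file_spec = 0 models the pre-MS16-025 construction (file name appended
 * to the expanded DLLPath value as-is); strip_file_spec = 1 models the fix. */
static int build_wab32res_path(const char *dllpath, int strip_file_spec,
                               char *out, size_t cap)
{
    if (!expand_env(dllpath, out, cap)) return 0;
    if (strip_file_spec) path_remove_file_spec(out);
    if (strlen(out) + strlen("\\wab32res.dll") >= cap) return 0;
    strcat(out, "\\wab32res.dll");
    return 1;
}
/* Check before LoadLibrary(): a drive-rooted or UNC path bypasses the DLL
 * search order; a bare file name like "wab32res.dll" does not. */
static int is_fully_qualified(const char *p)
{
    return (p[0] && p[1] == ':' && p[2] == '\\') || (p[0] == '\\' && p[1] == '\\');
}
```

With the default DLLPath value, the pre-fix construction yields a path that still names wab32.dll as a directory, while the fixed one yields the sibling wab32res.dll under the System directory.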