Re: Windows Mail Find People DLL side loading vulnerability

From: Securify B.V. <lists@securify.nl>
To: Stefan Kanthak <stefan.kanthak@nexgo.de>
Cc: bugtraq@securityfocus.com
Subject: Re: Windows Mail Find People DLL side loading vulnerability
Date:


Hi Stefan,

See below.

On 09-03-16 13:18, Stefan Kanthak wrote:
> "Securify B.V." wrote:
>> ------------------------------------------------------------------------
>> Windows Mail Find People DLL side loading vulnerability
>> ------------------------------------------------------------------------
>> Yorick Koster, September 2015
>>
> This vulnerability demonstrates Microsoft's terrible SLOPPY coding
> horror^Wpractice: it needs two mistakes to create this kind of bug!
>
> "%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
> a resource DLL, which means that it contains no code, but only
> (localized) resources, and SHOULD (better: MUST) be loaded via
>      LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> to avoid the call of its DllMain() startup code!
> See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
>
> JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!
>
> Either
>      LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
> or
>      LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
> were sufficient to avoid this vulnerability.
>
>> ------------------------------------------------------------------------
>> Fix
>> ------------------------------------------------------------------------
>> Microsoft released MS16-025 that fixes this vulnerability.
> Have you checked how Microsoft fixed it?
> Did they exercise all due diligence now, practised defense in depth
> and replaced the call to
>      LoadLibrary("wab32res.dll")
> with a call to
>      LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?
>

They still use LoadLibrary() to load wab32res.dll. Previously, they 
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended 
wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLPath using PathRemoveFileSpec(). By 
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, 
PathRemoveFileSpec() removes wab32.dll from the path. They also call 
ExpandEnvironmentStrings(), but that was also the case previously.

With kind regards,

Yorick
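The following is an added example, not code from the advisory, from the reply above or from Microsoft. It reproduces on a Windows host what wab32.dll computes from HKLM\Software\Microsoft\WAB\DLLPath before and after MS16-025 (string concatenation versus PathRemoveFileSpec() first; Split-Path -Parent is used here as the PowerShell equivalent of PathRemoveFileSpec()), and then loads the resource DLL the way Stefan's reply recommends, via LoadLibraryEx() with LOAD_LIBRARY_AS_DATAFILE, so that no DllMain() runs. The registry key and value names are the ones quoted in the reply; the Win32 P/Invoke wrapper (namespace Win32, class Kernel32) is an assumed helper written for this example.

```powershell
# Added example (not from the advisory or from Microsoft's code).
# Requires Windows with the Windows Address Book (WAB) installed.

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\WAB')
if (-not $key) { throw 'HKLM\SOFTWARE\Microsoft\WAB not found' }

# Read the raw value; by default the REG_EXPAND_SZ would be expanded for us,
# but we want to show the ExpandEnvironmentStrings() step explicitly.
$raw = $key.GetValue('DLLPath', $null,
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
if (-not $raw) { throw 'DLLPath value not present' }
$expanded = [Environment]::ExpandEnvironmentVariables($raw)   # ExpandEnvironmentStrings()

# Pre-MS16-025: wab32res.dll appended to a value that already ends in wab32.dll
$old = Join-Path $expanded 'wab32res.dll'
# MS16-025: PathRemoveFileSpec() drops the trailing "wab32.dll" first
$new = Join-Path (Split-Path -Path $expanded -Parent) 'wab32res.dll'

"DLLPath (raw):      $raw"
"old LoadLibrary():  $old    exists: $(Test-Path -LiteralPath $old)"
"new LoadLibrary():  $new    exists: $(Test-Path -LiteralPath $new)"

# Assumed helper for this example: minimal P/Invoke wrapper around kernel32.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

# Load the resource DLL as a data file: it is mapped, not executed, so its
# DllMain() is never called and it never becomes a code module of the process.
$LOAD_LIBRARY_AS_DATAFILE = 0x2
$h = [Win32.Kernel32]::LoadLibraryExW($new, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
if ($h -eq [IntPtr]::Zero) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "LoadLibraryEx failed: $([ComponentModel.Win32Exception]::new($err).Message)"
}

# A data-file mapping is not registered in the loader's module list, so it does
# not show up among the process modules; a LoadLibrary()-loaded DLL would.
$inModuleList = (Get-Process -Id $PID).Modules |
    Where-Object { $_.ModuleName -eq 'wab32res.dll' }
"loaded as data file; present in loader module list: $([bool]$inModuleList)"

[void][Win32.Kernel32]::FreeLibrary($h)
```

The first two output lines make the effect of the fix visible: the pre-MS16-025 concatenation yields a path that ends in "wab32.dll\wab32res.dll" and cannot exist, whereas the PathRemoveFileSpec() variant yields the real resource DLL under %CommonProgramFiles%\System. The last line shows the defense-in-depth point of the reply: with LOAD_LIBRARY_AS_DATAFILE a substituted DLL at that path could only ever be mapped as data, never executed.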




