<h1>It rather involved being on the other side of this airtight hatchway: Disabling Safe DLL searching</h1>
<p>
The Old New Thing, 2013-07-05.
<a HREF="https://devblogs.microsoft.com/oldnewthing/20130705-00/?p=3883">https://devblogs.microsoft.com/oldnewthing/20130705-00/?p=3883</a>
</p>
<p>
The
<a HREF="http://www.microsoft.com/security/msrc/collaboration/research.aspx">Microsoft Vulnerability Research</a>
team discovered a potential
<a HREF="http://blogs.msdn.com/b/oldnewthing/archive/2010/11/11/10089223.aspx">current directory attack</a>
in a third-party program.
The vendor, however, turned around and forwarded the report
to the
<a HREF="http://www.microsoft.com/security/msrc/default.aspx">Microsoft Security Response Center</a>:
</p>
<blockquote CLASS="q">
<p>
Our investigation suggests that this issue is due to a bug
in Microsoft system DLLs rather than our program.
When a process is launched,
for example, when the user double-clicks the icon in Explorer,
a new process object is created, and the DLLs are loaded
by a component known as the Loader.
The Loader locates the DLLs,
maps them into memory,
and then calls the DllMain function for each of the modules.
It appears that some Microsoft DLLs obtain DLLs from the
current directory and are therefore susceptible to a current
directory attack.
We created a simple Win32 application which demonstrates the issue:
</p>
<pre>
#include &lt;windows.h&gt;

// Minimal program: the only work it does is display a message box.
int __cdecl main(int argc, char **argv)
{
    return MessageBox(NULL, "Test", "Test", MB_OK);
}
</pre>
<p>
If you place a fake copy of <code>DWMAPI.DLL</code>
in the same directory as the application,
then the Loader will use that fake copy instead of the system one.
</p>
<p>
This technique can be used to attack many popular programs.
For example, placing a fake copy of
<code>DWMAPI.DLL</code> in the
<code>C:\Program Files\Internet Explorer</code> directory
allows it to be injected into Internet Explorer.
Placing the file in the
<code>C:\Program Files\Adobe\Reader 9.0\Reader</code> directory
allows it to be injected into Adobe Reader.
</p>
</blockquote>
<p>
(I like how the report
<a HREF="http://blogs.msdn.com/b/oldnewthing/archive/2009/04/09/9539191.aspx">begins with some exposition</a>.)
</p>
<p>
The vendor appears to have confused two directories,
the current directory and the application directory.
They start out talking about a current directory attack,
but when the money sentence arrives,
they talk about placing the rogue DLL
“in the same directory as the application,”
which makes this not a current directory attack
but an application directory attack.
</p>
<p>
We saw some time ago that
<a HREF="http://blogs.msdn.com/b/oldnewthing/archive/2011/06/20/10176772.aspx">the directory is the application bundle</a>,
and the application bundle can override DLLs in the system directory.
Again, this is just another illustration of the importance of
<a HREF="http://blogs.msdn.com/b/oldnewthing/archive/2012/10/31/10364271.aspx">securing your application directory</a>.
</p>
<p>
The specific attacks listed at the end of the report
require writing into
<code>C:\Program Files</code>,
but in order to drop your rogue <code>DWMAPI.DLL</code> file
into that directory,
you need to have administrative privileges in the first place.
</p>
<p>
In other words, in order to attack the system,
you first need to get on the other side of the airtight hatchway.
</p>
<p>
There was one final attempt to salvage this bogus vulnerability report:
</p>
<blockquote CLASS="q">
<p>
We can also reproduce the problem without requiring write access
to the <code>Program Files</code> directory
by disabling
<a HREF="http://msdn.microsoft.com/library/ms682586">Safe DLL searching</a>.
</p>
</blockquote>
<p>
Nice try.
In order to disable Safe DLL searching,
you need to have administrator privileges,
so you’re already on the other side of the airtight hatchway.
And if you elevate to administrator
and disable Safe DLL searching,
then is it any surprise that you have unsafe DLL searching?
This is just another case of
<a HREF="http://blogs.msdn.com/b/oldnewthing/archive/2010/01/14/9948124.aspx"><i>If you set up an insecure system, don’t be surprised that there’s
a security vulnerability</i></a>.
</p>