Published: Nov 11, 2010
The Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has issued a security alert on the DLL(*1)/EXE load hijacking vulnerability, urging software developers to make sure that their software is free of it, given the increasing number of JVN reports on the subject in the last three months.
From September to November 2010, a number of software products were reported to have the DLL/EXE loading arbitrary code execution vulnerability(*2). Of these, 13 were fixed by the developer, and the vulnerability information has been published on JVN(*3). Because reports of this vulnerability keep coming in, IPA assumed that more software applications are affected and published this security alert to urge software developers to check their software and, if it is affected, fix it immediately.
The cause of the DLL/EXE loading arbitrary code execution vulnerability is a flaw in the way an application loads a DLL (Dynamic-Link Library) or EXE file. When the application loads a DLL or EXE file without specifying its path name, it searches for the file in the order specified by the Windows system. If, during the search, the application finds a DLL or EXE file maliciously placed by an attacker before it finds the correct file, it loads the malicious file, and arbitrary code is executed on the system.
The DLL/EXE file search also covers the current directory, that is, the directory in which the user is working at a given time. Shared folders on file servers and removable media such as USB memory sticks are especially exposed, since it is easy for an attacker to place a malicious file there. If the user is working in such a folder, the vulnerability is more likely to be exploited.
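The search behaviour described above, as an added example that is not part of the IPA alert: a simplified Python model that shows which file a bare-name load resolves to and that a fully specified path bypasses the search. The directory layout, the file name `helper.dll` and the search order are constructed for illustration and are not the exact Windows search list.

```python
import os
import tempfile


def resolve(name, search_dirs):
    """Return the path a loader would pick for `name`, or None.

    A name with a directory component is used as given (no search);
    a bare name is looked up in search_dirs, first match wins.
    """
    if os.path.dirname(name):
        return name if os.path.isfile(name) else None
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def audit(name, search_dirs, trusted_dirs):
    """Resolve `name` and report whether the hit lies in a trusted directory."""
    hit = resolve(name, search_dirs)
    trusted = {os.path.abspath(d) for d in trusted_dirs}
    ok = hit is not None and os.path.dirname(os.path.abspath(hit)) in trusted
    return {"loaded": hit, "trusted": ok}


def demo():
    """Build a constructed directory layout and compare bare vs. full-path loads."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "app")        # application directory
        work_dir = os.path.join(root, "share")     # stands in for the current directory
        system_dir = os.path.join(root, "system")  # where the legitimate file lives
        for d in (app_dir, work_dir, system_dir):
            os.makedirs(d)
        # Constructed sample: same file name in the system and working directories.
        for d in (system_dir, work_dir):
            open(os.path.join(d, "helper.dll"), "w").close()

        order = [app_dir, work_dir, system_dir]    # assumed order, current dir searched early
        trusted = [app_dir, system_dir]
        bare = audit("helper.dll", order, trusted)
        full = audit(os.path.join(system_dir, "helper.dll"), order, trusted)
        where = lambda r: os.path.basename(os.path.dirname(r["loaded"]))
        return where(bare), bare["trusted"], where(full), full["trusted"]


if __name__ == "__main__":
    print(demo())
```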

Applications that have the following characteristics may have this vulnerability.
Microsoft offers guidance on how to respond to this issue. Apply the countermeasure introduced in the guidance and fix the problem.
To read Microsoft’s guidance on the issue, visit the following URL:
(*1) Computer programs that are implemented separately from the main programs so that they can be shared by multiple programs.
(*2) Some of the attacks exploiting this vulnerability are called “Binary Planting” and “DLL Preloading Attack”.
(*3) Japan Vulnerability Notes. A portal for vulnerability countermeasure information that provides information on vendor responses to reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)