DLL Attack Review Part 1

I would like to share a few details and tricks about DLL attacks that may be useful to some people out there. A DLL (Dynamic Link Library) attack is an attack in which the attacker exploits the way a Windows application searches for the DLLs it loads.

The weakness in question is a vulnerable /PATH or other location that the attacker exploits so that malicious DLLs are loaded into the application and system. The malicious DLL is placed there so that the application finds it during its search and executes it at the same time.

Types of DLL attack

For those who are still not familiar with the attack, there are a few types of DLL attack, such as:

  • DLL search order attack
  • DLL side-loading attack
  • DLL Hijacking attack

DLL search order attack

This type of attack normally takes advantage of the search order of the Windows operating system: a malicious DLL is placed in the DLL search order, and the program loads and executes it from there.

DLL side-loading attack

This type of attack leverages a directory from WinSxS. It normally happens when a program is improperly configured, which may leave it open to vulnerabilities so that a malicious DLL can be loaded into the application or system.

DLL Hijacking attack

This type of attack normally uses an old version of a DLL that is still readable by the application. As a result, the attacker can take advantage of these vulnerabilities to insert a malicious DLL, which will then be executed.

Source: Windows Local Privilege Escalation – Services (DLL Hijacking)

Recommendation

There are a few recommendations that system administrators can follow, as stated below:

  1. Some researchers have suggested enabling SafeDllSearchMode to prevent attackers from exploiting the search path within the system or application.
  2. Make sure that only signed DLLs are used by most system procedures/processes and applications, and that only those can be loaded.
  3. Secure coding is the best practice for preventing DLL hijacking: the developer needs to write the code so that DLLs are loaded only from a trusted source in a specified path.
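
For recommendation 1 and the vulnerable /PATH location described earlier, the following read-only audit is an added example, not code from the original post. It reports whether SafeDllSearchMode is enabled and which machine PATH directories let broad, low-privileged groups create files; the function names are hypothetical, and it assumes the well-known SIDs for Everyone, Authenticated Users and BUILTIN\Users.

```powershell
# Added example (not from the original post). Read-only audit, Windows only.
function Test-SafeDllSearchMode {
    # Value lives under Session Manager; absent or non-zero means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $p = Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    return ($null -eq $p) -or ($p.SafeDllSearchMode -ne 0)
}

function Get-WritablePathDirectory {
    # Well-known SIDs for broad groups (locale independent).
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # FILE_ADD_FILE (0x2), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
    $createMask  = 0x2 -bor 0x10000000 -bor 0x40000000
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim('"')) } |
        Select-Object -Unique

    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if ($null -eq $acl) { continue }
        foreach ($r in $acl.GetAccessRules($true, $true, $sidType)) {
            # Skip deny rules and rules that only apply to child objects.
            if ($r.AccessControlType -ne 'Allow') { continue }
            if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            $sid = $r.IdentityReference.Value
            if ($broad.ContainsKey($sid) -and
                (([int]$r.FileSystemRights -band $createMask) -ne 0)) {
                [pscustomobject]@{
                    Directory = $dir
                    Group     = $broad[$sid]
                    Rights    = $r.FileSystemRights
                }
            }
        }
    }
}

"SafeDllSearchMode enabled: $(Test-SafeDllSearchMode)"
Get-WritablePathDirectory | Format-Table -AutoSize
```

Any directory this reports is a search-path location where a non-administrator can create files, so its permissions should be tightened or the entry removed from PATH.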


Author: Wan Ariff

He brings with him working experience in the information security field, specializing in penetration testing and digital forensics. His passion is IT security.
