
Vulnerability disclosure: DLL Hijacking

Cryptix edited this page Jul 23, 2018 · 2 revisions

Copy of a vulnerability report by @rugk. After this report, the issues were fixed: one in dnscrypt-proxy (released in v1.6.1) and one in SimpleDnsCrypt (released in v0.3.2).

Hi,
You have probably heard about the Java issue that affected its installer. (http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html)
However, this issue also affects multiple other installers, as a security researcher has shown. (https://packetstormsecurity.com/files/author/6137/) It is called DLL Hijacking. I've copied a few general statements from there, as they also apply to this issue.
There is also a German Wikipedia article about this: https://de.wikipedia.org/wiki/DLL_Hijacking

So I had a look at whether your installers are also vulnerable. Here are my results.
Note: You can reply to me in German. However, since I will publish this bug report later, I will write most of it here in English.

So at first: Your installer is an MSI file. As this is the native installer format, this installer is not vulnerable AFAIK and as far as my research has shown.
However the //REMOVED EXE// has some DLL Hijacking issues, which I'll report to //REMOVED THIRD-PARTY//.

So let's come to SimpleDnsCrypt.exe itself. DNSCrypt seems to copy the libsodium.dll library to the temp dir. The path is like this:
> %temp%\Costura\D1FF96F46A07D56ECBF376D6830C20EB\32\libsodium.dll

This may be a vulnerability, as the temp directory is writable without admin rights, and therefore should be fixed. Since SimpleDnsCrypt.exe always runs with admin privileges and loads this library from the temp path, this may be a privilege escalation if the DLL is (maliciously) modified beforehand.
However, I don't know whether the file (or the file's signature) is checked before it is executed. If so, this is of course not an issue.
But anyway, you should not load any DLL from an insecure folder. Why not just load the DLL directly?

So finally, there is one issue where I can prove that it at least breaks the functionality of DNSCrypt, and it is very likely that it is also a vulnerability: when SimpleDnsCrypt.exe executes dnscrypt-proxy.exe (as a service), it does not take into account that the path to dnscrypt-proxy.exe may contain spaces.

So have a look at http://msdn.microsoft.com/library/cc144175.aspx and http://msdn.microsoft.com/library/cc144101.aspx which explain how it should be handled correctly:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

So remember to always quote a file path, also when you register it as a driver.
Finally here is a GIF, which shows the issue and how it can be solved: https://mega.nz/#!HFh1waqQ!iY-8gCvthQaquYhKETKw7sG8wunX9OjVNHjLPHUWFkk

Here are the steps to reproduce the issue:
1. Download http://home.arcor.de/skanthak/download/SENTINEL.EXE, copy it to C:\ and rename it to Program.exe.

2. Try to start the dnscrypt-proxy from SimpleDnsCrypt.exe. You'll see that it fails without an error message.

3. You'll see a message box from C:\Program.exe.

Best regards,
<private>
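The concern about the extracted libsodium.dll can be checked on a running system. The following PowerShell is an added example, not code from the report, from SimpleDnsCrypt or from Costura: it walks %TEMP%\Costura (assumed here to be the extraction root, as in the path quoted in the report), and for each DLL found reports its Authenticode status and whether a non-administrative principal holds write access to the directory it was extracted into. The list of low-privilege principal names is an assumption for a typical workstation.

```powershell
# Added example (not the report's, SimpleDnsCrypt's or Costura's code).
# Lists native DLLs extracted under %TEMP%\Costura together with their
# Authenticode status and whether the containing directory is writable
# by a principal that does not need admin rights.
function Get-CosturaDllExposure {
    param(
        # Assumption: Costura extracts into <TEMP>\Costura\<hash>\<bitness>\
        [string]$Root = (Join-Path $env:TEMP 'Costura')
    )
    if (-not (Test-Path -LiteralPath $Root)) { return }

    # Assumed low-privilege principals: anything a non-admin process runs as.
    # The current user is included because an elevated SimpleDnsCrypt.exe
    # still uses that user's TEMP directory.
    $lowPriv = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        "$env:USERDOMAIN\$env:USERNAME"
    )
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write

    Get-ChildItem -LiteralPath $Root -Recurse -Filter '*.dll' | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.DirectoryName
        # Any Allow ACE that grants a write-type right to a low-privilege principal
        $writable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            ([int]($_.FileSystemRights -band $writeBits)) -ne 0
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Dll                  = $_.FullName
            SignatureStatus      = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            DirWritableByLowPriv = [bool]$writable
        }
    }
}

Get-CosturaDllExposure | Format-List
```

A DLL that shows NotSigned (or a signer the loading process does not verify) in a directory where DirWritableByLowPriv is true is the condition the report describes: an unprivileged process can replace the file between extraction and LoadLibrary. An Authenticode signature on disk only helps if the loader actually validates it before loading, which this check cannot tell you.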

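The unquoted-path issue and the quoting rule from the MSDN note can likewise be audited and fixed. The PowerShell below is an added example, not the report's or either project's code. Get-UnquotedServicePath lists every service whose command line is unquoted and has a space inside the executable path, together with the files CreateProcess would try before the real executable (the list that makes C:\Program.exe in the reproduction steps work). Repair-ServicePathQuoting rewrites a service's ImagePath with the executable quoted; it assumes the executable is the first space-delimited prefix that exists on disk, which is the same probing rule CreateProcess applies, and it needs an elevated shell because it writes under HKLM.

```powershell
# Added example (not the report's, SimpleDnsCrypt's or dnscrypt-proxy's code).
# Audit and repair of unquoted service binary paths that contain spaces.

function Get-UnquotedServicePath {
    # Win32_Service.PathName is the command line the Service Control Manager
    # hands to CreateProcess. Only the part up to ".exe" matters here; spaces
    # in the arguments after the executable are harmless.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd -or $cmd -match '^\s*"') { return }    # empty or already quoted
        $exeEnd = $cmd.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { return }                         # not an .exe path, skipped
        $exePart = $cmd.Substring(0, $exeEnd + 4)
        if ($exePart -notmatch ' ') { return }                # no space inside the path itself

        $parts = $exePart -split ' '
        # Before reaching the real executable, CreateProcess tries every shorter
        # space-delimited prefix with ".exe" appended. For
        # "C:\Program Files\X\svc.exe" the first attempt is "C:\Program.exe",
        # the file planted in the reproduction steps above.
        $targets = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name          = $_.Name
            RunsAs        = $_.StartName       # LocalSystem here means full privilege escalation
            PathName      = $cmd
            HijackTargets = $targets
        }
    }
}

function Repair-ServicePathQuoting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($path -match '^\s*"') { return $path }               # already quoted, nothing to do

    # Assumption: the executable is the first space-delimited prefix that exists
    # as a file, the same rule CreateProcess uses when it probes the candidates.
    $parts = $path -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $exe = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $rest = if ($i -lt $parts.Count) { ' ' + ($parts[$i..($parts.Count - 1)] -join ' ') } else { '' }
            $fixed = "`"$exe`"$rest"
            if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
                Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed
            }
            return $fixed
        }
    }
    throw "Could not locate the executable inside ImagePath '$path'; quote it by hand."
}

# Usage: list findings first, then preview the rewrite before applying it.
Get-UnquotedServicePath | Format-List
# Repair-ServicePathQuoting -Name 'dnscrypt-proxy' -WhatIf
```

Run the audit first and check the RunsAs column: a LocalSystem service with an unquoted path under C:\Program Files is exactly the case the report describes. Repair-ServicePathQuoting with -WhatIf prints the ImagePath it would write without touching the registry; after applying it, restart the service so the Service Control Manager picks up the quoted command line. The same result can be achieved with sc.exe config <name> binPath= and a quoted string, which is what an installer should have written in the first place.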
----
Timeline:

* 2016-02-16: sent

* 2016-02-17: issues confirmed; the issue with spaces in the path to dnscrypt-proxy was forwarded to Frank Denis (author of dnscrypt-proxy)

  Replied, mentioning the DLL hijacking issue with the used "exe" mentioned previously.

* 2016-02-14: Quoting issue fixed: https://github.com/jedisct1/dnscrypt-proxy/commit/539d622c3c5a9ba99dcdd0e0b07ecde838e008d4

* 2016-04-05: Requesting state of other issues. 

* 2016-06-07: Fixed version of SimpleDnsCrypt released

* 2016-06-23: Vulnerability report published