[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Windows Mail Find People DLL side loading vulnerability

Hi Stefan,

See below.

On 09-03-16 13:18, Stefan Kanthak wrote:
"Securify B.V." wrote:
Windows Mail Find People DLL side loading vulnerability
Yorick Koster, September 2015

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
     LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

     LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.

Microsoft released MS16-025 that fixes this vulnerability.
Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
with a call to
     LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?

They still use LoadLibrary() to load wab32res.dll. Previously, the fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). By default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, PathRemoveFileSpec() removes wab32.dll from the path. They also call ExpandEnvironmentStrings(), but that was also the case previously.

With kind regards,