Bugtraq mailing list archives
Re: Windows Mail Find People DLL side loading vulnerability
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 9 Mar 2016 13:18:13 +0100
"Securify B.V." wrote:
------------------------------------------------------------------------ Windows Mail Find People DLL side loading vulnerability ------------------------------------------------------------------------ Yorick Koster, September 2015
[...]
- CVE-2016-0100 - MS16-025: Security Update for Windows Library Loading to Address Remote Code Execution (3140709) ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully verified on Windows Vista + Office 2010 32-bit.
This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!
"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!
Either
LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.
------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Microsoft released MS16-025 that fixes this vulnerability.
Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
LoadLibrary("wab32res.dll")
with a call to
LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?
------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html
stay tuned Stefan
Current thread:
- Windows Mail Find People DLL side loading vulnerability Securify B.V. (Mar 08)
- Re: Windows Mail Find People DLL side loading vulnerability Stefan Kanthak (Mar 09)
- Re: Windows Mail Find People DLL side loading vulnerability Securify B.V. (Mar 09)
- Re: Windows Mail Find People DLL side loading vulnerability Stefan Kanthak (Mar 09)