How Do I Prevent DLL Hijacking?

A DLL, or Dynamic Link Library, is a Windows file format that holds code and procedures shared by applications, so that several programs can use the same library at the same time. The advantage of such an arrangement is that it saves memory. A user can also update the code used by multiple applications at once, without changing each application individually.

What is DLL Hijacking?

When a Windows application starts, it typically loads DLLs. If it requests a DLL that is not present, or loads one insecurely (the full path of the DLL is not specified), a kind of privilege escalation called DLL hijacking becomes possible.

When can DLL hijacking occur?

In the latest versions of Windows, the paths C:\Program Files and C:\Windows are usually not writable by standard users. So the attack can be carried out if the application in question is installed outside the default directories or is run from a network share.

When an exe is loaded, the program looks for its DLLs in a particular order, as shown below:

  • The directory in which the application is installed
  • C:\Windows\System32
  • C:\Windows\System
  • C:\Windows
  • The current working directory
  • Directories in the system PATH environment variable
  • Directories in the user PATH environment variable

As is evident from the above, while loading, the application first looks for the missing DLLs in the directory in which it is installed, and only then in the system directories. If the application is installed outside the system directories, it may be possible to place a malicious file there and gain privileges.
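The search order above, turned into a check a defender can run: this added example (not from the original article) lists the directories Windows will search for one application and flags every one that a standard, non-admin user could write to. A writable directory that comes before the one holding the genuine DLL, or any writable directory at all for a DLL the application never finds, is a planting point whose ACL must be fixed. It assumes SafeDllSearchMode is left at its Windows default (so the order is the article's), that the script runs elevated so every ACL can be read, and the example path C:\Tools\app.exe is a placeholder.

```powershell
# Added example: audit the DLL search order of one application for
# directories writable by standard users. Assumes SafeDllSearchMode on
# (the default) and an elevated shell.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath   # full path of the application's .exe (placeholder: C:\Tools\app.exe)
)

# Principals whose Allow ACE means "any local account can drop a file here".
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteData  = [System.Security.AccessControl.FileSystemRights]::WriteData    # create/overwrite a file
$AppendData = [System.Security.AccessControl.FileSystemRights]::AppendData   # create a subdirectory

function Test-LowPrivWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Deny ACEs and generic (negative raw value) rights are not evaluated here,
        # so a hit is a candidate to confirm, not a proven write path.
        if (($ace.FileSystemRights -band $WriteData) -ne 0 -or
            ($ace.FileSystemRights -band $AppendData) -ne 0) { return $true }
    }
    return $false
}

function Get-DllSearchOrder {
    param([string]$AppDir)
    $order = @(
        $AppDir,                        # 1. directory in which the application is installed
        "$env:SystemRoot\System32",     # 2.
        "$env:SystemRoot\System",       # 3.
        $env:SystemRoot,                # 4.
        (Get-Location).Path             # 5. current directory (of this shell; the app's may differ)
    )
    foreach ($scope in 'Machine', 'User') {   # 6. system PATH, then 7. user PATH
        $pathVar = [Environment]::GetEnvironmentVariable('Path', $scope)
        if ($pathVar) {
            $order += $pathVar.Split(';') | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() }
        }
    }
    return $order
}

$appDir   = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path
$position = 0
$report = foreach ($dir in Get-DllSearchOrder -AppDir $appDir) {
    $position++
    [PSCustomObject]@{
        Order           = $position
        Directory       = $dir
        Exists          = Test-Path -LiteralPath $dir -PathType Container
        LowPrivWritable = Test-LowPrivWritable -Dir $dir
    }
}
$report | Format-Table -AutoSize

$hits = @($report | Where-Object LowPrivWritable)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) search-order directories are writable by standard users; tighten their ACLs or remove them from PATH."
}
```

Position 1 is the one the article's POC relies on: if the application directory is writable, every DLL the application cannot find in the system directories can be supplied from there. Entries 5 to 7 matter for the same reason, and a stray writable PATH entry is a common finding on machines where the application directory itself is locked down.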

POC on a Windows System

The key point here is to find out which DLLs the application is looking for. This can be done by searching for NAME NOT FOUND in Procmon.

Steps to Reproduce:

  1. Start Procmon.exe and set the filter.

  2. Start the application and look for NAME NOT FOUND in Procmon. It is observed in Procmon that the application is looking for a DLL “WINMM.dll” that is not found.

  3. Create a DLL with the below code:

     #include <windows.h>

     int dll_hijack(void)
     {
         WinExec("calc", 0); // boring payload
         // exit(0); // ;)
         return 0;
     }

     // Entry point the loader calls when the DLL is mapped into the process.
     BOOL WINAPI DllMain(
         HINSTANCE hinstDLL,
         DWORD     fdwReason,
         LPVOID    lpvReserved)
     {
         dll_hijack();
         return TRUE; // FALSE would make the loader treat the load as failed
     }

  4. Name this DLL WINMM.dll and place it in the directory where the application is installed.

  5. Close the application and restart it. A calculator will be executed.

Screenshots:

Fig 1: Filter applied in ProcMon
Fig 2: Malicious DLL created and placed in the location
Fig 3: Calculator is executed

Remediation

  1. The hash of the DLL has to be encrypted (i.e. signed) with a private key.
  2. The public key, the "encrypted hash" and the salt must be embedded in the application.
  3. On application start, decrypt the "encrypted hash" with the public key.
  4. Generate the hash again at runtime with the same salt, and compare it with the hash decrypted using the public key.
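The four steps above, carried out end to end as an added example that is not the article's own code, using .NET's RSA and SHA-256 from PowerShell. New-DllSignature is the build-time side (it holds the private key and produces the values the application embeds); Test-DllIntegrity is the run-time side and has only the public key. The DLL bytes, salt and key pair are constructed in memory so the script runs without a real file, and the function names are mine.

```powershell
# Added example (not the article's code): remediation steps 1-4 with .NET RSA
# and SHA-256. The "DLL" bytes below are a constructed placeholder, not a real PE.

function Get-SaltedDllHash {
    param([byte[]]$DllBytes, [byte[]]$Salt)
    # Step 4's hash: SHA-256 over salt || DLL bytes, computed the same way at build and run time.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash([byte[]]($Salt + $DllBytes)) } finally { $sha.Dispose() }
}

function New-DllSignature {
    param([byte[]]$DllBytes)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
    try {
        # Step 1: sign ("encrypt with the private key") the salted hash.
        $hash = Get-SaltedDllHash -DllBytes $DllBytes -Salt $salt
        $sig  = $rsa.SignHash($hash,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        # Step 2: the values the application embeds. Only the public half of the key leaves here.
        $pub = $rsa.ExportParameters($false)
        return @{
            Modulus   = [Convert]::ToBase64String($pub.Modulus)
            Exponent  = [Convert]::ToBase64String($pub.Exponent)
            Salt      = [Convert]::ToBase64String($salt)
            Signature = [Convert]::ToBase64String($sig)
        }
    } finally { $rsa.Dispose() }
}

function Test-DllIntegrity {
    param([byte[]]$DllBytes, [hashtable]$Embedded)
    $pub = New-Object System.Security.Cryptography.RSAParameters
    $pub.Modulus  = [Convert]::FromBase64String($Embedded.Modulus)
    $pub.Exponent = [Convert]::FromBase64String($Embedded.Exponent)
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    try {
        $rsa.ImportParameters($pub)
        # Step 4: recompute the hash with the embedded salt, then
        # step 3: check it against the embedded signature with the public key.
        $hash = Get-SaltedDllHash -DllBytes $DllBytes -Salt ([Convert]::FromBase64String($Embedded.Salt))
        return $rsa.VerifyHash($hash, [Convert]::FromBase64String($Embedded.Signature),
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    } finally { $rsa.Dispose() }
}

# Constructed stand-ins for the DLL on disk.
$genuineDll = [System.Text.Encoding]::ASCII.GetBytes('MZ constructed genuine WINMM.dll contents')
$embedded   = New-DllSignature -DllBytes $genuineDll       # done once, at build time
$tampered   = [byte[]]($genuineDll.Clone())
$tampered[-1] = $tampered[-1] -bxor 1                      # a planted DLL differs in at least one bit

Test-DllIntegrity -DllBytes $genuineDll -Embedded $embedded
Test-DllIntegrity -DllBytes $tampered   -Embedded $embedded
```

The first call returns $true and the second $false. In a real application the same logic runs in the application's own language, and the verification must happen on the file bytes before the DLL is loaded, followed by loading it by its full path as the article notes earlier. Two caveats: the embedded public key and signature are only as trustworthy as the executable that carries them, so the application directory itself must not be writable by standard users; and the check covers only DLLs the application verifies explicitly, not ones the loader resolves on its own at startup.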

Authored By - Paramita Das
TCS Cyber Security Practice
