[VIM] DLL hell: 2010
jericho at attrition.org
Fri Aug 27 13:39:36 CDT 2010
: Anybody giving thought to what they will do if / when every single vuln
: that's affected by DLL hijacking / library loading is actually reported?
: Maybe it's worse for CVE because we have a "CVE-10K" problem (i.e. what
: to do if we hit CVE-yyyy-9999) but at some point one has to wonder about
: the usability of VDBs if they're completely swamped by this issue.

We are adding them as normal, and abstracting per application 99% of the
time since there are two big factors that change with each: the affected
library(ies) and the types of file a user can open to trigger it.

: It's got to be on the order of hundreds if not thousands of potentially
: vulnerable apps. Apparently exploit-db has given up doing individual
: records for them.

I was telling Carsten last night that I expect a big wave of them, that
we had only seen the tip of the iceberg. However, I am really surprised
that F-D hasn't been flooded with them yet, which suggests that maybe it
won't be as big as we realize. Perhaps even those who favor low hanging
fruit think it is too low? On the other hand, I'd throw down a few dollars
betting that we will see at least one mega-report listing hundreds of
vulnerable applications. I imagine it wouldn't take much to develop a
program that systematically checks all programs on a computer and produces
a report of DLLs that are subject to the issue.

Carsten also brought up the point of false positives in the reports and
how they are growing. Last night, I noticed one on Exploit-DB that they
confirmed as valid but 'step 2' speaks volumes:
http://exploit-db.com/exploits/14793/. We also had a discussion about
another (PuTTY) and if it was valid. I posited that if I could write a DLL
into the same directory as putty.exe, why not just replace the .exe. He
tested and confirmed that on XP, a user could not overwrite another user's
file, but could write into the directory it was installed in. That makes
the PuTTY posting valid (exploit-db 14796).

I also ran into another where the vendor was told "your product is
vulnerable to this". The vendor realized that an older version of the
product was (technically), the current product was not, and that the old
version was only vulnerable because it used Qt, which is vulnerable.

I believe that we will keep seeing these, but perhaps not as fast as I
thought. I'd imagine we're also going to see several more of these false
reports, and they may be more prone to being missed because every VDB is
under extra strain keeping up with the flood.
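The PuTTY discussion above turns on one precondition: a standard user can create files in the directory the executable lives in, even though the .exe itself is not overwritable. The following PowerShell audit, added here as an example and not part of the VIM post or any of the tools it mentions, walks the Program Files trees (the default for the assumed $Roots parameter), collects every directory that holds an .exe, and reports those whose ACL grants create/write rights to low-privilege principals. The principal list and the rights mask are assumptions chosen for a default Windows install; run it as an administrator so every ACL is readable.

```powershell
# Added example (not from the VIM post): report program directories that a
# standard user can plant a file in. Assumes $Roots defaults to the Program
# Files trees; run elevated so Get-Acl can read every directory's ACL.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
)

# Rights that let a non-admin create a new file (e.g. a DLL) in a directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals treated as "any standard user" (assumed list for a default install).
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    # Every directory that holds an .exe is on that executable's DLL search path.
    Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DirectoryName -Unique |
        ForEach-Object {
            $dir = $_
            try {
                if (Test-LowPrivWritable -Path $dir) {
                    $exes = (Get-ChildItem -LiteralPath $dir -Filter *.exe -File).Name -join ', '
                    [pscustomobject]@{ Directory = $dir; Executables = $exes }
                }
            } catch {
                Write-Warning "Could not read ACL for ${dir}: $($_.Exception.Message)"
            }
        }
}

$findings | Format-Table -AutoSize
```

A hit from this script only establishes the precondition the post describes; it says nothing about whether a given program actually loads a library from its own directory in an insecure way, which is exactly the gap that produces the false-positive reports Carsten raised. Per-user installs outside Program Files are not covered by the default roots and have to be passed in explicitly.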