First-line Windows DLL hijacking mitigation

The questions have started rolling in: how to stop the recently discovered vulnerability in Windows applications termed "Windows DLL hijacking". This is a serious exploit, given how easy the tools already published make it to exploit, and the huge number of applications found to be vulnerable. Add to that the difficulty of a "silver bullet" patch, and you have a serious mess on your hands.

The best explanation for the vulnerability I found was through this link:

http://isc.sans.edu/diary.html?storyid=9445

The short version: most applications load DLLs by file name rather than by full path. If Windows does not find the DLL in the application's own directory or the system directories (for example a DLL that ships with Vista but not with XP), it keeps walking the DLL search order, which includes the current working directory. When the application was started by opening a document from a USB stick, an SMB share or a WebDAV folder, that directory is under the attacker's control, so a planted DLL with the right name gets loaded and its code runs with the user's privileges.

As I said, there isn't a silver bullet fix, but you can mitigate the simple "drive-by" attacks quite easily. Again, it won't stop a seriously determined attacker, but it will stop the script kiddies and nuisances. The exploit depends on the victim opening a file from an attacker-controlled location, which in practice means compromised USB sticks, SMB file shares and WebDAV (web folders). Focusing on the network side, SMB is easy to block with port filtering at the perimeter (TCP 445, plus 137-139 for NetBIOS), and all unauthorised file sharing should be blocked anyway. The problem is web folders: WebDAV runs over port 80/443, the same as HTTP/S, so simple port filtering is a no-go because it would block all web traffic. We need a bit of Layer 7 filtering here. Specifically, if you block the PROPFIND HTTP method, which is used only by WebDAV (the Windows WebDAV client needs it to list the remote folder), the transaction never completes. Note that this only works where the filter can actually read the request: plain HTTP on port 80, or HTTPS on 443 only if a proxy intercepts the TLS session. There are a variety of ways to do this.

With Blue Coat, it's quite simple. In the Policy Manager, add a Web Access Layer with a rule that denies the PROPFIND WebDAV method:

[screenshot: dll_bluecoat]

With SonicWALL it's a bit more involved but simple nonetheless. You will need a unit that supports Application Firewall. Define an application object that matches the PROPFIND method:

[screenshot: dll_sonicwall1]

Then write a policy that drops any traffic matching the object above:

[screenshot: dll_sonicwall2]

From the free options, Untangle has regex matching, so you can implement something similar to the SonicWALL setup. Endian has a built-in IPS based on Snort, which means you can write a custom rule to do the above. At its very simplest, you can write a Linux iptables rule to block it, along the lines of:

iptables -A FORWARD -p tcp --dport 80 -m string --algo bm --string "PROPFIND " -j DROP

Two details matter here. HTTP methods are case-sensitive and always upper-case on the wire, so the match has to be on "PROPFIND " (with the trailing space); a lower-case pattern would never match a real request. And on a gateway the clients' requests transit the FORWARD chain; INPUT only sees traffic addressed to the firewall box itself. Add a copy of the rule for any other outbound HTTP ports you allow.

In all three cases, WebDAV was blocked. Be aware though, as I said, this is a first-line defence. Especially in the case of regex matching and iptables, these methods can be defeated by IDS evasion techniques (the simplest being to split the PROPFIND request line across two TCP segments, which a per-packet string match never sees as a whole), which is why somebody really determined will break through. Proxies make it harder, and eventually I think the firewall vendors will update their IPS rules to reflect this threat, which means it will be harder to evade since most employ IP reassembly techniques.
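To make the Layer 7 check and the evasion caveat concrete, here is a small Python model. It is an added example, not code from this post or from any of the products above. It parses the HTTP request line and decides on the method alone, emulates the per-segment byte search that the iptables string match performs, and shows what happens when the PROPFIND request line is split across two TCP segments, and when the word merely appears inside a harmless request. The HTTP requests and the split point are constructed for the example; nothing is captured from a real host.

```python
import re

# Constructed sample requests for the example (not captured traffic).
# This is the shape of the request the Windows WebDAV client sends to list
# a remote folder; the request line is all a Layer 7 filter needs to see.
PROPFIND_REQUEST = (
    b"PROPFIND /share/ HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Depth: 1\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# An ordinary POST whose body happens to contain the word. A byte search over
# the whole packet (what a string match does) drops this as well.
LOOKALIKE_POST = (
    b"POST /forum/reply HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"Anyone know why PROPFIND fails on this share?"
)

# HTTP methods are case-sensitive and upper-case on the wire (RFC 2616 5.1.1),
# so the request line is matched exactly; a lower-case 'propfind' is not a
# method a server would act on, and is not matched here either.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def request_method(request):
    """Return the method from the request line, or None when the bytes do not
    start with a well-formed HTTP request line."""
    m = REQUEST_LINE.match(request)
    return m.group(1).decode("ascii") if m else None


def is_webdav_request(request):
    """Layer 7 decision: block only when the method itself is PROPFIND."""
    return request_method(request) == "PROPFIND"


def packet_filter_matches(segment, needle=b"PROPFIND "):
    """Emulates a per-packet string match (iptables -m string): searches one
    TCP segment's payload for the needle, with no memory of earlier segments."""
    return needle in segment


def stream_filter_matches(segments):
    """Emulates a reassembling proxy or IPS: joins the segments of one
    connection and applies the Layer 7 check to the reassembled request."""
    return is_webdav_request(b"".join(segments))


def split_at(request, index):
    """Constructed evasion: deliver the request as two TCP segments so that
    the method name straddles the segment boundary."""
    return [request[:index], request[index:]]


if __name__ == "__main__":
    evasive = split_at(PROPFIND_REQUEST, 4)   # b"PROP" | b"FIND /share/ ..."
    print("whole request, packet match:", packet_filter_matches(PROPFIND_REQUEST))
    print("split request, packet match:", any(packet_filter_matches(s) for s in evasive))
    print("split request, stream match:", stream_filter_matches(evasive))
    print("lookalike POST, packet match:", packet_filter_matches(LOOKALIKE_POST))
    print("lookalike POST, stream match:", stream_filter_matches([LOOKALIKE_POST]))
```

The split at byte 4 is the simplest evasion; pipelined or chunked requests give an attacker more room, and nothing short of a TLS-intercepting proxy sees port 443 at all. That is why this approach stops drive-by use of the published tools but not a determined adversary, and why a device that reassembles the stream before matching is the stronger of the options above.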

PS: just to show how easy this exploit is, check out this video (it is done over an SMB share, but could just as easily be done over WebDAV):