===================================================================== CERT-Renater Note d'Information No. 2010/VULN322 _____________________________________________________________________ DATE : 24/08/2010 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Windows. ====================================================================== http://www.microsoft.com/technet/security/advisory/2269637.mspx ______________________________________________________________________ Microsoft Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution Published: August 23, 2010 Version: 1.0 General Information Executive Summary Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems. Mitigating Factors: * This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks. * For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. * The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability. Affected and Non-Affected Software Microsoft is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will take appropriate action to protect its customers. Workarounds Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality: Disable loading of libraries from WebDAV and remote network shares Note This workaround requires installation of the tool described in Microsoft Knowledge Base Article 2264107. Microsoft has released a tool which allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis. Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue. Disable the WebClient service Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet. To disable the WebClient Service, follow these steps: 1. Click Start, click Run, type Services.msc and then click OK. 2. Right-click WebClient service and select Properties. 3. Change the Startup type to Disabled. If the service is running, click Stop. 4. Click OK and exit the management application. Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer. How to undo the workaround. To re-enable the WebClient Service, follow these steps: 1. Click Start, click Run, type Services.msc and then click OK. 2. Right-click WebClient service and select Properties. 3. Change the Startup type to Automatic. If the service is not running, click Start. 4. Click OK and exit the management application. Block TCP ports 139 and 445 at the firewall These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TechNet article, TCP and UDP Port Assignments. Impact of workaround. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below: Applications that use SMB (CIFS) Applications that use mailslots or named pipes (RPC over SMB) Server (File and Print Sharing) Group Policy Net Logon Distributed File System (DFS) Terminal Server Licensing Print Spooler Computer Browser Remote Procedure Call Locator Fax Service Indexing Service Performance Logs and Alerts Systems Management Server License Logging Service How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================