If at first you don't succeed; call it version 1.0
Thursday, December 14, 2006

It has been over a month since my last post regarding the IE7 vulnerability. Thailand is really an amazing place for a honeymoon :)
The feedback on this issue was mixed. Some said it is an issue that should be fixed as soon as possible; others said it is a minor issue, a hoax, or just "old news".

Well, although I did not give the full details in my last post, it is definitely not a hoax, and as far as I know (and as far as Google knows) no one has ever reported this specific issue in Internet Explorer.
As a workaround, Thierry Zoller suggested enabling the “Enable Safe DLL Search Order” feature.
Others pointed out that the Desktop folder is not in the user’s PATH by default. While this is true, when “Safe DLL Search Order” is disabled the loader looks for the DLL in the current directory immediately after Internet Explorer’s own directory, so PATH never comes into play. As most users launch Internet Explorer from the Desktop, the current directory will of course be the user’s Desktop (see screenshot below).

The following DLL file names can be used to exploit the IE7 DLL-load hijacking vulnerability:
• sqmapi.dll
• imageres.dll
• schannel.dll

Proof-of-concept code for this vulnerability can be found at milw0rm.
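To make the search-order argument above concrete, here is an added Python model (not code from this post, from the milw0rm proof of concept, or from Microsoft) that resolves a DLL name against the documented loader order with Safe DLL Search Order off and on. The directory contents in `SAMPLE_DIRS` are constructed, and the labels `app`, `cwd`, `system32`, `system`, `windows` and `path` are my own shorthand for the loader's directories.

```python
"""Model of the Win32 DLL search order with SafeDllSearchMode off versus on.

Added example, not part of the original post. Only the directory order
follows Microsoft's documented loader behaviour; the directory contents in
SAMPLE_DIRS are constructed. KnownDLLs, manifests and SetDllDirectory are
ignored, so treat the result as a first-pass check, not a loader emulation.
"""
from typing import Dict, List, Optional

# SafeDllSearchMode disabled: the current directory is consulted right after
# the application's directory, ahead of System32.
UNSAFE_ORDER = ["app", "cwd", "system32", "system", "windows", "path"]
# SafeDllSearchMode enabled: the current directory moves below the Windows
# directories, so it can no longer shadow a DLL that ships in System32.
SAFE_ORDER = ["app", "system32", "system", "windows", "cwd", "path"]

# Constructed layout: IE launched from the Desktop (cwd) with two stray DLLs.
SAMPLE_DIRS: Dict[str, List[str]] = {
    "app": ["ieframe.dll"],                 # Program Files\Internet Explorer
    "cwd": ["schannel.dll", "sqmapi.dll"],  # the user's Desktop
    "system32": ["schannel.dll", "kernel32.dll"],
    "path": ["imageres.dll"],               # somewhere on %PATH%
}


def resolve(dll: str, dirs: Dict[str, List[str]], safe_mode: bool) -> Optional[str]:
    """Return the label of the directory the loader would take `dll` from, or None."""
    order = SAFE_ORDER if safe_mode else UNSAFE_ORDER
    name = dll.lower()
    for label in order:
        if any(f.lower() == name for f in dirs.get(label, [])):
            return label
    return None


def shadowed_from_cwd(dll: str, dirs: Dict[str, List[str]]) -> Dict[str, bool]:
    """Does a copy of `dll` in the current directory win in each mode?"""
    return {
        "safe_mode_off": resolve(dll, dirs, safe_mode=False) == "cwd",
        "safe_mode_on": resolve(dll, dirs, safe_mode=True) == "cwd",
    }


if __name__ == "__main__":
    for dll in ["schannel.dll", "sqmapi.dll", "imageres.dll"]:
        print(dll, shadowed_from_cwd(dll, SAMPLE_DIRS))
```

In the constructed layout the workaround protects `schannel.dll`, which has a copy in System32, but not `sqmapi.dll`, which exists nowhere else on the sample system and is therefore still found in the current directory; PATH is consulted last in both modes, which is why the Desktop's absence from PATH makes no difference.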

Thursday, December 14, 2006 9:36:01 AM UTC | Comments [7] | Security#
Friday, December 15, 2006 4:01:25 PM UTC
I built it (you need to prefix those LPCWSTR string literals with a "L") and tried it and it doesn't load anything. I launched IE7 from the desktop, CALC is in the right location.
Friday, December 15, 2006 10:45:31 PM UTC
Hi Larry,
Which OS? Are you using a clean installation?
You can try using (at your own risk!) a compiled version by downloading it from here: http://aviv.raffon.net/content/binary/ie7.dll
Don't forget to rename it to one of the file names mentioned above.

Sysinternals' Process Monitor (or FileMon) can be useful too, in order to check if your machine is vulnerable. (http://www.microsoft.com/technet/sysinternals)
Saturday, December 16, 2006 2:17:26 AM UTC
I was using XP SP2. I don't think the latest series of patches were applied when I did the testing; I did that later today. But it was patched up as of a few days ago. I think I'll decline downloading the binary version. You can download mine from http://www.larryseltzer.com/crack/_sqmapi.dll
Saturday, December 16, 2006 7:30:22 AM UTC
It worked perfectly for me. Any tips on making it execute two commands like...

"net user x x /add | net localgroup administrators x /add"

Something isn't parsing correctly and throws a net error.

Sunday, December 17, 2006 10:53:50 PM UTC
After further testing I have been able to get it to execute some, not consistently. Aviv and I have been e-mailing and can't really tell why it's not reliable, but when it fails IE isn't attempting to load the DLL.
Saturday, April 21, 2007 4:46:30 PM UTC
I love Thailand.
Wednesday, September 12, 2007 3:08:57 PM UTC
According to the list this should not be the case, as the PATH statement is checked ONLY after every other path has already been searched for that DLL (I have seen this too), so either the list offered on the MS site is wrong or?