The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability note 9879

Windows: code execution via DLL Preload

Synthesis of the vulnerability

An attacker can use a malicious DLL in order to execute code in the context of the targeted application.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows NT, Windows Vista, Windows XP.
Severity of this bulletin: 2/4.
Consequences of an intrusion: user access/rights.
Hacker's origin: user account.
Creation date: 25/08/2010.
Références of this threat: 2269637, VIGILANCE-VUL-9879, VU#707943.

Description of the vulnerability

An application can use several DLL libraries (Dynamic Link library).

When an application uses a function of a DLL, it is first loaded via LoadLibrary(), and then the function is called.

If the application does not specify the DLL path, Windows searches the DLL at many places (current directory, system directory, etc.) and loads the first match. When a malicious DLL with the same name is located in the search path, it is thus loaded before the legitimate DLL.

An attacker can therefore place a malicious DLL in a WebDAV of SMB share, and can invite the victim to open a document from this site, in order to execute code in the context of the targeted application.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability database. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce vulnerability database contains several thousand vulnerabilities.