Monday, August 30, 2010

A summary of DLL hijacking - what I did...

Workaround 1
1. Install the patch 2264107 and set CWDIllegalInDllSearch=0xFFFFFFFF
Benefit
Removes the current working directory from the DLL search order entirely, no matter whether it is local, a UNC share or a WebDAV folder. This reduces the risk to a very low level.
Impact
1). The patch 2264107 seems to interfere with wireless cards; I saw it on the E6400 with the 1510 wireless card.
2). May break some applications that rely on loading DLLs from the current directory. A list of potentially affected software is in the attachment "Potentially vulnerable applications.docx"; you can also find it online: http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
--------------------------------------------------------------
Workaround 2
2. Install the patch 2264107 and set CWDIllegalInDllSearch=1
Benefit
Prevents an application from loading a library from the current working directory when that directory is a WebDAV location.
Impact
1). The patch 2264107 seems to interfere with wireless cards; I saw it on the E6400 with the 1510 wireless card.
2). Still vulnerable when the current working directory is a remote (UNC/SMB) file share, and to the local DLL attack.
---------------------------------------------------------------
Workaround 3
3. Install the patch 2264107 and set CWDIllegalInDllSearch=2
Benefit
Prevents an application from loading a library from the current working directory when that directory is a WebDAV location or a remote UNC share.
Impact
1). The patch 2264107 seems to interfere with wireless cards; I saw it on the E6400 with the 1510 wireless card.
2). Does not prevent the local DLL attack (a DLL dropped beside the document in a local folder, for example an extracted archive).
---------------------------------------------------------------
Workaround 4
4. Block outbound SMB and WebDAV traffic to untrusted networks at the perimeter. SMB uses TCP 445 (and TCP 139 for NetBIOS over TCP/IP). WebDAV runs over HTTP/HTTPS (TCP 80/443), so it cannot be blocked by port without breaking web browsing; disabling the WebClient service on the workstations closes the WebDAV path instead.
Benefit
Prevents the attack from outside the network.
Impact
1). Cannot be applied inside the internal network, because users need their file shares, so it does nothing against an insider or an already compromised internal host.
---------------------------------------------------------------
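Setting the registry value by hand on every machine, and remembering which ones got an exception, gets old quickly. The script below is an added example, not part of the original post: it writes the CWDIllegalInDllSearch value that KB 2264107 reads, supports a per-application override for software that breaks under workaround 1, stops the WebClient service (the WebDAV path from workaround 4), and audits what is currently set. It assumes the hotfix is already installed, that the system-wide value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and that a per-application value under that executable's Image File Execution Options key overrides it; "legacyapp.exe" is a hypothetical application name. Run it from an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example (not from the original post). Assumptions: KB 2264107 is installed,
# the system-wide value lives under Session Manager, and a per-application value under
# Image File Execution Options\<exe> overrides it. Run elevated.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName      = 'CWDIllegalInDllSearch'

# The three documented settings, as listed in the workarounds above.
$Modes = @{
    'BlockWebDav'    = 1            # workaround 2: no DLL loads from a WebDAV CWD
    'BlockWebDavUnc' = 2            # workaround 3: no DLL loads from a WebDAV or UNC CWD
    'RemoveCwd'      = 0xFFFFFFFF   # workaround 1: CWD is never searched at all
}

# REG_DWORD is an unsigned 32-bit value but the registry provider takes an Int32;
# reinterpret the bits so 0xFFFFFFFF is stored as -1 (regedit shows it as ffffffff).
function ConvertTo-DwordBits([uint32]$Value) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}
function ConvertFrom-DwordBits([int32]$Value) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('BlockWebDav','BlockWebDavUnc','RemoveCwd')]
        [string]$Mode,
        # Optional: apply to one executable only (e.g. 'legacyapp.exe') instead of system-wide.
        [string]$Executable
    )
    $key = $SessionManager
    if ($Executable) {
        $key = Join-Path $Ifeo $Executable
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $key -Name $ValueName -Type DWord -Value (ConvertTo-DwordBits $Modes[$Mode])
}

function Get-CwdDllSearchPolicy {
    # Report the system-wide setting plus every per-application override.
    $raw = (Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($raw -eq $null) { $systemSetting = 'not set (default: CWD is searched)' }
    else { $systemSetting = '0x{0:X8}' -f (ConvertFrom-DwordBits $raw) }
    New-Object PSObject -Property @{ Scope = 'System'; Setting = $systemSetting }

    Get-ChildItem $Ifeo | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($v -ne $null) {
            New-Object PSObject -Property @{ Scope = $_.PSChildName; Setting = ('0x{0:X8}' -f (ConvertFrom-DwordBits $v)) }
        }
    }
}

# Policy used here: workaround 1 everywhere, but the hypothetical 'legacyapp.exe' stays on
# workaround 3 because it breaks without the CWD in its search path.
Set-CwdDllSearchPolicy -Mode RemoveCwd
Set-CwdDllSearchPolicy -Mode BlockWebDavUnc -Executable 'legacyapp.exe'

# WebDAV shares are reached through the WebClient service; disabling it closes that path
# regardless of the registry value, which is the host-side half of workaround 4.
Stop-Service WebClient -ErrorAction SilentlyContinue
Set-Service WebClient -StartupType Disabled

Get-CwdDllSearchPolicy | Format-Table Scope, Setting -AutoSize
```

The per-application override is the practical answer to impact 2) of workaround 1: keep the strict system-wide setting and relax only the applications on the corelan list that actually break, rather than dropping the whole machine to setting 2.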

Real world DLL hijacking samples (from http://digitalacropolis.us/?p=113):
1. Using an SMB/WebDAV shared folder
This is perhaps the most common way DLL hijacking is used, because it can be exploited remotely. The attacker puts a malicious DLL and a clean file that triggers it in a share, then gets the target to open the clean file. Remember that a shared folder link always starts with two backslashes, like \\server\share (the server part may be an IP address).

1). The attacker sends a link to a shared folder to the victim. The victim opens it, sees some .html files and double-clicks one of them. When a vulnerable browser or application opens this file it loads a DLL directly from the share, and the victim is now infected.

Workaround: combine workarounds 1 and 4, or workarounds 3 and 4.

2). The attacker posts a link in a forum that looks like an http link but redirects the victim to a shared folder. The victim opens a simple .pdf file and gets infected.

Workaround: combine workarounds 1 and 4, or workarounds 3 and 4.


3). The attacker gains access to a trusted website and puts iframes or redirects to his share on it. The victim trusts this site, opens an mp3 file inside the shared folder and... gets infected as well.

Workaround: combine workarounds 1 and 4, or workarounds 3 and 4.


4). The attacker uses the .lnk bug or any browser vulnerability together with any of the above examples, and so increases his infection rate.

Workaround: combine workarounds 1 and 4, or workarounds 3 and 4.
5). An insider puts a clean file and a malicious DLL on an internal file share.

Workaround: 1 or 3 (workaround 4 does not apply, because the share is internal).
----------------------------------------------------------
2. A compressed package (.zip, .tar.gz, .rar etc.)
This vector works by packing a bunch of clean files and a malicious DLL into a compressed package. The target extracts the files and opens one of them, and the attacker's DLL gets loaded.
1). The attacker compresses 30 .jpg pictures and a DLL into a zip file. The victim extracts everything to a folder and double-clicks one of the pictures. Infected.
Workaround:
1). Workaround 1. Workarounds 2 and 3 do not help here, because the extracted folder is local.
2). Education: before opening any kind of file, especially one downloaded from the internet, check whether there is a DLL in the same directory. Enable "show hidden files" and "show extensions for known file types" in Folder Options first, otherwise a hidden DLL will not show up. It is also a good habit to move only the files you actually need to open into a new, empty directory that you created yourself. This takes the DLL out of the search path, but it is a habit, not a guarantee; the registry setting is the real fix.

--------------------------------------------------------------
3. Torrents
This one is nasty and can be very effective for infecting large numbers of people. A torrent can contain a large number of files and can be used to deliver a malicious DLL together with clean files without being noticed. This is especially dangerous if a big torrent tracker or database is compromised.
1). The attacker posts a custom torrent on a public tracker, containing a pack of mp3s and a malicious DLL. The victim goes to listen to the new album and gets infected.
2). The attacker gains admin access to a torrent database (this actually happened to ThePirateBay not long ago) and swaps a legitimate high-traffic torrent for an infected one. This could cause a massive infection in a matter of minutes.
Workaround: do not allow BitTorrent and other P2P traffic through the perimeter firewall. On the hosts this is the local case again, so workaround 1 is the one that helps.

----------------------------------------------------------
4. Exploiting multiple application hijacks
The attacker raises the success rate by dropping several DLLs, one for each application that might be used to open the same file type.
1). The attacker shares a folder containing a bunch of .avi files and three malicious DLLs: one for VLC, one for Media Player Classic and one for Winamp. Whichever of the three players the victim uses, the attack works, so the chance of the victim getting infected goes up.

Workaround: combine workarounds 1 and 4, or workarounds 3 and 4.
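All four samples share one shape: a DLL sitting next to the data files a user is about to double-click. The script below is an added example, not part of the original post or of the digitalacropolis.us page: it turns the "education" advice from sample 2 into a check you can run over an extracted archive, a torrent download folder or a share before opening anything in it. It lists every DLL that sits beside openable data files, whether the DLL is hidden, and whether it carries a valid Authenticode signature. The list of data extensions is an assumption taken from the samples above; extend it for your own file types. Requires PowerShell 2.0 or later.

```powershell
# Added example (not from the original post or digitalacropolis.us). The extension list
# is an assumption based on the samples above (.html, .pdf, .mp3, .jpg, .avi, ...).

function Find-DllBesideData {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        # Extensions of "clean" files a victim would double-click.
        [string[]]$DataExtensions = @('.html','.htm','.pdf','.mp3','.jpg','.jpeg','.avi','.doc','.docx','.txt')
    )
    # -Force includes hidden files, since the DLL is typically hidden. One result per DLL
    # whose directory also contains at least one data file.
    Get-ChildItem -Path $Path -Recurse -Force -Filter '*.dll' |
        Group-Object -Property DirectoryName |
        ForEach-Object {
            $dir = $_.Name
            $dataFiles = @(Get-ChildItem -Path $dir -Force | Where-Object {
                -not $_.PSIsContainer -and ($DataExtensions -contains $_.Extension.ToLower()) })
            if ($dataFiles.Count -eq 0) { return }   # a DLL beside nothing openable is not this attack shape
            foreach ($dll in $_.Group) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                New-Object PSObject -Property @{
                    Directory = $dir
                    Dll       = $dll.Name
                    Hidden    = [bool]($dll.Attributes -band [IO.FileAttributes]::Hidden)
                    Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                    Signer    = $signer
                    DataFiles = (($dataFiles | ForEach-Object { $_.Name }) -join ', ')
                }
            }
        }
}

# Usage: run against the folder you extracted or downloaded into, before opening anything.
# Anything NotSigned or Hidden next to a pile of .mp3/.jpg/.avi files is exactly the shape
# of the attacks above; move only the data files you need into a fresh, empty directory.
Find-DllBesideData -Path "$env:USERPROFILE\Downloads\album" |
    Sort-Object Signature, Directory |
    Format-Table Directory, Dll, Hidden, Signature, Signer -AutoSize
```

A valid signature from a well-known vendor is a reason to look less hard, not a clean bill of health: the check is there to make the "three DLLs beside thirty .avi files" pattern from sample 4 visible, and the workarounds above are what actually stop the load.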

Friday, August 20, 2010

IE 8 Certificate error and trusted sites grayed out

The problem appeared after users moved to Windows 7 and IE 8. Some users complained that they could not access some secure websites, especially ones with self-signed certificates. With Windows XP and IE 7, they could bypass the self-signed certificate warning by just clicking the "Continue to this website (not recommended)" link. Now the link no longer shows up; the only option is "Click here to close this webpage". In addition, the Local intranet and Trusted sites zones are grayed out, so you can't even add sites to these zones.


After spending hours searching Google I still had no luck. I had tried all the solutions posted online:

1. Clear the boxes for "Check for publisher's certificate revocation" and "Check for server certificate revocation" in the IE security settings.

2. Install the Update for Root Certificates from the Microsoft website.

3. Import the website certificate into the Trusted Root Certification Authorities store.

4. Modify the Registry key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000047

Unfortunately none of the above worked for me. I thought I must be missing something. Then I realized I should look at the local group policy. I hadn't considered group policy because only some computers had the problem; the others were working fine, and they are all in the same OU with the same domain group policy.

After digging into the local group policy, I finally solved the problem:

1. Close all IE windows.
2. Run gpedit.msc.
3. Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel.
4. Set "Prevent ignoring certificate errors" to "Disabled". Now the "Continue to this website (not recommended)" link should show up.
5. Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
6. Set "Site to Zone Assignment list" to "Disabled". This will allow you to modify the trusted sites list again.
7. Open IE and enjoy the freedom.

Keep in mind what these two policies are for before lifting them everywhere: the first stops users from clicking through certificate warnings that may be a real man-in-the-middle rather than a self-signed intranet box, and the second keeps users from adding arbitrary sites to the Trusted sites zone. Lift them only for the users who need it; the cleaner long-term fix for internal sites is a certificate issued by a CA the clients already trust.
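When only some machines show the symptom, opening gpedit.msc on each one is slow. The script below is an added example, not part of the original post: it reads the registry locations those two policies (and one related policy with the same "grayed out" symptom) are written to, in both the machine and the user policy hives, and reports which one is set. The mapping it assumes is the standard one for these Internet Explorer administrative templates: "Prevent ignoring certificate errors" is the PreventIgnoreCertErrors value under Software\Policies\Microsoft\Internet Explorer\Main, "Site to Zone Assignment list" is the ZoneMapKey subkey under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, and "Security Zones: Do not allow users to add/delete sites" is Security_zones_map_edit in that same Internet Settings policy key. HKLM entries come from Computer Configuration, HKCU entries from User Configuration.

```powershell
# Added example (not from the original post). Assumes the standard registry mapping of
# the IE policies named in the lead-in; HKLM = machine policy, HKCU = user policy.

function Get-IePolicyCauses {
    $checks = @(
        @{ Symptom = 'No "Continue to this website" link (Prevent ignoring certificate errors)'
           Key     = 'Software\Policies\Microsoft\Internet Explorer\Main'
           Value   = 'PreventIgnoreCertErrors' },
        @{ Symptom = 'Zone site lists grayed out (Site to Zone Assignment list)'
           Key     = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
           Value   = $null },           # the policy is the subkey itself: one value per site
        @{ Symptom = 'Zone site lists grayed out (Do not allow users to add/delete sites)'
           Key     = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
           Value   = 'Security_zones_map_edit' }
    )
    # Properties the registry provider adds to every Get-ItemProperty result; not site names.
    $providerProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')

    foreach ($hive in 'HKLM','HKCU') {
        foreach ($c in $checks) {
            $path = "${hive}:\$($c.Key)"
            if (-not (Test-Path $path)) { continue }
            if ($c.Value -eq $null) {
                # ZoneMapKey: list the configured site -> zone pairs (zone 1 = Local intranet,
                # 2 = Trusted sites, 3 = Internet, 4 = Restricted sites).
                $props = Get-ItemProperty -Path $path
                $sites = $props.PSObject.Properties |
                         Where-Object { $providerProps -notcontains $_.Name } |
                         ForEach-Object { "$($_.Name)=$($_.Value)" }
                if ($sites) {
                    New-Object PSObject -Property @{ Hive = $hive; Symptom = $c.Symptom; Setting = ($sites -join '; ') }
                }
            } else {
                $v = (Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
                if ($v -ne $null -and $v -ne 0) {
                    New-Object PSObject -Property @{ Hive = $hive; Symptom = $c.Symptom; Setting = "$($c.Value)=$v" }
                }
            }
        }
    }
}

# Usage: run on an affected machine as the affected user. No output means neither local nor
# domain policy is setting these; a HKCU hit with no matching domain GPO points at the local
# policy this post describes.
Get-IePolicyCauses | Format-Table Hive, Symptom, Setting -AutoSize -Wrap
```

The script only reports; the fix is still done in gpedit.msc (or in the domain GPO if the entry turns out to come from there), so that the policy engine and the registry stay in agreement.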

Friday, August 13, 2010

Open command windows here (DOS is Here)

It is very handy to be able to open a command window in the folder you are currently browsing by right-clicking the folder icon. Windows 7 does provide this, but it is somewhat "hidden": hold the Shift key while right-clicking the folder icon, and the "secret" option "Open command window here" appears.


How about Windows XP?

No secret option here, but you can add it with a few registry keys. Here is the code (adjust the cmd.exe path if Windows is not installed in C:\windows):

************************************************
Windows Registry Editor Version 5.00

; Context menu entry for folders
[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@="Open command window here"

; /k keeps the window open after the command; cd /d also switches drive,
; so the entry works for folders on drives other than the one cmd starts on
[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd /d \"%1\""

; The same entry for drive roots in My Computer
[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@="Open command window here"

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd /d \"%1\""

*************************************************
Copy and paste it into Notepad, save it as a .reg file, then double-click the file to import it into the registry.

That’s it! You'll get this:


Enjoy!

If you don't like it, here is the uninstall code (the leading minus sign deletes the key):

***********************************************
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\Directory\shell\DosHere]
[-HKEY_CLASSES_ROOT\Drive\shell\DosHere]

***********************************************
Save it as a .reg file and run it. Be sure to run it as an Administrator: these keys live under HKEY_LOCAL_MACHINE\Software\Classes, so the same applies to the install file.

Wednesday, August 4, 2010

Install Backtrack 4 to a USB stick

There are many reasons to install Backtrack 4 on a USB stick. For me, I just want to keep the tools up to date. It was a little tricky, because I was able to install it to a USB stick, but it still behaved like a Live CD, meaning every change was gone after a reboot.

But now it is very easy, because I found this great video:
http://www.offensive-security.com/videos/backtrack-usb-install-video/backtrack-usb-install.html

Just make sure you have an 8 GB USB stick; a 4 GB stick will only have 300 MB of free space left after the installation.

Thursday, March 11, 2010

Uncontrollable Zooming in Microsoft Word and IE

The Dell Latitude D630 laptop I was using had a very strange behaviour: when I connected it to a projector and pressed Fn+F8 to show the screen on both devices, Word zoomed to 500% and stayed there; whatever I changed the zoom setting to, it went back to 500%. Same with IE. I had to reboot the laptop to solve the problem, but when I pressed Fn+F8 again, it happened again. The strange thing is, if I didn't connect it to a projector, everything was fine, even if I pressed Fn+F8. And I couldn't reproduce the problem on another Dell laptop.

It really annoyed me because I couldn't use it for presentations, so I decided to find the reason. I believed a process was causing the problem, so I killed the suspect processes with Process Explorer 11.33 (www.sysinternals.com) and finally found that iType.exe was the culprit.

Here are the details of iType.exe:

Once I killed the process, everything went back to normal.

Saturday, January 23, 2010

Running Microsoft Baseline Security Analyzer (MBSA) command line

You may already be familiar with the Microsoft Baseline Security Analyzer (MBSA) GUI, but what about the MBSA command line?

You get at least two benefits from the MBSA command line:

1. If you want to scan remote computers that are not part of your domain, the MBSA GUI won't help you; at least I couldn't find any option for it. In this situation the command line, mbsacli, comes into play.

2. You can easily schedule the MBSA command line to run at midnight against a range of computers, and view the reports with a cup of coffee the next morning.

The syntax of the MBSA command line is:

MBSACLI [/target /r /d domain] [/n option] [/o file] [/qp] [/qe] [/qr] [/qt] [/listfile file] [/xmlout] [/wa /wi] [/catalog file] [/nvc] [/ia] [/mu] [/nd] [/rd directory] [/?] [/u username /p password]

For example, to scan the IP 192.168.1.1: mbsacli /target 192.168.1.1 /u administrator /p password

Enter "mbsacli /?" for more details.

Some things you have to be aware of:

1. The MBSA command line needs an offline security update catalog to perform a scan; the file is wsusscn2.cab. The MBSA GUI downloads it automatically and saves it in "C:\Documents and Settings\\Local Settings\Application Data\Microsoft\MBSA\2.1.1\Cache\" (depending on your MBSA installation), but if you haven't run the GUI for a long time, you can download the latest catalog from http://go.microsoft.com/fwlink/?LinkId=76054. I normally save it in a temporary folder and use the /catalog parameter to specify the file location: mbsacli /target 192.168.1.1 /catalog c:\temp\wsusscn2.cab /u administrator /p password

2. The downside of the command line is that the username and password are passed in plain text on the command line, where anyone who can list processes on the scanning machine can read them, and they may end up in the command history. Change the password after you finish a scan, or better, omit /u and /p and run mbsacli under an account that already has the needed rights on the targets (for example the account of the scheduled task), since without /u and /p it uses the credentials of the current user.

3. The output of the MBSA command line is ugly, but you can open the same report in the MBSA GUI, which is user friendly and pretty.

4. The version of MBSA discussed here is 2.1.1, released on Nov 4, 2009. You can download it from: http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en
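The scheduled midnight scan from benefit 2, put together with points 1 and 2 above: the script below is an added example, not part of the original post. It keeps a cached copy of wsusscn2.cab (from the URL given above) and refreshes it when it is older than a week, writes the target list to a file for /listfile, and runs mbsacli with only switches that appear in the syntax line above (/listfile, /catalog, /rd, /nd, /nvc, and /u /p only when explicit credentials are given). The install path of mbsacli.exe is an assumption (the MBSA 2 default); when -Credential is omitted the scan runs with the account the script itself runs under, so no password appears on the command line. PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Assumptions: mbsacli.exe is in the default
# MBSA 2 folder below; the catalog URL is the one the post gives; without -Credential,
# mbsacli uses the credentials of the account running this script.

$MbsaCli    = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
$CatalogUrl = 'http://go.microsoft.com/fwlink/?LinkId=76054'   # wsusscn2.cab

function Update-MbsaCatalog {
    param([string]$Catalog = "$env:TEMP\wsusscn2.cab", [int]$MaxAgeDays = 7)
    # Re-download only when the cached copy is older than $MaxAgeDays; the cab is large.
    $fresh = (Test-Path $Catalog) -and
             (((Get-Date) - (Get-Item $Catalog).LastWriteTime).TotalDays -lt $MaxAgeDays)
    if (-not $fresh) {
        (New-Object System.Net.WebClient).DownloadFile($CatalogUrl, $Catalog)
    }
    return $Catalog
}

function Invoke-MbsaScan {
    param(
        [Parameter(Mandatory=$true)][string[]]$Targets,   # host names or IPs, domain members or not
        [string]$ReportDir = "$env:USERPROFILE\MBSA-Reports",
        [System.Management.Automation.PSCredential]$Credential
    )
    $catalog  = Update-MbsaCatalog
    $listFile = Join-Path $env:TEMP 'mbsa-targets.txt'
    $Targets | Set-Content -Path $listFile                   # one target per line for /listfile
    if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

    $cliArgs = @('/listfile', "`"$listFile`"",
                 '/catalog',  "`"$catalog`"",    # offline catalog, as in point 1 above
                 '/rd',       "`"$ReportDir`"",  # directory the per-host reports go to
                 '/nd', '/nvc')                  # no downloads during the scan; no MBSA version check
    if ($Credential) {
        # Explicit credentials for targets the scanning account has no rights on. This still
        # puts the password on the command line (point 2 above), so prefer running the whole
        # script as the scanning account and leaving -Credential out.
        $net  = $Credential.GetNetworkCredential()
        $user = $net.UserName
        if ($net.Domain) { $user = "$($net.Domain)\$($net.UserName)" }
        $cliArgs += @('/u', "`"$user`"", '/p', "`"$($net.Password)`"")
    }
    $p = Start-Process -FilePath $MbsaCli -ArgumentList $cliArgs -Wait -NoNewWindow -PassThru
    Remove-Item $listFile -ErrorAction SilentlyContinue
    return $p.ExitCode
}

# Usage: point a scheduled task at this script; open the reports in the MBSA GUI next morning.
$rc = Invoke-MbsaScan -Targets @('192.168.1.1', '192.168.1.2') -ReportDir 'C:\MBSA-Reports'
"mbsacli exit code: $rc"
```

Running the task under a dedicated scanning account that is a local administrator on the targets is what makes the -Credential branch unnecessary; if you must use it, give the account a password you are prepared to rotate right after the run, as point 2 says.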

Monday, January 18, 2010

VPN Client for Windows 7 Enterprise 64bit

I had just upgraded my home computer to Windows 7 Enterprise 64-bit when I found that the Cisco VPN Client 5.0.01.0600 had stopped working. I googled it and followed the instructions I found on some websites, but none of them worked. Finally I found http://www.shrewsoft.com, downloaded the Shrew Soft VPN Client 2.1.5, simply imported the .pcf file, and it works like a charm!