DLL Hijacking (KB 2269637) – the unofficial list

corelanc0d3r August 25, 2010
This article has 46,850 views

hijack This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself.

If you have found other applications to be vulnerable and want to add them to the list, send me a mail.

Please note that I will not list instances where you have to replace a dll in the application folders.  I do not consider those examples to be valid cases of dll hijacking. (after all, if you have to replace a dll, you might as well replace the executable itself)

You can use the list below to build a GPO / custom adm file /.reg file, and alter the default dll loading behaviour for those applications, as explained here : http://support.microsoft.com/kb/2264107. I highly recommend looking at that page & implement the workaround (in conjunction with other suggested workarounds, such as disabling Webclient service, blocking outbound smb traffic, blocking propfind method on proxy servers, etc)

In addition to this, if you installed the workaround suggested by Microsoft, you can now use the Microsoft FixIt Tool to further refine settings.  You must have installed the CWDIllegalInDllSearch utility prior to using FixIt.

 

How to audit ?

If you want to test your own applications, have a look at this and this post on the metasploit blog. Make sure to grab the latest version of the audit package here or use svn update on your metasploit installation (and then copy the zip file from the external/source folder to the windows system you want to audit)

b0telh0 made a small video, demonstrating the use of the audit kit, and how it can lead to an exploit : http://www.vimeo.com/14442659

Alternatively, you can use DllHijackAuditor. It was developed to overcome some of the limitations of the DllHijackAuditkit. More info about this tool can be found here.  I highly recommend running this tool on your systems as well.

 

Potentially vulnerable applications :

Application Version
>>> ADOBE  
Adobe Captivate (cp, cpt, cprr, cptl, fcz, rd, rdt)
(winpens.dll)		 3
Adobe Dreamweaver
(mfc90loc.dll, mfc90ptb.dll(lang-dependent))		 CS4 (<= 10.0 build 4117)
CS5 (<= 11.0 build 4909)
Adobe ExtendedScript Toolkit
(dwmapi.dll)		 CS5 v3.5.0.52
Adobe Extension Manager (mxi,mxp)
(dwmapi.dll)		 CS5 v5.0.298
Adobe Photoshop
(wintab32.dll)		 CS2
Adobe Fireworks CS3, CS4 and CS5
Adobe Device Central
(qtcf.dll)		 CS5
Adobe Illustrator (ait, eps)
(aires.dll)		 CS4 v14.0.0
Adobe On Location (olproj)
(ibfs32.dll)		 CS4 build 315
Adobe Indesign (indl, indp, indt, inx)
(ibfs32.dll)		 CS4 v6.0
Adobe Premier (pproj, prfpset, prexport, prm, prmp, prpreset, prproj, prsl, prtl, vpr)
(ibfs32.dll)		 Pro CS4 314
Adobe Audition (audition.exe) (cdl, cel, dbl, dwd, pcm, sam, ses, smp, svx, vox)
(assist.dll, ff_theora.dll, quserex.dll, skl_drv_mpg.dll)		 3.0.7283.0 (Win7 x64)
>>> ALLADIN  
Aladdin eToken PKI Client (etc, etcp)
(wintab32.dll)		 5.0.0.65
>>> AlTools  
AlZip (all associated archive file formats)
(mfc90*.dll, propsys.dll)		 <= 8.0.6.3
AlSee (ani, bmp, cal, hdp, jpe, mac, pbm, pcx, pgm, png, psd, ras, tga, tiff)
(patchani.dll)		 <= 6.20.0.1
>>> APPLE  
Safari
(dwmapi.dll)		 <= 5.0.1
Quicktime Player (mac, pic, pntg, qtif)
(cfnetwork.dll, corefoundation.dll)		 <= 7.64.17.13
>>> ARCHICAD  
ArchiCAD
(srcsrv.dll)		 13.0
>>> AVAST  
Avast! (license file .avastlic)
(mfc90loc.dll)		 <= 5.0.594
>>> AVISCREEN  
Aviscreen Pro (just a lnk file to the app will do)
(iccvid.dll, ir32_32.dll, yuv_32.dll, msrle32.dll, msvidc32.dll, msyuv.dll, tsbyuv.dll, iacenc.dll, tsbyuv.dll)		 3.1
>>> BITMANAGEMENT  
BS Contact VRML/X3D (bskey, bswrl, bxwrl, j2k, jp2, vrml, wrl, wrz, x3dvz, x3dv, x3dz, x3d)
(d3dref9.dll, siappdll.dll)		 <= 7.218
>>> BRAVA  
Brava PDF Reader (csf, pdf, sid, tiff, tif, xdl, xps)
(dwmapi.dll)		 <= 3.3.0.18
>>> BREAKPOINT  
HexWorkshop
(pe932d.dll, pe936d.dll, pegrc32d.dll)		 6.0.1.460.3
>>> BS.Player  
BS.player (mp3)
(mfc71loc.dll, ehtrace.dll)		 <= 2.56
>>> CAMTASIA  
Camtasia Studio (cmmp,cmmtpl,camproj,camrec)
(dwmapi.dll)		 <= 6 build 689
Camtasia Studio
(mfc90*.dll)		 7
>>> CDISPLAY  
CDisplay (cba, cbr, cbt, cbz)
(trace32.dll)		 1.8.10
>>> CELFRAME  
CelFrame Office Write (doc)
(java_msci.dll, msci_java.dll)		 Office Suite 2008
CelFrame Office Spreadsheet (xls)
(java_msci.dll, msci_java.dll)		 Office Suite 2008
CelFrame Office Publisher (sla)
(wintab32.dll)		 Office Suite 2008
CelFrame Office Draw (odg)
((java_msci.dll, msci_java.dll)		 Office Suite 2008
CelFrame Office Photo Album (plx)
(wintab32.dll)		 Office Suite 2008
>>> CISCO  
Cisco Packet Tracer (pkt, pkz)
(wintab32.dll)		 5.2
>>> CITRIX  
Citrix ICA Client  (ica)
(pncachen.dll, wfapi.dll)		 <= v9.0.32649.0
>>> COREL  
Corel Draw (cmx,csl)
(crlrib.dll)		 <= X3 v13.0.0.576
Corel PhotoPaint (cpt)
(crlrib.dll)		 <= X3 v13.0.0.576
>>> CYBERLINK  
PowerDirector (iso, pdl, p2g, p2i)
(mfc71*.dll)		 7
Power2Go DVD (iso, pdl, p2g, p2i)
(mfc71*.dll)		 6
>>> DAEMON TOOLS  
DAEMON Tools Lite (mdf, mds, mdx)
(mfc80loc.dll)		 4.35.6.0091
>>> DVDFAB  
DVDFab Platinum (dvdfab5, dvdfabplatinum5, dvdfabgold5, dvdfabmobile)
(quserex.dll)		 5.2.3.2
DVDFab (dvdfab6, dvdfab*2*, dbdfabfilemover)
(dwmapi.dll,mfc90*.dll,nvcuda.dll,quserex.dll)		 7.0.4.0
>>> E-PRESS  
E-Press ONE Office Author (psw)
(java_mcsi.dll, mcsi_java.dll)		  
E-Press ONE Office E-NoteTaker (txt)
(mfc71*.dll)		  
E-Press ONE Office E-Zip (rar, tar)
(mfc71*.dll)		  
>>> GDOC  
gDoc Fusion (dwfx, jtx, pdf, xps)
(wintab32.dll, ssleay32.dll)		 <= 2.5.1
>>> GUIDANCE  
Encase (endump)
(rsaenh.dll)		 <= 6.17.0.90
>>> ETTERCAP <= NG 0.7.3
Ettercap
(wpcap.dll)		  
>>> EZBSYSTEMS  
Ultra ISO
(daemon.dll)		 Premium 9.36
>>> FORENSIC TOOLKIT  
Forensic Toolkit (ftk) <= v1.8.1.6
>>> FOTOBOOK  
Fotobook Editor (dtp)
(fwpuclnt.dll)		 5.0 v2.8.0.1
>>> GFI  
GFI Backup (gbc,gbt)
(armaccess.dll)		 2009 Home Edition
>>> GILLES VOLLANT  
WinImage (bzw, dsk, img, imz, iso, vfd, wil, wlz)
(wnaspi32.dll)		 8.0.0.8000 (win7 x64)
>>> GOOGLE  
Google Chrome
(chrome.dll)		 latest
Google Earth (kmz)
(quserex.dll)		 <= v5.1.3535.3218
>>> HTTRACK  
WinHTTrack Website Copier (whtt)
(mfc71enu.dll, mfc71loc.dll)		 3.43-7
>>> IBM  
Lotus Notes client (ndl,ns2,ns3,nsf,nsg,nsh,ntf)
(kernel32.dll)		 5.0.12
IBM Rational License Key Administrator (upd)
(ibfs32.dll)		 < 7.0.0.0 (fixed in 7.0.0.0)
Lotus Symphony Office Suite (odm, odt, otp, stc, stw, sxg, sxw)
(eclipse_1114.dll)		 <= 3 beta 4
>>> IDM COMPUTER SOLUTIONS  
UltraEdit (bin, cpp, css, c, dat, hpp, html, h, ini, java, log, mak, php, prj, txt, xml)
(dwmapi.dll)		 <= 16.10.0.1036
>>> INKSCAPE  
Inkscape (svgz)
(quserex.dll)		 <= 0.48.0 r9654
>>> INTERVIDEO  
Intervideo WinDVD
(cpqdvd.dll)		 5
>>> INTUIT  
Quickbooks (des,qbo,qpg)
(dbicudtx11.dll, mfc90enu.dll, mfc90loc.dll)		 Pro 2010
>>> IZARC  
IZArc (all archive formats)
(ztv7z.dll)		 <= 4.1.2
>>> JUNIPER / NCP  
NCP Secure Client (pcf, spd, wge, wgx)
(dvccsabase002.dll, conman.dll, kmpapi32.dll)		 <= 9.23.017
NCP Secure Entry Client (pcf, spd, wge, wgx)
(conman.dll, dvccsabase002.dll, kmpapi32.dll, ncpmon2.dll)		 <= 9.23.017
>>> KEEPASS  
KeePass Password Safe (kdb)
(bcrypt.dll)		 <= 1.15
(fixed in 1.18)
KeePass Password Safe (kdbx)
(dwmapi.dll, bcrypt.dll)		 <= 2.12
(fixed in 2.13)
>>> KINETI  
Kineti Count (kcp)
(dwmapi.dll)		 1.0 beta
>>> KINGSOFT  
Kingsoft Office Writer (doc, rtf)
(plgpf.dll)		 2010
Kingsoft Office Presentation (ppt)
(lpgpf.dll)		 2010
Kingsoft Office Spreadsheets (xls)
(plgpf.dll)		 2010
>>> MAXTHON  
Maxthon Browser (htm, html, mhtml)
(dwmapi.dll)		 2.5.15.1000 Unicode
>>> MEDIAMONKEY  
Mediamonkey (apl, fla, m4b, mmip, mp+, mpp)
(dwmapi.dll)		 3.2.0.1294
>>> MEDIA PLAYER  
Mediaplayer Classic mpc (all formats)
(iacenc.dll)		 <= 1.3.2189.0
Media Player Classic (3gp, 3gp2, flv, m4b, m4p, m4v, mp4, spl)
(ehtrace.dll, iacenc.dll)		 <= v6.4.9.x
>>> MICROCHIP  
mplab IDE (mcp,mcw)
(mfc71*.dll)		 8.43
>>> MICROSOFT  
MS Powerpoint (odp,pot,potm,pptx,ppt,ppa,pps,ppsm,ppsx,pptm,pwz,sldm,sldx)
(2003 : ophookse4.dll)
(pptimpconv.dll, pp7x32.dll,rpawinet.dll) – verified on 32 & 64bit		 2003
2007
2010
MS Word (docx)
(rpawinet.dll)		 2007
MS Virtual PC (vmc)
(midimap.dll)		 2007
Ms Visio (vtx – 2003, vss – 2010)
(2003 – mfc71enu.dll, 2010 – dwmapi.dll)		 2003
2010
MS Office Groove (wav, p7c)
(mso.dll)		 2007
MS Windows Mail (nws)
(wab32res.dll)		  
MS Windows Live Email (eml,rss)
(dwmapi.dll, peerdist.dll)		 <= 14.0.8089.726
MS Movie Maker (flv, icon, mkv, mqv, mswmn, ogg, qt, wlmp)
(hhctrl.ocx)		 <= 2.6.4038.0
MS Vista Backup Manager (.wbcat)
(fveapi.dll)		  
MS Internet Connection Signup Wizard
(smmscrpt.dll)		 latest
MS Internet Communication Settings (isp)
(schannel.dll)		 latest
MS Group Convertor (grp)
(imm.dll)		 latest
MS Clip Organizer (mpf)
(twcgst.dll)		 <= 11.8164.8324 (XP SP3)
MS Clip Book Viewer
(mfaphook.dll)		  
MS Snapshot viewer (snp)
(mfc71enu.dll, mfc71loc.dll)		 11
Windows Program Group / grpconv.exe (grp)
(imm.dll)		 latest
MS Windows Address Book wab.exe/Contacts (wab, p7c, contact, group, vcf)
(wab32res.dll)		 XP, Vista
silently patched on Win7
MS RDP Client (rdp)
(dwmapi.dll – Win7, ieframe.dll – XPSP3)		 v6.1.7600.16385 (Win7)
v6.0.6001.18000 (XP SP3)
MS Visual Studio devenv.exe (cur, rs, rct, res)
(NULL.dll)		 2008
wscript (jse) / (js, vbs)
(wshfra.dll) (traceapp.dll)		 XP version
MS Windows Media Encoder (prx)
(wmerrorenu.dll, winietenu.dll, asferrorenu.dll)		 9.00.00.2980
MS ATL Trace Tool (atltracetool8.exe) (trc)
(dwmapi.dll)		 10.0.30319.1
MS DirectShow SDK Filter Graph Editor (grf)
(ehtrace.dll, measure.dll)		 10.0.0.0 (Win7 x64)
MS Help & Support Center
(wshfra.dll)		  
MS Live Writer (wpost)
(peerdist.dll)		 <= 14.0.8089.726
>>> MOOVIDA  
Moovida Media Player (f4v, flv, img, dv)
(libc.dll, quserex.dll)		 <= 2.0.0.15
>>> MOZILLA  
Firefox (htm, html, jtx, mfp, shtml, xaml)
(dwmapi.dll)		 <= 3.6.8
(fixed in 3.6.9 and 3.5.12)
Mozilla Thunderbird (eml,html)
(dwmapi.dll)		 3.1.2 (fixed in 3.1.3)
>>> MUVEE  
Muvee Reveal (rvl)
(peerdist.dll)		 7.0.43 build 11502
>>> NETSTUMBLER  
NetStumbler (ns1)
(mfc71enu.dll, mfc71loc.dll)		 0.4.0
>>> NITRO  
Nitro PDF Reader (pdf)
(dwmapi.dll, nprender.dll)		 fixed in 1.3
>>> NOKIA  
Nokia Suite ContentCopier
(wintab32.dll)		  
Nokia Suite Communication Centre
(wintab32.dll)		  
>>> NOTEPAD++  
Notepad++ (shtml, css, inc, inf, ini, log, scp, wtx, shtml)
(scinlexer.dll)		 5.7 (fixed in 5.8)
>>> NUANCE  
Nuance PDF (pdf)
(dwmapi.dll, exceptiondump.dll)		 <= 6.0
>>> NULLSOFT  
Winamp (669,aac,aiff,amf,au,avr,b4s,caf,cda)
(wnaspi32.dll, dwmapi.dll)		 5.581
Winamp (b4s, m3u8, m3u, pls)
(wnaspi32.dl)		 5.5.8.2985 (Win7 x64)
>>> NVIDIA  
NVidia Driver (tvp)
(nview.dll)		 latest
>>> OMNIPEEK  
Omnipeek Personal (pkt, wac)
(mfc71loc.dll)		 4.1
>>> OPERA  
Opera (htm, html, mht, mhtml, xht, xhtm, xhtl)
(dwmapi.dll)		 <= 10.61
Opera widgets (wgt)  
>>> ORACLE  
Java Web Start (javaw.exe) (jnlp)
(schannel.dll)		 1.6 update 21
>>> PGP  
PGP Desktop (pgp)
(credssp.dll)		 <= 9.8
PGP Desktop (p12,pem,pgp,prk,prvkr,pubkr,rnd,skr)
(tsp.dll, tvttsp.dll)		 <= 9.10
<= 10.0.0
>>> PIXIA  
Pixia (pxa)
(wintab32.dll)		 3.1j
>>> PUTTY  
putty
(winmm.dll)		 0.60
>>> QT WEB  
QtWeb (htm, html, mhtml, xml)
(wintab32.dll)		 <= 3.3 b043
>>> QCCIS  
Forensic CaseNotes (notes)
(credssp.dll)		 <= 1.3.2010.6
>>> REAL  
Real Player
(wnaspi32.dll)		 <= 1.1.5 build 12.0.0.879
>>> RIM / BLACKBERRY  
Blackberry Desktop Manager
(mapi32x.dll)		 <= 6.0.0 (fixed in 6.0.0.43)
>>> ROXIO  
Roxio Photosuite
(homeutils9.dll)		 9
Roxio MyDVD (dmsd,dmsm)
(homeutils9.dll)		 9
Roxio Creator DE
(homeutils9.dll)		 <= 9.0.116
Roxi Central (c2d,cue,gi,iso,roxio)
(homeutils10.dll, dlaapi_w.dll, sonichttpclient10.dll, tfswapi.dll)		 3.6
>>> SEAMONKEY  
SeaMonkey (html, xml, txt, jpg)
(dwmapi.dll)		 <= 2.0.6 (fixed in 2.0.7)
>>> SI SOFTWARE  
SiSoft Sandra
(dwmapi.dll)		  
>>> SMPLAYER  
SMPlayer
(wintab32.dll)		 0.6.9
>>> STEAM  
Steam Games
(steamgamesupport.dll)		  
>>> SOMUD  
SoMud P2P (torrent)
(wintab32.dll)		 <= 1.2.8
>>> SONY  
Sound Forge Pro
(mtxparhvegaspreview.dll)		 10.0
>>> SORAX  
Sorax PDF Reader (pdf)
(dwmapi.dll)		 <= 2.0
>>> SKYPE  
Skype
(wab32.dll)		 <= 4.2.0.169
>>> SWEETSCAPE  
010 Editor (lsc,bt,hex,s19,s28,s37)
(wintab32.dll)		 3.1.2
>>> TEAMMATE  
Teammate audit mgmt software suite
(mfc71enu.dll)		 v8
>>> TEAMVIEWER  
Teamviewer (tvc, tvs)
(dwmapi.dll)		 <= 5.0.8703
(patched in 5.1.9072)
>>> TECHSMITH  
TechSmith Snagit (.snag)
(dwmapi.dll)		 <= 10 build 788
TechSmith Snagit accessories (results) latest
TechSmith Snagit profiles (snagprof) latest
>>> TORTOISE  
Tortoise SVN (all registered filetypes)
(dwmapi.dll)		 v1.6.10 (b19898)
>>> TRACKER SOFTWARE  
PDFXChange Viewer (pdf)
(wintab32.dll)		 <= 2.0 (b54.0)
>>> ULTRA  
Ultra VNC Viewer (vnc)
(vnclang.dll)		 <= 1.0.6.4
>>> uTORRENT  
uTorrent
(userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll,
dhcpcsvc.dll, dhcpcsvc6.dll, rpcrtremote.dll)
.torrent (plugin_dll.dll)		 <= 2.0.3 / <= 2.0.3
(fixed in 2.0.4 (b21431))
>>> VIDEOLAN  
VLC media player (mp3)
(wintab32.dll)		 <= 1.1.3
(fixed in 1.1.4)
>>> VIRTUAL DJ  
Virtual DJ (mp3)
(hdjapi.dll)		 6.1.2
>>> WINMERGE  
WinMerge
(mfc71*.dll)		 2.12.4
>>> WIRESHARK  
Wireshark (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…)
(airpcap.dll, tcapi.dll)		 <= 1.2.10
(patched in 1.4)
dumpcap (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…)
(airpcap.dll, tcapi.dll)		 <= 1.2.10
(patched in 1.4)

Want to contribute ?

If you want to contribute, send the application name, version,  and file extension to peter.ve[at] corelan.be

Thanks to the people who have contributed so far : EdiStrosar, 0xjudd, xanda, Dinosn, saintanthony, PieterDanhieux, Lofi, Mark Crowther, h4ck3r#47,_coreDump, ikki, diwr, LiquidWorm, Nikhil Mittal, Chris Anderson, FInverse, Chris John Riley, nullthreat, Aung Khant, SafetyFirstXL125, spot, Classity, Jacky Jack, guelfoweb, Kervala, m1k3, Glafkos Charalambous, extraexploit, Nagareshwar Talekar, Anastasios Monachos, Antisecurity, Oliver Wege

Other info

http://support.microsoft.com/kb/2389418

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://support.microsoft.com/kb/2264107

  Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte



Similar/Related posts:

Default ThumbnailExploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode Default ThumbnailSetting up InfoExpress CyberArmor Suite 3.5 Default ThumbnailHITB2012AMS Day 1 – Window Shopping Default ThumbnailCorelan T-Shirt contest – Derbycon 2012 Default ThumbnailFree Tool – Password Generator dll for Visual Studio (and other languages)

Tags:

,

© Corelan Consulting BV. All rights reserved. ​The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.

8 thoughts on “DLL Hijacking (KB 2269637) – the unofficial list”

  1. Pingback: DLL Hijacking Linux (Windows like) « Security et alii
  2. Pingback: Microsoft ships 'Fix-It' for DLL load hijacking attack vector | ZDNet
  3. Pingback: Microsoft DLL Pre-loading ‘Fix-It’ Released « MadMark's Blog

  4. From the change.log of Notepad++ 5.8:

    2. Fix a vulnerability issue: Load ScinLexer.dll with its full path to avoid hijack.

    It would seem we can assume that the dll vulnerability has been addressed.

Comments are closed.