46,318 views
DLL Hijacking (KB 2269637) – the unofficial list
This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself.
If you have found other applications to be vulnerable and want to add them to the list, send me a mail.
Please note that I will not list instances where you have to replace a dll in the application folders. I do not consider those examples to be valid cases of dll hijacking. (after all, if you have to replace a dll, you might as well replace the executable itself)
You can use the list below to build a GPO / custom adm file /.reg file, and alter the default dll loading behaviour for those applications, as explained here : http://support.microsoft.com/kb/2264107. I highly recommend looking at that page & implement the workaround (in conjunction with other suggested workarounds, such as disabling Webclient service, blocking outbound smb traffic, blocking propfind method on proxy servers, etc)
In addition to this, if you installed the workaround suggested by Microsoft, you can now use the Microsoft FixIt Tool to further refine settings. You must have installed the CWDIllegalInDllSearch utility prior to using FixIt.
How to audit ?
If you want to test your own applications, have a look at this and this post on the metasploit blog. Make sure to grab the latest version of the audit package here or use svn update on your metasploit installation (and then copy the zip file from the external/source folder to the windows system you want to audit)
b0telh0 made a small video, demonstrating the use of the audit kit, and how it can lead to an exploit : http://www.vimeo.com/14442659
Alternatively, you can use DllHijackAuditor. It was developed to overcome some of the limitations of the DllHijackAuditkit. More info about this tool can be found here. I highly recommend running this tool on your systems as well.
Potentially vulnerable applications :
Application | Version |
>>> ADOBE | |
Adobe Captivate (cp, cpt, cprr, cptl, fcz, rd, rdt) (winpens.dll) |
3 |
Adobe Dreamweaver (mfc90loc.dll, mfc90ptb.dll(lang-dependent)) |
CS4 (<= 10.0 build 4117) CS5 (<= 11.0 build 4909) |
Adobe ExtendedScript Toolkit (dwmapi.dll) |
CS5 v3.5.0.52 |
Adobe Extension Manager (mxi,mxp) (dwmapi.dll) |
CS5 v5.0.298 |
Adobe Photoshop (wintab32.dll) |
CS2 |
Adobe Fireworks | CS3, CS4 and CS5 |
Adobe Device Central (qtcf.dll) |
CS5 |
Adobe Illustrator (ait, eps) (aires.dll) |
CS4 v14.0.0 |
Adobe On Location (olproj) (ibfs32.dll) |
CS4 build 315 |
Adobe Indesign (indl, indp, indt, inx) (ibfs32.dll) |
CS4 v6.0 |
Adobe Premier (pproj, prfpset, prexport, prm, prmp, prpreset, prproj, prsl, prtl, vpr) (ibfs32.dll) |
Pro CS4 314 |
Adobe Audition (audition.exe) (cdl, cel, dbl, dwd, pcm, sam, ses, smp, svx, vox) (assist.dll, ff_theora.dll, quserex.dll, skl_drv_mpg.dll) |
3.0.7283.0 (Win7 x64) |
>>> ALLADIN | |
Aladdin eToken PKI Client (etc, etcp) (wintab32.dll) |
5.0.0.65 |
>>> AlTools | |
AlZip (all associated archive file formats) (mfc90*.dll, propsys.dll) |
<= 8.0.6.3 |
AlSee (ani, bmp, cal, hdp, jpe, mac, pbm, pcx, pgm, png, psd, ras, tga, tiff) (patchani.dll) |
<= 6.20.0.1 |
>>> APPLE | |
Safari (dwmapi.dll) |
<= 5.0.1 |
Quicktime Player (mac, pic, pntg, qtif) (cfnetwork.dll, corefoundation.dll) |
<= 7.64.17.13 |
>>> ARCHICAD | |
ArchiCAD (srcsrv.dll) |
13.0 |
>>> AVAST | |
Avast! (license file .avastlic) (mfc90loc.dll) |
<= 5.0.594 |
>>> AVISCREEN | |
Aviscreen Pro (just a lnk file to the app will do) (iccvid.dll, ir32_32.dll, yuv_32.dll, msrle32.dll, msvidc32.dll, msyuv.dll, tsbyuv.dll, iacenc.dll, tsbyuv.dll) |
3.1 |
>>> BITMANAGEMENT | |
BS Contact VRML/X3D (bskey, bswrl, bxwrl, j2k, jp2, vrml, wrl, wrz, x3dvz, x3dv, x3dz, x3d) (d3dref9.dll, siappdll.dll) |
<= 7.218 |
>>> BRAVA | |
Brava PDF Reader (csf, pdf, sid, tiff, tif, xdl, xps) (dwmapi.dll) |
<= 3.3.0.18 |
>>> BREAKPOINT | |
HexWorkshop (pe932d.dll, pe936d.dll, pegrc32d.dll) |
6.0.1.460.3 |
>>> BS.Player | |
BS.player (mp3) (mfc71loc.dll, ehtrace.dll) |
<= 2.56 |
>>> CAMTASIA | |
Camtasia Studio (cmmp,cmmtpl,camproj,camrec) (dwmapi.dll) |
<= 6 build 689 |
Camtasia Studio (mfc90*.dll) |
7 |
>>> CDISPLAY | |
CDisplay (cba, cbr, cbt, cbz) (trace32.dll) |
1.8.10 |
>>> CELFRAME | |
CelFrame Office Write (doc) (java_msci.dll, msci_java.dll) |
Office Suite 2008 |
CelFrame Office Spreadsheet (xls) (java_msci.dll, msci_java.dll) |
Office Suite 2008 |
CelFrame Office Publisher (sla) (wintab32.dll) |
Office Suite 2008 |
CelFrame Office Draw (odg) ((java_msci.dll, msci_java.dll) |
Office Suite 2008 |
CelFrame Office Photo Album (plx) (wintab32.dll) |
Office Suite 2008 |
>>> CISCO | |
Cisco Packet Tracer (pkt, pkz) (wintab32.dll) |
5.2 |
>>> CITRIX | |
Citrix ICA Client (ica) (pncachen.dll, wfapi.dll) |
<= v9.0.32649.0 |
>>> COREL | |
Corel Draw (cmx,csl) (crlrib.dll) |
<= X3 v13.0.0.576 |
Corel PhotoPaint (cpt) (crlrib.dll) |
<= X3 v13.0.0.576 |
>>> CYBERLINK | |
PowerDirector (iso, pdl, p2g, p2i) (mfc71*.dll) |
7 |
Power2Go DVD (iso, pdl, p2g, p2i) (mfc71*.dll) |
6 |
>>> DAEMON TOOLS | |
DAEMON Tools Lite (mdf, mds, mdx) (mfc80loc.dll) |
4.35.6.0091 |
>>> DVDFAB | |
DVDFab Platinum (dvdfab5, dvdfabplatinum5, dvdfabgold5, dvdfabmobile) (quserex.dll) |
5.2.3.2 |
DVDFab (dvdfab6, dvdfab*2*, dbdfabfilemover) (dwmapi.dll,mfc90*.dll,nvcuda.dll,quserex.dll) |
7.0.4.0 |
>>> E-PRESS | |
E-Press ONE Office Author (psw) (java_mcsi.dll, mcsi_java.dll) |
|
E-Press ONE Office E-NoteTaker (txt) (mfc71*.dll) |
|
E-Press ONE Office E-Zip (rar, tar) (mfc71*.dll) |
|
>>> GDOC | |
gDoc Fusion (dwfx, jtx, pdf, xps) (wintab32.dll, ssleay32.dll) |
<= 2.5.1 |
>>> GUIDANCE | |
Encase (endump) (rsaenh.dll) |
<= 6.17.0.90 |
>>> ETTERCAP | <= NG 0.7.3 |
Ettercap (wpcap.dll) |
|
>>> EZBSYSTEMS | |
Ultra ISO (daemon.dll) |
Premium 9.36 |
>>> FORENSIC TOOLKIT | |
Forensic Toolkit (ftk) | <= v1.8.1.6 |
>>> FOTOBOOK | |
Fotobook Editor (dtp) (fwpuclnt.dll) |
5.0 v2.8.0.1 |
>>> GFI | |
GFI Backup (gbc,gbt) (armaccess.dll) |
2009 Home Edition |
>>> GILLES VOLLANT | |
WinImage (bzw, dsk, img, imz, iso, vfd, wil, wlz) (wnaspi32.dll) |
8.0.0.8000 (win7 x64) |
Google Chrome (chrome.dll) |
latest |
Google Earth (kmz) (quserex.dll) |
<= v5.1.3535.3218 |
>>> HTTRACK | |
WinHTTrack Website Copier (whtt) (mfc71enu.dll, mfc71loc.dll) |
3.43-7 |
>>> IBM | |
Lotus Notes client (ndl,ns2,ns3,nsf,nsg,nsh,ntf) (kernel32.dll) |
5.0.12 |
IBM Rational License Key Administrator (upd) (ibfs32.dll) |
< 7.0.0.0 (fixed in 7.0.0.0) |
Lotus Symphony Office Suite (odm, odt, otp, stc, stw, sxg, sxw) (eclipse_1114.dll) |
<= 3 beta 4 |
>>> IDM COMPUTER SOLUTIONS | |
UltraEdit (bin, cpp, css, c, dat, hpp, html, h, ini, java, log, mak, php, prj, txt, xml) (dwmapi.dll) |
<= 16.10.0.1036 |
>>> INKSCAPE | |
Inkscape (svgz) (quserex.dll) |
<= 0.48.0 r9654 |
>>> INTERVIDEO | |
Intervideo WinDVD (cpqdvd.dll) |
5 |
>>> INTUIT | |
Quickbooks (des,qbo,qpg) (dbicudtx11.dll, mfc90enu.dll, mfc90loc.dll) |
Pro 2010 |
>>> IZARC | |
IZArc (all archive formats) (ztv7z.dll) |
<= 4.1.2 |
>>> JUNIPER / NCP | |
NCP Secure Client (pcf, spd, wge, wgx) (dvccsabase002.dll, conman.dll, kmpapi32.dll) |
<= 9.23.017 |
NCP Secure Entry Client (pcf, spd, wge, wgx) (conman.dll, dvccsabase002.dll, kmpapi32.dll, ncpmon2.dll) |
<= 9.23.017 |
>>> KEEPASS | |
KeePass Password Safe (kdb) (bcrypt.dll) |
<= 1.15 (fixed in 1.18) |
KeePass Password Safe (kdbx) (dwmapi.dll, bcrypt.dll) |
<= 2.12 (fixed in 2.13) |
>>> KINETI | |
Kineti Count (kcp) (dwmapi.dll) |
1.0 beta |
>>> KINGSOFT | |
Kingsoft Office Writer (doc, rtf) (plgpf.dll) |
2010 |
Kingsoft Office Presentation (ppt) (lpgpf.dll) |
2010 |
Kingsoft Office Spreadsheets (xls) (plgpf.dll) |
2010 |
>>> MAXTHON | |
Maxthon Browser (htm, html, mhtml) (dwmapi.dll) |
2.5.15.1000 Unicode |
>>> MEDIAMONKEY | |
Mediamonkey (apl, fla, m4b, mmip, mp+, mpp) (dwmapi.dll) |
3.2.0.1294 |
>>> MEDIA PLAYER | |
Mediaplayer Classic mpc (all formats) (iacenc.dll) |
<= 1.3.2189.0 |
Media Player Classic (3gp, 3gp2, flv, m4b, m4p, m4v, mp4, spl) (ehtrace.dll, iacenc.dll) |
<= v6.4.9.x |
>>> MICROCHIP | |
mplab IDE (mcp,mcw) (mfc71*.dll) |
8.43 |
>>> MICROSOFT | |
MS Powerpoint (odp,pot,potm,pptx,ppt,ppa,pps,ppsm,ppsx,pptm,pwz,sldm,sldx) (2003 : ophookse4.dll) (pptimpconv.dll, pp7x32.dll,rpawinet.dll) – verified on 32 & 64bit |
2003 2007 2010 |
MS Word (docx) (rpawinet.dll) |
2007 |
MS Virtual PC (vmc) (midimap.dll) |
2007 |
Ms Visio (vtx – 2003, vss – 2010) (2003 – mfc71enu.dll, 2010 – dwmapi.dll) |
2003 2010 |
MS Office Groove (wav, p7c) (mso.dll) |
2007 |
MS Windows Mail (nws) (wab32res.dll) |
|
MS Windows Live Email (eml,rss) (dwmapi.dll, peerdist.dll) |
<= 14.0.8089.726 |
MS Movie Maker (flv, icon, mkv, mqv, mswmn, ogg, qt, wlmp) (hhctrl.ocx) |
<= 2.6.4038.0 |
MS Vista Backup Manager (.wbcat) (fveapi.dll) |
|
MS Internet Connection Signup Wizard (smmscrpt.dll) |
latest |
MS Internet Communication Settings (isp) (schannel.dll) |
latest |
MS Group Convertor (grp) (imm.dll) |
latest |
MS Clip Organizer (mpf) (twcgst.dll) |
<= 11.8164.8324 (XP SP3) |
MS Clip Book Viewer (mfaphook.dll) |
|
MS Snapshot viewer (snp) (mfc71enu.dll, mfc71loc.dll) |
11 |
Windows Program Group / grpconv.exe (grp) (imm.dll) |
latest |
MS Windows Address Book wab.exe/Contacts (wab, p7c, contact, group, vcf) (wab32res.dll) |
XP, Vista silently patched on Win7 |
MS RDP Client (rdp) (dwmapi.dll – Win7, ieframe.dll – XPSP3) |
v6.1.7600.16385 (Win7) v6.0.6001.18000 (XP SP3) |
MS Visual Studio devenv.exe (cur, rs, rct, res) (NULL.dll) |
2008 |
wscript (jse) / (js, vbs) (wshfra.dll) (traceapp.dll) |
XP version |
MS Windows Media Encoder (prx) (wmerrorenu.dll, winietenu.dll, asferrorenu.dll) |
9.00.00.2980 |
MS ATL Trace Tool (atltracetool8.exe) (trc) (dwmapi.dll) |
10.0.30319.1 |
MS DirectShow SDK Filter Graph Editor (grf) (ehtrace.dll, measure.dll) |
10.0.0.0 (Win7 x64) |
MS Help & Support Center (wshfra.dll) |
|
MS Live Writer (wpost) (peerdist.dll) |
<= 14.0.8089.726 |
>>> MOOVIDA | |
Moovida Media Player (f4v, flv, img, dv) (libc.dll, quserex.dll) |
<= 2.0.0.15 |
>>> MOZILLA | |
Firefox (htm, html, jtx, mfp, shtml, xaml) (dwmapi.dll) |
<= 3.6.8 (fixed in 3.6.9 and 3.5.12) |
Mozilla Thunderbird (eml,html) (dwmapi.dll) |
3.1.2 (fixed in 3.1.3) |
>>> MUVEE | |
Muvee Reveal (rvl) (peerdist.dll) |
7.0.43 build 11502 |
>>> NETSTUMBLER | |
NetStumbler (ns1) (mfc71enu.dll, mfc71loc.dll) |
0.4.0 |
>>> NITRO | |
Nitro PDF Reader (pdf) (dwmapi.dll, nprender.dll) |
fixed in 1.3 |
>>> NOKIA | |
Nokia Suite ContentCopier (wintab32.dll) |
|
Nokia Suite Communication Centre (wintab32.dll) |
|
>>> NOTEPAD++ | |
Notepad++ (shtml, css, inc, inf, ini, log, scp, wtx, shtml) (scinlexer.dll) |
5.7 (fixed in 5.8) |
>>> NUANCE | |
Nuance PDF (pdf) (dwmapi.dll, exceptiondump.dll) |
<= 6.0 |
>>> NULLSOFT | |
Winamp (669,aac,aiff,amf,au,avr,b4s,caf,cda) (wnaspi32.dll, dwmapi.dll) |
5.581 |
Winamp (b4s, m3u8, m3u, pls) (wnaspi32.dl) |
5.5.8.2985 (Win7 x64) |
>>> NVIDIA | |
NVidia Driver (tvp) (nview.dll) |
latest |
>>> OMNIPEEK | |
Omnipeek Personal (pkt, wac) (mfc71loc.dll) |
4.1 |
>>> OPERA | |
Opera (htm, html, mht, mhtml, xht, xhtm, xhtl) (dwmapi.dll) |
<= 10.61 |
Opera widgets (wgt) | |
>>> ORACLE | |
Java Web Start (javaw.exe) (jnlp) (schannel.dll) |
1.6 update 21 |
>>> PGP | |
PGP Desktop (pgp) (credssp.dll) |
<= 9.8 |
PGP Desktop (p12,pem,pgp,prk,prvkr,pubkr,rnd,skr) (tsp.dll, tvttsp.dll) |
<= 9.10 <= 10.0.0 |
>>> PIXIA | |
Pixia (pxa) (wintab32.dll) |
3.1j |
>>> PUTTY | |
putty (winmm.dll) |
0.60 |
>>> QT WEB | |
QtWeb (htm, html, mhtml, xml) (wintab32.dll) |
<= 3.3 b043 |
>>> QCCIS | |
Forensic CaseNotes (notes) (credssp.dll) |
<= 1.3.2010.6 |
>>> REAL | |
Real Player (wnaspi32.dll) |
<= 1.1.5 build 12.0.0.879 |
>>> RIM / BLACKBERRY | |
Blackberry Desktop Manager (mapi32x.dll) |
<= 6.0.0 (fixed in 6.0.0.43) |
>>> ROXIO | |
Roxio Photosuite (homeutils9.dll) |
9 |
Roxio MyDVD (dmsd,dmsm) (homeutils9.dll) |
9 |
Roxio Creator DE (homeutils9.dll) |
<= 9.0.116 |
Roxi Central (c2d,cue,gi,iso,roxio) (homeutils10.dll, dlaapi_w.dll, sonichttpclient10.dll, tfswapi.dll) |
3.6 |
>>> SEAMONKEY | |
SeaMonkey (html, xml, txt, jpg) (dwmapi.dll) |
<= 2.0.6 (fixed in 2.0.7) |
>>> SI SOFTWARE | |
SiSoft Sandra (dwmapi.dll) |
|
>>> SMPLAYER | |
SMPlayer (wintab32.dll) |
0.6.9 |
>>> STEAM | |
Steam Games (steamgamesupport.dll) |
|
>>> SOMUD | |
SoMud P2P (torrent) (wintab32.dll) |
<= 1.2.8 |
>>> SONY | |
Sound Forge Pro (mtxparhvegaspreview.dll) |
10.0 |
>>> SORAX | |
Sorax PDF Reader (pdf) (dwmapi.dll) |
<= 2.0 |
>>> SKYPE | |
Skype (wab32.dll) |
<= 4.2.0.169 |
>>> SWEETSCAPE | |
010 Editor (lsc,bt,hex,s19,s28,s37) (wintab32.dll) |
3.1.2 |
>>> TEAMMATE | |
Teammate audit mgmt software suite (mfc71enu.dll) |
v8 |
>>> TEAMVIEWER | |
Teamviewer (tvc, tvs) (dwmapi.dll) |
<= 5.0.8703 (patched in 5.1.9072) |
>>> TECHSMITH | |
TechSmith Snagit (.snag) (dwmapi.dll) |
<= 10 build 788 |
TechSmith Snagit accessories (results) | latest |
TechSmith Snagit profiles (snagprof) | latest |
>>> TORTOISE | |
Tortoise SVN (all registered filetypes) (dwmapi.dll) |
v1.6.10 (b19898) |
>>> TRACKER SOFTWARE | |
PDFXChange Viewer (pdf) (wintab32.dll) |
<= 2.0 (b54.0) |
>>> ULTRA | |
Ultra VNC Viewer (vnc) (vnclang.dll) |
<= 1.0.6.4 |
>>> uTORRENT | |
uTorrent (userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, rpcrtremote.dll) .torrent (plugin_dll.dll) |
<= 2.0.3 / <= 2.0.3 (fixed in 2.0.4 (b21431)) |
>>> VIDEOLAN | |
VLC media player (mp3) (wintab32.dll) |
<= 1.1.3 (fixed in 1.1.4) |
>>> VIRTUAL DJ | |
Virtual DJ (mp3) (hdjapi.dll) |
6.1.2 |
>>> WINMERGE | |
WinMerge (mfc71*.dll) |
2.12.4 |
>>> WIRESHARK | |
Wireshark (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…) (airpcap.dll, tcapi.dll) |
<= 1.2.10 (patched in 1.4) |
dumpcap (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…) (airpcap.dll, tcapi.dll) |
<= 1.2.10 (patched in 1.4) |
Want to contribute ?
If you want to contribute, send the application name, version, and file extension to peter.ve[at] corelan.be
Thanks to the people who have contributed so far : EdiStrosar, 0xjudd, xanda, Dinosn, saintanthony, PieterDanhieux, Lofi, Mark Crowther, h4ck3r#47,_coreDump, ikki, diwr, LiquidWorm, Nikhil Mittal, Chris Anderson, FInverse, Chris John Riley, nullthreat, Aung Khant, SafetyFirstXL125, spot, Classity, Jacky Jack, guelfoweb, Kervala, m1k3, Glafkos Charalambous, extraexploit, Nagareshwar Talekar, Anastasios Monachos, Antisecurity, Oliver Wege
Other info
http://support.microsoft.com/kb/2389418
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://support.microsoft.com/kb/2264107
Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte
© 2010 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
Similar/Related posts:
8 Responses to DLL Hijacking (KB 2269637) – the unofficial list
Corelan Training
Check out our schedules page here and sign up for one of our classes now!
Donate
Your donation will help funding server hosting.
Corelan Team Merchandise
Corelan on Slack
You can chat with us and our friends on our Slack workspace:
Pingback: DLL Hijacking Linux (Windows like) « Security et alii
Pingback: Microsoft ships 'Fix-It' for DLL load hijacking attack vector | ZDNet
Pingback: Microsoft DLL Pre-loading ‘Fix-It’ Released « MadMark's Blog