
DLL Hijacking (KB 2269637) – the unofficial list

This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature, or whatever you want to call it). Note that I did not test these applications myself.

If you have found other applications to be vulnerable and want to add them to the list, send me a mail.

Please note that I will not list instances where you have to replace a dll in the application folders. I do not consider those examples to be valid cases of dll hijacking (after all, if you have to replace a dll, you might as well replace the executable itself).

You can use the list below to build a GPO, a custom .adm file or a .reg file that alters the default dll loading behaviour for those applications, as explained in http://support.microsoft.com/kb/2264107. I highly recommend reading that page and implementing the workaround (in conjunction with the other suggested workarounds, such as disabling the WebClient service, blocking outbound SMB traffic, blocking the PROPFIND method on proxy servers, etc.).

In addition to this, if you installed the workaround suggested by Microsoft, you can now use the Microsoft FixIt Tool to further refine the settings. You must have installed the CWDIllegalInDllSearch utility prior to using FixIt.
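As an added example (not Microsoft's FixIt, the CWDIllegalInDllSearch utility, or code from this post), the script below emits the .reg file the paragraph above talks about: one Image File Execution Options section per executable, with the CWDIllegalInDllSearch DWORD values as documented in KB 2264107 (assumed from that article, not stated on this page). The executable names are a constructed sample taken from the list further down.

```python
# Build a .reg file applying the KB 2264107 per-application CWDIllegalInDllSearch
# workaround. Added example for this page; not Microsoft's FixIt or the utility's code.

# DWORD values as documented in KB 2264107 (assumption: taken from that article).
CWD_POLICY = {
    "webdav": 0x1,        # block DLL loads from the CWD only when the CWD is a WebDAV folder
    "remote": 0x2,        # block when the CWD is any remote folder (WebDAV or UNC/SMB)
    "never": 0xFFFFFFFF,  # remove the CWD from the DLL search order entirely
}

# The per-application setting lives under Image File Execution Options; the
# system-wide default lives under Session Manager.
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"


def reg_section(key: str, policy: str) -> str:
    """One [key] section setting the DWORD; .reg files expect 8 hex digits."""
    return f'[{key}]\n"CWDIllegalInDllSearch"=dword:{CWD_POLICY[policy]:08x}\n'


def reg_for_exe(exe: str, policy: str) -> str:
    """Section for a single executable; IFEO keys are bare image names, not paths."""
    if not exe.lower().endswith(".exe") or "\\" in exe or "/" in exe:
        raise ValueError(f"expected a bare executable name, got {exe!r}")
    return reg_section(f"{IFEO}\\{exe}", policy)


def build_reg(exes, policy="remote", system_wide=None) -> str:
    """Complete .reg text: optional system-wide default plus one section per exe."""
    parts = ["Windows Registry Editor Version 5.00\n"]
    if system_wide is not None:
        parts.append(reg_section(SESSION_MANAGER, system_wide))
    for exe in sorted({e.lower() for e in exes}):  # de-duplicate, case-insensitive
        parts.append(reg_for_exe(exe, policy))
    return "\n".join(parts)


# Executables named in the list on this page (constructed sample input).
SAMPLE_EXES = ["audition.exe", "javaw.exe", "wab.exe", "grpconv.exe", "JAVAW.EXE"]

if __name__ == "__main__":
    print(build_reg(SAMPLE_EXES, policy="never"))
```

Import the resulting file on a test machine first, or push the same values through a GPO; the "never" policy can break applications that legitimately load plugins from the working directory.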

How to audit?

If you want to test your own applications, have a look at this and this post on the metasploit blog. Make sure to grab the latest version of the audit package here, or use svn update on your metasploit installation (and then copy the zip file from the external/source folder to the Windows system you want to audit).

b0telh0 made a small video demonstrating the use of the audit kit and how it can lead to an exploit: http://www.vimeo.com/14442659

Alternatively, you can use DllHijackAuditor. It was developed to overcome some of the limitations of the DllHijackAuditKit. More info about this tool can be found here. I highly recommend running this tool on your systems as well.
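The audit kits mentioned above work by opening each registered file type from a test folder while Process Monitor records which DLLs the application tries to load from that folder and fails to find. The following triage routine, added here as an example and not code from either kit, performs that filtering on a Process Monitor CSV export (standard "Save as CSV" columns assumed); the log lines are a constructed sample, and reader.exe is a placeholder name.

```python
# Triage a Process Monitor CSV export for DLLs an application tried to load from the
# folder holding the opened document. Added example; not the DllHijackAuditKit's code.
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}   # procmon results for a missing file
OPEN_OPS = {"CreateFile", "IRP_MJ_CREATE"}         # file-open operation, either display mode


def missing_dlls(csv_text: str, watch_dir: str):
    """Map process name -> sorted DLL names it looked for in watch_dir without finding them."""
    watch = PureWindowsPath(watch_dir)
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        if (row["Operation"] in OPEN_OPS
                and row["Result"] in NOT_FOUND
                and path.suffix.lower() == ".dll"
                and path.parent == watch):  # PureWindowsPath compares case-insensitively
            hits[row["Process Name"].lower()].add(path.name.lower())
    return {proc: sorted(dlls) for proc, dlls in hits.items()}


# Constructed sample: a document opened from a share; the search walks the application
# folder and System32 first, and only the lookup in the document's folder is a finding.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","reader.exe","1234","CreateFile","\\fileserver\share\test.pdf","SUCCESS","Desired Access: Generic Read"
"10:01:02.2","reader.exe","1234","CreateFile","C:\Program Files\Reader\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","reader.exe","1234","CreateFile","C:\Windows\System32\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","reader.exe","1234","CreateFile","\\fileserver\share\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","reader.exe","1234","CreateFile","\\fileserver\share\notes.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.6","explorer.exe","800","CreateFile","\\fileserver\share\desktop.ini","NAME NOT FOUND","Desired Access: Generic Read"
'''

if __name__ == "__main__":
    for proc, dlls in missing_dlls(SAMPLE_CSV, r"\\fileserver\share").items():
        print(f"{proc}: {', '.join(dlls)}")
```

Run it against the folder you opened the test files from; an application that shows up here is a candidate for the CWDIllegalInDllSearch workaround described earlier on this page.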

Potentially vulnerable applications (each entry gives the application with the file extensions that trigger the load, the dll name(s) it looks for, and the affected version):

Application / DLL(s) / Version
>>> ADOBE
Adobe Captivate (cp, cpt, cprr, cptl, fcz, rd, rdt)
(winpens.dll)
3
Adobe Dreamweaver
(mfc90loc.dll, mfc90ptb.dll(lang-dependent))
CS4 (<= 10.0 build 4117)
CS5 (<= 11.0 build 4909)
Adobe ExtendedScript Toolkit
(dwmapi.dll)
CS5 v3.5.0.52
Adobe Extension Manager (mxi,mxp)
(dwmapi.dll)
CS5 v5.0.298
Adobe Photoshop
(wintab32.dll)
CS2
Adobe Fireworks CS3, CS4 and CS5
Adobe Device Central
(qtcf.dll)
CS5
Adobe Illustrator (ait, eps)
(aires.dll)
CS4 v14.0.0
Adobe On Location (olproj)
(ibfs32.dll)
CS4 build 315
Adobe Indesign (indl, indp, indt, inx)
(ibfs32.dll)
CS4 v6.0
Adobe Premier (pproj, prfpset, prexport, prm, prmp, prpreset, prproj, prsl, prtl, vpr)
(ibfs32.dll)
Pro CS4 314
Adobe Audition (audition.exe) (cdl, cel, dbl, dwd, pcm, sam, ses, smp, svx, vox)
(assist.dll, ff_theora.dll, quserex.dll, skl_drv_mpg.dll)
3.0.7283.0 (Win7 x64)
>>> ALADDIN
Aladdin eToken PKI Client (etc, etcp)
(wintab32.dll)
5.0.0.65
>>> AlTools
AlZip (all associated archive file formats)
(mfc90*.dll, propsys.dll)
<= 8.0.6.3
AlSee (ani, bmp, cal, hdp, jpe, mac, pbm, pcx, pgm, png, psd, ras, tga, tiff)
(patchani.dll)
<= 6.20.0.1
>>> APPLE
Safari
(dwmapi.dll)
<= 5.0.1
Quicktime Player (mac, pic, pntg, qtif)
(cfnetwork.dll, corefoundation.dll)
<= 7.64.17.13
>>> ARCHICAD
ArchiCAD
(srcsrv.dll)
13.0
>>> AVAST
Avast! (license file .avastlic)
(mfc90loc.dll)
<= 5.0.594
>>> AVISCREEN
Aviscreen Pro (just a lnk file to the app will do)
(iccvid.dll, ir32_32.dll, yuv_32.dll, msrle32.dll, msvidc32.dll, msyuv.dll, tsbyuv.dll, iacenc.dll, tsbyuv.dll)
3.1
>>> BITMANAGEMENT
BS Contact VRML/X3D (bskey, bswrl, bxwrl, j2k, jp2, vrml, wrl, wrz, x3dvz, x3dv, x3dz, x3d)
(d3dref9.dll, siappdll.dll)
<= 7.218
>>> BRAVA
Brava PDF Reader (csf, pdf, sid, tiff, tif, xdl, xps)
(dwmapi.dll)
<= 3.3.0.18
>>> BREAKPOINT
HexWorkshop
(pe932d.dll, pe936d.dll, pegrc32d.dll)
6.0.1.460.3
>>> BS.Player
BS.player (mp3)
(mfc71loc.dll, ehtrace.dll)
<= 2.56
>>> CAMTASIA
Camtasia Studio (cmmp,cmmtpl,camproj,camrec)
(dwmapi.dll)
<= 6 build 689
Camtasia Studio
(mfc90*.dll)
7
>>> CDISPLAY
CDisplay (cba, cbr, cbt, cbz)
(trace32.dll)
1.8.10
>>> CELFRAME
CelFrame Office Write (doc)
(java_msci.dll, msci_java.dll)
Office Suite 2008
CelFrame Office Spreadsheet (xls)
(java_msci.dll, msci_java.dll)
Office Suite 2008
CelFrame Office Publisher (sla)
(wintab32.dll)
Office Suite 2008
CelFrame Office Draw (odg)
(java_msci.dll, msci_java.dll)
Office Suite 2008
CelFrame Office Photo Album (plx)
(wintab32.dll)
Office Suite 2008
>>> CISCO
Cisco Packet Tracer (pkt, pkz)
(wintab32.dll)
5.2
>>> CITRIX
Citrix ICA Client (ica)
(pncachen.dll, wfapi.dll)
<= v9.0.32649.0
>>> COREL
Corel Draw (cmx,csl)
(crlrib.dll)
<= X3 v13.0.0.576
Corel PhotoPaint (cpt)
(crlrib.dll)
<= X3 v13.0.0.576
>>> CYBERLINK
PowerDirector (iso, pdl, p2g, p2i)
(mfc71*.dll)
7
Power2Go DVD (iso, pdl, p2g, p2i)
(mfc71*.dll)
6
>>> DAEMON TOOLS
DAEMON Tools Lite (mdf, mds, mdx)
(mfc80loc.dll)
4.35.6.0091
>>> DVDFAB
DVDFab Platinum (dvdfab5, dvdfabplatinum5, dvdfabgold5, dvdfabmobile)
(quserex.dll)
5.2.3.2
DVDFab (dvdfab6, dvdfab*2*, dbdfabfilemover)
(dwmapi.dll,mfc90*.dll,nvcuda.dll,quserex.dll)
7.0.4.0
>>> E-PRESS
E-Press ONE Office Author (psw)
(java_mcsi.dll, mcsi_java.dll)
E-Press ONE Office E-NoteTaker (txt)
(mfc71*.dll)
E-Press ONE Office E-Zip (rar, tar)
(mfc71*.dll)
>>> GDOC
gDoc Fusion (dwfx, jtx, pdf, xps)
(wintab32.dll, ssleay32.dll)
<= 2.5.1
>>> GUIDANCE
Encase (endump)
(rsaenh.dll)
<= 6.17.0.90
>>> ETTERCAP <= NG 0.7.3
Ettercap
(wpcap.dll)
>>> EZBSYSTEMS
Ultra ISO
(daemon.dll)
Premium 9.36
>>> FORENSIC TOOLKIT
Forensic Toolkit (ftk) <= v1.8.1.6
>>> FOTOBOOK
Fotobook Editor (dtp)
(fwpuclnt.dll)
5.0 v2.8.0.1
>>> GFI
GFI Backup (gbc,gbt)
(armaccess.dll)
2009 Home Edition
>>> GILLES VOLLANT
WinImage (bzw, dsk, img, imz, iso, vfd, wil, wlz)
(wnaspi32.dll)
8.0.0.8000 (win7 x64)
>>> GOOGLE
Google Chrome
(chrome.dll)
latest
Google Earth (kmz)
(quserex.dll)
<= v5.1.3535.3218
>>> HTTRACK
WinHTTrack Website Copier (whtt)
(mfc71enu.dll, mfc71loc.dll)
3.43-7
>>> IBM
Lotus Notes client (ndl,ns2,ns3,nsf,nsg,nsh,ntf)
(kernel32.dll)
5.0.12
IBM Rational License Key Administrator (upd)
(ibfs32.dll)
< 7.0.0.0 (fixed in 7.0.0.0)
Lotus Symphony Office Suite (odm, odt, otp, stc, stw, sxg, sxw)
(eclipse_1114.dll)
<= 3 beta 4
>>> IDM COMPUTER SOLUTIONS
UltraEdit (bin, cpp, css, c, dat, hpp, html, h, ini, java, log, mak, php, prj, txt, xml)
(dwmapi.dll)
<= 16.10.0.1036
>>> INKSCAPE
Inkscape (svgz)
(quserex.dll)
<= 0.48.0 r9654
>>> INTERVIDEO
Intervideo WinDVD
(cpqdvd.dll)
5
>>> INTUIT
Quickbooks (des,qbo,qpg)
(dbicudtx11.dll, mfc90enu.dll, mfc90loc.dll)
Pro 2010
>>> IZARC
IZArc (all archive formats)
(ztv7z.dll)
<= 4.1.2
>>> JUNIPER / NCP
NCP Secure Client (pcf, spd, wge, wgx)
(dvccsabase002.dll, conman.dll, kmpapi32.dll)
<= 9.23.017
NCP Secure Entry Client (pcf, spd, wge, wgx)
(conman.dll, dvccsabase002.dll, kmpapi32.dll, ncpmon2.dll)
<= 9.23.017
>>> KEEPASS
KeePass Password Safe (kdb)
(bcrypt.dll)
<= 1.15
(fixed in 1.18)
KeePass Password Safe (kdbx)
(dwmapi.dll, bcrypt.dll)
<= 2.12
(fixed in 2.13)
>>> KINETI
Kineti Count (kcp)
(dwmapi.dll)
1.0 beta
>>> KINGSOFT
Kingsoft Office Writer (doc, rtf)
(plgpf.dll)
2010
Kingsoft Office Presentation (ppt)
(lpgpf.dll)
2010
Kingsoft Office Spreadsheets (xls)
(plgpf.dll)
2010
>>> MAXTHON
Maxthon Browser (htm, html, mhtml)
(dwmapi.dll)
2.5.15.1000 Unicode
>>> MEDIAMONKEY
Mediamonkey (apl, fla, m4b, mmip, mp+, mpp)
(dwmapi.dll)
3.2.0.1294
>>> MEDIA PLAYER
Mediaplayer Classic mpc (all formats)
(iacenc.dll)
<= 1.3.2189.0
Media Player Classic (3gp, 3gp2, flv, m4b, m4p, m4v, mp4, spl)
(ehtrace.dll, iacenc.dll)
<= v6.4.9.x
>>> MICROCHIP
mplab IDE (mcp,mcw)
(mfc71*.dll)
8.43
>>> MICROSOFT
MS Powerpoint (odp,pot,potm,pptx,ppt,ppa,pps,ppsm,ppsx,pptm,pwz,sldm,sldx)
(2003 : ophookse4.dll)
(pptimpconv.dll, pp7x32.dll,rpawinet.dll) – verified on 32 & 64bit
2003
2007
2010
MS Word (docx)
(rpawinet.dll)
2007
MS Virtual PC (vmc)
(midimap.dll)
2007
Ms Visio (vtx – 2003, vss – 2010)
(2003 – mfc71enu.dll, 2010 – dwmapi.dll)
2003
2010
MS Office Groove (wav, p7c)
(mso.dll)
2007
MS Windows Mail (nws)
(wab32res.dll)
MS Windows Live Email (eml,rss)
(dwmapi.dll, peerdist.dll)
<= 14.0.8089.726
MS Movie Maker (flv, icon, mkv, mqv, mswmn, ogg, qt, wlmp)
(hhctrl.ocx)
<= 2.6.4038.0
MS Vista Backup Manager (.wbcat)
(fveapi.dll)
MS Internet Connection Signup Wizard
(smmscrpt.dll)
latest
MS Internet Communication Settings (isp)
(schannel.dll)
latest
MS Group Convertor (grp)
(imm.dll)
latest
MS Clip Organizer (mpf)
(twcgst.dll)
<= 11.8164.8324 (XP SP3)
MS Clip Book Viewer
(mfaphook.dll)
MS Snapshot viewer (snp)
(mfc71enu.dll, mfc71loc.dll)
11
Windows Program Group / grpconv.exe (grp)
(imm.dll)
latest
MS Windows Address Book wab.exe/Contacts (wab, p7c, contact, group, vcf)
(wab32res.dll)
XP, Vista
silently patched on Win7
MS RDP Client (rdp)
(dwmapi.dll – Win7, ieframe.dll – XPSP3)
v6.1.7600.16385 (Win7)
v6.0.6001.18000 (XP SP3)
MS Visual Studio devenv.exe (cur, rs, rct, res)
(NULL.dll)
2008
wscript (jse) / (js, vbs)
(wshfra.dll) (traceapp.dll)
XP version
MS Windows Media Encoder (prx)
(wmerrorenu.dll, winietenu.dll, asferrorenu.dll)
9.00.00.2980
MS ATL Trace Tool (atltracetool8.exe) (trc)
(dwmapi.dll)
10.0.30319.1
MS DirectShow SDK Filter Graph Editor (grf)
(ehtrace.dll, measure.dll)
10.0.0.0 (Win7 x64)
MS Help & Support Center
(wshfra.dll)
MS Live Writer (wpost)
(peerdist.dll)
<= 14.0.8089.726
>>> MOOVIDA
Moovida Media Player (f4v, flv, img, dv)
(libc.dll, quserex.dll)
<= 2.0.0.15
>>> MOZILLA
Firefox (htm, html, jtx, mfp, shtml, xaml)
(dwmapi.dll)
<= 3.6.8
(fixed in 3.6.9 and 3.5.12)
Mozilla Thunderbird (eml,html)
(dwmapi.dll)
3.1.2 (fixed in 3.1.3)
>>> MUVEE
Muvee Reveal (rvl)
(peerdist.dll)
7.0.43 build 11502
>>> NETSTUMBLER
NetStumbler (ns1)
(mfc71enu.dll, mfc71loc.dll)
0.4.0
>>> NITRO
Nitro PDF Reader (pdf)
(dwmapi.dll, nprender.dll)
fixed in 1.3
>>> NOKIA
Nokia Suite ContentCopier
(wintab32.dll)
Nokia Suite Communication Centre
(wintab32.dll)
>>> NOTEPAD++
Notepad++ (shtml, css, inc, inf, ini, log, scp, wtx, shtml)
(scinlexer.dll)
5.7 (fixed in 5.8)
>>> NUANCE
Nuance PDF (pdf)
(dwmapi.dll, exceptiondump.dll)
<= 6.0
>>> NULLSOFT
Winamp (669,aac,aiff,amf,au,avr,b4s,caf,cda)
(wnaspi32.dll, dwmapi.dll)
5.581
Winamp (b4s, m3u8, m3u, pls)
(wnaspi32.dll)
5.5.8.2985 (Win7 x64)
>>> NVIDIA
NVidia Driver (tvp)
(nview.dll)
latest
>>> OMNIPEEK
Omnipeek Personal (pkt, wac)
(mfc71loc.dll)
4.1
>>> OPERA
Opera (htm, html, mht, mhtml, xht, xhtm, xhtl)
(dwmapi.dll)
<= 10.61
Opera widgets (wgt)
>>> ORACLE
Java Web Start (javaw.exe) (jnlp)
(schannel.dll)
1.6 update 21
>>> PGP
PGP Desktop (pgp)
(credssp.dll)
<= 9.8
PGP Desktop (p12,pem,pgp,prk,prvkr,pubkr,rnd,skr)
(tsp.dll, tvttsp.dll)
<= 9.10
<= 10.0.0
>>> PIXIA
Pixia (pxa)
(wintab32.dll)
3.1j
>>> PUTTY
putty
(winmm.dll)
0.60
>>> QT WEB
QtWeb (htm, html, mhtml, xml)
(wintab32.dll)
<= 3.3 b043
>>> QCCIS
Forensic CaseNotes (notes)
(credssp.dll)
<= 1.3.2010.6
>>> REAL
Real Player
(wnaspi32.dll)
<= 1.1.5 build 12.0.0.879
>>> RIM / BLACKBERRY
Blackberry Desktop Manager
(mapi32x.dll)
<= 6.0.0 (fixed in 6.0.0.43)
>>> ROXIO
Roxio Photosuite
(homeutils9.dll)
9
Roxio MyDVD (dmsd,dmsm)
(homeutils9.dll)
9
Roxio Creator DE
(homeutils9.dll)
<= 9.0.116
Roxio Central (c2d, cue, gi, iso, roxio)
(homeutils10.dll, dlaapi_w.dll, sonichttpclient10.dll, tfswapi.dll)
3.6
>>> SEAMONKEY
SeaMonkey (html, xml, txt, jpg)
(dwmapi.dll)
<= 2.0.6 (fixed in 2.0.7)
>>> SI SOFTWARE
SiSoft Sandra
(dwmapi.dll)
>>> SMPLAYER
SMPlayer
(wintab32.dll)
0.6.9
>>> STEAM
Steam Games
(steamgamesupport.dll)
>>> SOMUD
SoMud P2P (torrent)
(wintab32.dll)
<= 1.2.8
>>> SONY
Sound Forge Pro
(mtxparhvegaspreview.dll)
10.0
>>> SORAX
Sorax PDF Reader (pdf)
(dwmapi.dll)
<= 2.0
>>> SKYPE
Skype
(wab32.dll)
<= 4.2.0.169
>>> SWEETSCAPE
010 Editor (lsc,bt,hex,s19,s28,s37)
(wintab32.dll)
3.1.2
>>> TEAMMATE
Teammate audit mgmt software suite
(mfc71enu.dll)
v8
>>> TEAMVIEWER
Teamviewer (tvc, tvs)
(dwmapi.dll)
<= 5.0.8703
(patched in 5.1.9072)
>>> TECHSMITH
TechSmith Snagit (.snag)
(dwmapi.dll)
<= 10 build 788
TechSmith Snagit accessories (results) latest
TechSmith Snagit profiles (snagprof) latest
>>> TORTOISE
Tortoise SVN (all registered filetypes)
(dwmapi.dll)
v1.6.10 (b19898)
>>> TRACKER SOFTWARE
PDFXChange Viewer (pdf)
(wintab32.dll)
<= 2.0 (b54.0)
>>> ULTRA
Ultra VNC Viewer (vnc)
(vnclang.dll)
<= 1.0.6.4
>>> uTORRENT
uTorrent
(userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll,
dhcpcsvc.dll, dhcpcsvc6.dll, rpcrtremote.dll)
.torrent (plugin_dll.dll)
<= 2.0.3 / <= 2.0.3
(fixed in 2.0.4 (b21431))
>>> VIDEOLAN
VLC media player (mp3)
(wintab32.dll)
<= 1.1.3
(fixed in 1.1.4)
>>> VIRTUAL DJ
Virtual DJ (mp3)
(hdjapi.dll)
6.1.2
>>> WINMERGE
WinMerge
(mfc71*.dll)
2.12.4
>>> WIRESHARK
Wireshark (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…)
(airpcap.dll, tcapi.dll)
<= 1.2.10
(patched in 1.4)
dumpcap (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…)
(airpcap.dll, tcapi.dll)
<= 1.2.10
(patched in 1.4)

Want to contribute?

If you want to contribute, send the application name, version, dll name and file extension to peter.ve[at]corelan.be

Thanks to the people who have contributed so far: EdiStrosar, 0xjudd, xanda, Dinosn, saintanthony, PieterDanhieux, Lofi, Mark Crowther, h4ck3r#47, _coreDump, ikki, diwr, LiquidWorm, Nikhil Mittal, Chris Anderson, FInverse, Chris John Riley, nullthreat, Aung Khant, SafetyFirstXL125, spot, Classity, Jacky Jack, guelfoweb, Kervala, m1k3, Glafkos Charalambous, extraexploit, Nagareshwar Talekar, Anastasios Monachos, Antisecurity, Oliver Wege

Other info

http://support.microsoft.com/kb/2389418

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://support.microsoft.com/kb/2264107


Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte

© 2010, Corelan Team (corelanc0d3r). All rights reserved.
