Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

DLL Hijacking should be P2 or P3

See original GitHub issue

DLL Hijacking (also called DLL Side Loading and DLL search order hijacking) is currently classified under executable planting at a P4 or P5. As the title says, the I suggest this vulnerability be rated at a P2 or P3, because the originally assessed requirements were too narrowly scoped and the in the wild exploitation is akin to stealing an entities code-signing certificate.

This vulnerability was first proposed to the VRT in #16 and added in #28 . @jhaddix proposed this be rated at the current level based on access needed to conduct the attack. The attack scenario that I suspect this was based on is:

  1. attacker adds malicious DLL to same folder as target exe.
  2. user executes program (running the malware)

While this scenario is used in some cases, the usage in the wild is often different. As noted by:

We still occasionally come across this misconception that in a binary planting attack, the user has to willfully download a DLL or EXE and place it in some particular location on his computer, from where it will subsequently be launched. If this were true, binary planting would certainly be a ridiculous concept.

Actually though, in a typical binary planting attack the user doesn't have to download anything to his computer. He **opens a file from a remote (attacker-controlled) shared folder and the vulnerable application on his computer automatically, silently executes a DLL or EXE from that same remote folder**. 

In submissions of mine related to DLL Hijacking, I’ve pointed out the following posts to highlight the above quote from AcrossSecurity and illustrate in the wild exploitation:

This vulnerability is also classified by others as: HIGH - HIGH - (For Skype) 10 -

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:19 (5 by maintainers)

github_iconTop GitHub Comments

ryancblackcommented, Dec 29, 2017

Great discussion here from you both and very much appreciated. Our team is spinning back up during the holidays and end of year. Please expect further commentary and engagement by mid next week.

silascutlercommented, Jan 30, 2018

So, I’m going to close this because I think we have stalemated on this issue.

@subrosaassociates has nailed the need to reassess the weight of thick vs. web client vulns several times because we are comparing apples and potatoes here. There are different requirements to exploit a web vs. client vulnerabilities and different levels of risk to those capable of exploitation.

I want to caution the line of thinking:

That being said if the attacker convinces the victim to download and execute a malware package, that is game over

When looking at binary exploitation, there are vulnerabilities that go beyond delivery that allow attackers to persist or exploit additional areas.

The reason I have pushed on DLL side-loading is that it is an attack that can be exploited without the knowledge of the vendor. In the PlugX cases, unless it is reported, an attacker can abuse the trust in a company’s code-signing certificate for as long as the certificate is valid. (So, even if you patch the in next version, if the code signing cert is still valid, I can continue to exploit this until the certificate expires. )

Read more comments on GitHub >

github_iconTop Results From Across the Web

Windows DLL Hijacking (Hopefully) Clarified - itm4n's blog
If any of the %PATH% directories is writable, then a malicious version of the DLL could be planted and would be loaded by...
Read more >
DSA-2022-183: Dell GeoDrive Security Update for Multiple ...
Dell GeoDrive versions before 2.2 contain Multiple DLL Hijacking Vulnerabilities. A low privilege attacker may potentially exploit this ...
Read more >
Dll Hijacking - HackTricks
2. DLL search order hijacking: DLLs specified by an application without a path are searched for in fixed locations in a specific order...
Read more >
DLL Hijacking - Penetration Testing Lab
In this example the process Bginfo.exe is missing several DLL files which possibly can be used for privilege escalation. Step 2 – Folder ......
Read more >
What is DLL Hijacking? The Dangerous Windows Exploit
A single DLL file could run multiple programs, so multiple programs could potentially be comprised in a DLL hijacking attack.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found