TheWindowsClub News

TheWindowsClub Tech News covers the latest Microsoft Windows 10 news, along with other products & services like Office, etc.

Windows 10 vulnerable to relative path DLL Hijacking, bypassing User Account Control (UAC)

Almost 300 executable files in the System32 folder of the Windows 10 operating system are vulnerable to DLL Hijacking, claims a security researcher Wietze Beukema. According to Beukema, a simple VBScript can make these executables vulnerable to DLL Hijacking, entirely bypassing User Account Control (UAC).

Windows 10 Relative Path DLL Hijacking

System32 folder vulnerable to DLL Hijacking

First, let’s try to understand what is DLL. In the context of Windows 10 in particular, DLL stands for Dynamic Link Libraries. They are the external components of the operating system. The Dynamic Link Libraries store codes for other applications. DLL files are loaded into RAM only when required. As a result, they serve as extensions to different applications, thus saving memory.

In DLL Hijacking, attacker invokes third-party code by replacing an authentic code library with a tampered one or dropping a malicious payload on the search path. This way, attacker circumvents User Account Control in an attempt to drop a malicious payload onto a victim’s computer.

In this case, attackers could resort to relative path DLL Hijacking. This method involves copying the legitimate application to a user-writeable folder alongside the malicious DLL.

As Beukema illustrates, the biggest difficulty is to discover a vulnerable executable that can be exploited under default user permissions. The relative path is the weakest variant of DLL Hijacking.

The malware embedded the legitimate software and dropped it to disk has to be the result of copying the legitimate executable from Windows 10’s System32 folder. But it only works with vulnerable or unpatched executables.

“To prevent new versions of this technique to be successful, it is worthwhile identifying executables that are vulnerable to this kind of DLL hijacking.”

During his research, Beukema found 616 executables in Windows 10 v1909 vulnerable to relative path DLL Hijacking:

“Some applications come with a GUI, or some other visual element that gives away the binary was executed. This also includes error messages: required DLLs might be missing, and the hijacked DLL obviously lacks the original functionality. Attackers are less likely to target such applications for DLL hijacking purposes.”

How to prevent DLL Hijacking?

A simple method would be using absolute paths instead of relative ones. But since this is not possible for all applications, the better option is to verify all DLLs before loading them.

Earlier this month, cybersecurity researchers discovered a DLL Hijacking method employed by the Metamorfo malware campaign that primarily targets financial firms. Attackers were caught using reliable software components to compromise the computers, courtesy of DLL Hijacking.

Published on Tags:

AnandKhanse@TWC

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP (2016-2022). He enjoys following and reporting Microsoft news and developments in the world of Personal Computing.

Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap