Didier Stevens

Thursday 26 August 2010

Quickpost: Ariad & DLL Preloading

Filed under: My Software,Quickpost,Vulnerabilities — Didier Stevens @ 12:11

I’m writing this quickpost just in case you hadn’t figured this out for yourself: the techniques I described to protect machines from the .LNK vulnerability also help you mitigate the DLL preloading issue.

The .LNK vulnerability mitigation examples I gave with Ariad (no file execute) and SRP prevent loading of DLLs from untrusted locations (USB sticks, network drives, …). These will also prevent DLLs from loading from untrusted sources in the case of DLL Preloading exploits.
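A simplified model of the default-deny path policy described above, as an added example (not code from the original post, and not how SRP or Ariad are implemented): it flags DLL loads that come from outside an assumed allow-list of local directories. The trusted roots, the sample records and the function names are constructed for illustration.

```python
import ntpath  # Windows path semantics on any host OS

# Assumed allow-list modelled on a default-deny policy with path rules
# for the Windows and Program Files directories (hypothetical values).
TRUSTED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]

def norm(path):
    """Collapse '..' and '/' and lower-case the path (Windows paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted(dll_path, roots=TRUSTED_ROOTS):
    """True only for an absolute drive-letter path located under a trusted root."""
    p = norm(dll_path)
    drive, rest = ntpath.splitdrive(p)
    # UNC shares (\\server\share\...) and relative paths are never trusted.
    if not drive or drive.startswith("\\\\") or not rest.startswith("\\"):
        return False
    for root in roots:
        r = norm(root)
        # Require a separator after the root so C:\WindowsEvil does not match C:\Windows.
        if p == r or p.startswith(r + "\\"):
            return True
    return False

def untrusted_loads(records, roots=TRUSTED_ROOTS):
    """Return the (process image, DLL) records whose DLL lies outside the trusted roots."""
    return [(image, dll) for image, dll in records if not is_trusted(dll, roots)]

# Constructed module-load records (process image, loaded DLL); not real telemetry.
APP = r"C:\Program Files\App\app.exe"
SAMPLE_LOADS = [
    (APP, r"C:\Windows\System32\kernel32.dll"),               # trusted
    (APP, r"\\fileserver\docs\helper.dll"),                   # network share (UNC)
    (APP, r"E:\slides\helper.dll"),                           # removable drive
    (APP, r"C:\Program Files\..\Users\Public\helper.dll"),    # '..' escapes the root
    (APP, "c:/windows/SYSTEM32/user32.dll"),                  # trusted after normalisation
    (r"D:\PortableApps\tool\tool.exe", r"D:\PortableApps\tool\tool.dll"),
]

if __name__ == "__main__":
    for image, dll in untrusted_loads(SAMPLE_LOADS):
        print(f"untrusted DLL load: {dll} (by {image})")
```

The last record shows the side effect of a default-deny policy: software installed outside the allow-list is flagged too until its directory is added as a root.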

Quickpost info


  1. This protects against the dropped DLLs but not against the DLLs that are malicious but that are already integrated into the software ‘or the update’. Also, this starts from the opinion that DLLs have to be dropped from half external sources, but what about the millions of PCs that are already under the control of botnets? The problem is that one has to be able to identify (md5 ?) all the different parts of the software as being genuine.

    I also think there are some smarter ways to include malicious DLLs in programs, but I think that it is not so easy to do this in a very smart way, although with social engineering and ‘actwriting’ (writing your attack scenario as if it was a film) one should be able to set up an attack that could compromise even very important infrastructures – although it will depend on the individual rights and functions of the specific vulnerable because misplaced DLL. I am thinking about the vulnerable PuTTY, Cisco network tools and probably some security software or banking and identification software.

    We all presume that these are very secure but they seem not to be programmed according to the rules.


    Comment by len — Thursday 26 August 2010 @ 19:35

  2. Wow, does SRP really apply to network shares and WebDAV too? I always thought it only applied to local drives (internal, external and removable). So if I open an SMB or WebDAV share and try to execute something from there, an SRP like described in https://blog.didierstevens.com/2010/07/20/mitigating-lnk-exploitation-with-srp/ will reliably prevent it? Thx

    Comment by Getafix — Friday 27 August 2010 @ 2:12

  3. @Getafix I know it does for SMB shares (either by mapping a drive letter to a network share or by using UNC), but I doubt it does for WebDAV. I’ll need to test.

    Comment by Didier Stevens — Friday 27 August 2010 @ 11:23

  4. I had no idea SRP was *that* powerful! I will test how SRP does with SMB shares when I get to work; it would be really cool if someone who has WebDAV around could test for that. Thx for this quickpost, Didier, it’s been very useful =)

    Comment by Getafix — Friday 27 August 2010 @ 11:33

  5. Nice tool, and SRP is working fine as well. But portable apps (from USB) will be blocked as well. The same goes for applications (with DLLs) installed in a different directory (besides C:\).

    Comment by xanda — Friday 27 August 2010 @ 19:02
