Tampa Tech Wire - News and Technology From Around The Bay                  

New DLL Search Order Hijacking Technique Targets WinSxS Folder

Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder.

A newly identified DLL search order hijacking technique has been reported by Security Joes, a leading incident response company. This technique allows adversaries to infiltrate and execute malicious code within Windows’ WinSxS folder, potentially deceiving security tools and analysts.

DLL search order hijacking typically exploits applications that do not specify the full path of a required library or file but rely on a predefined search order. Attackers strategically place a malicious DLL in a folder prioritized in the search order, often within the application’s working directory, ensuring it loads before the legitimate library the application needs. In some cases, attackers may drop a legitimate but vulnerable application to abuse for DLL loading.

By manipulating this loading process, threat actors can inject and execute unauthorized code within the memory space of a trusted process. Security Joes emphasizes the impact of this technique on evading security measures.

“Manipulating this loading process allows threat actors to inject and execute unauthorized code within the memory space of a trusted process, effectively deceiving security tools and analysts,” Security Joes explains.

According to Security Joes, attackers can specifically target files in the WinSxS folder to enhance the stealthiness of their attacks. This approach eliminates the need for dropping additional binaries or obtaining high privileges to execute code within applications located in a Windows folder.

The WinSxS (Windows Side by Side) folder serves as a centralized repository for system files, including DLLs, ensuring application compatibility and system integrity. Security Joes notes that this directory is populated and used during the installation of Windows components, updates, or software applications.

In its research, Security Joes identified a vulnerable binary within the WinSxS folder and exploited Windows’ behavior when searching for system files. This ensured that a crafted DLL placed in a custom folder on the desktop was loaded by the binary using DLL search order hijacking.

Security Joes also developed an executable designed to execute all other binaries in the WinSxS folder and monitor their operations. This executable identifies vulnerable files residing in the WinSxS folder. Some binaries in the WinSxS folder were found to be searching for DLLs in the custom desktop folder, suggesting that they would load the crafted library if renamed to match the expected DLL file.

Security Joes highlights the simplicity and effectiveness of this implementation, requiring only a command line and a DLL for injection. By relying on vulnerable executables in WinSxS, this technique streamlines the infection chain associated with DLL search order hijacking, eliminating the need for dropping a vulnerable application. Additionally, the technique is applicable to both Windows 10 and 11 systems, expanding its potential impact.
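The defender-side counterpart to the behavior described above is to watch which DLLs WinSxS-resident executables actually load. The following is an added example (not Security Joes' tooling or code from this article) that scans Sysmon Event ID 7 (ImageLoad) style records and flags any executable under C:\Windows\WinSxS that loads a DLL from outside the trusted Windows directories, such as a user-writable folder on the desktop. The record format, paths and log lines are constructed for illustration.

```python
"""Flag WinSxS executables that load DLLs from outside trusted Windows
directories, based on Sysmon Event ID 7 (ImageLoad) style records.
Added example; the log lines below are constructed, not real telemetry."""
from pathlib import PureWindowsPath

# Directories from which a WinSxS-resident binary is expected to load DLLs.
TRUSTED_DLL_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)
WINSXS_DIR = r"C:\Windows\WinSxS"


def _under(path: str, root: str) -> bool:
    """Case-insensitive test that `path` lies beneath directory `root`."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return r in p.parents


def parse_record(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' ImageLoad record (constructed format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_suspicious_load(rec: dict) -> bool:
    """True when a WinSxS executable loads a DLL from a non-trusted directory."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if not _under(image, WINSXS_DIR):
        return False  # only WinSxS-resident executables are in scope here
    return not any(_under(loaded, d) for d in TRUSTED_DLL_DIRS)


def find_suspicious(lines):
    """Return the parsed records that should be investigated."""
    return [r for r in map(parse_record, lines) if is_suspicious_load(r)]


# Constructed sample records: a normal System32 load, then the same WinSxS
# binary pulling a DLL out of a user-writable folder on the desktop, then a
# non-WinSxS application that this rule deliberately leaves to other checks.
SAMPLE_LOG = [
    r"Image=C:\Windows\WinSxS\amd64_example_component\tool.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Windows\WinSxS\amd64_example_component\tool.exe|ImageLoaded=C:\Users\alice\Desktop\custom\helper.dll|Signed=false",
    r"Image=C:\Program Files\App\app.exe|ImageLoaded=C:\Users\alice\Desktop\custom\helper.dll|Signed=false",
]

if __name__ == "__main__":
    for r in find_suspicious(SAMPLE_LOG):
        print("SUSPICIOUS:", r["Image"], "->", r["ImageLoaded"])
```

In production the trusted-directory list should be derived from the host's actual system root rather than hard-coded, and the `Signed` field can be used as a second filter.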
