[VIM] DLL hell: 2010

security curmudgeon jericho at attrition.org
Fri Aug 27 13:39:36 CDT 2010 

: Anybody giving thought to what they will do if / when every single vuln 
: that's affected by DLL hijacking / library loading is actually reported? 
: Maybe it's worse for CVE because we have a "CVE-10K" problem (i.e. what 
: to do if we hit CVE-yyyy-9999) but at some point one has to wonder about 
: the usability of VDBs if they're completely swamped by this issue.

We are adding them as normal, and abstracting per application 99% of the 
time since there are two big factors that change with each; the affected 
library(ies) and the types of file a user can open to trigger it.

: It's got to be on the order of hundreds if not thousands of potentially 
: vulnerable apps.  Apparently exploit-db has given up doing individual 
: records for them.

I was telling Carsten last night that I expect a big wave of them, that 
we had only seen the tip of the iceberg. However, I am really surprised 
that F-D hasn't been flooded with them yet and suggests that maybe it 
won't be as big as we realize. Perhaps even those who favor low hanging 
fruit think it is too low? On the other hand, i'd throw down a few dollars 
betting that we will see at least one mega-report listing hundreds of 
vulnerable applications. I imagine it wouldn't take much to develop a 
program that systematically checks all programs on a computer and produces 
a report of DLLs that are subject to the issue.

Carsten also brought up the point of false positives in the reports and 
how they are growing. Last night, noticed one on Exploit-DB that they 
confirmed as valid but 'step 2' speaks volumes: 
http://exploit-db.com/exploits/14793/. We also had a discussion about 
another (PuTTY) and if it was valid. I posited that if I could write a DLL 
into the same directory as putty.exe, why not just replace the .exe. He 
tested and confirmed that on XP, a user could not overwrite another user's 
file, but could write into the directory it was installed in. That makes 
the PuTTY posting valid (exploit-db 14796).

Also ran into another where the vendor was told "your product is 
vulnerable to this". The vendor realized that an older version of the 
product was (technically), the current product was not, and that the old 
version was only vulnerable because it used QT which is vulnerable.

I believe that we will keep seeing these, but perhaps not as fast as I 
thought. I'd imagine we're also going to see several more of these false 
reports, and they may be more prone to being missed because every VDB is 
under extra strain keeping up with the flood.

More information about the VIM mailing list