Wednesday, August 25, 2010

DLL Hijacking - my test cases on a default HP notebook installation - CyberLink products vulnerable

CyberLink products appear to be vulnerable. The CyberLink tools (such as Power2Go) are present in the default installation of the HP 64-bit notebook (with Microsoft Windows 7). I have checked and tested the proof of concept generated by dllhijacking. The products are:

- CyberLink PowerDirector v7
- CyberLink Power2Go DVD v6.0

The issue is triggered with the iso, pdl, pds, p2g and p2i file formats, and the DLL requested by the applications is mfc71loc.dll or mfc(nationality)71.dll. Exploitation doesn't require copying the fake DLL into the application folder (like many other issues released nowadays) but simply placing it in the current directory from which the "data" files are loaded, for example a USB flash drive, a compressed archive and so on. IMHO, the problem is not related to big vendors or to well-known tools and applications (Adobe Reader, Office and so on); instead it is very critical in all circumstances where users don't know what they have on their notebook. I mean the large number of notebooks across the world full of not-so-well-known software that may be exploited in this manner.
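A defensive check for the condition described above, as an added example that is not part of the original post: it walks a directory tree (an extracted archive or a removable drive) and reports every folder in which one of the listed data-file types sits next to a DLL with one of the requested names. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# File types the post reports as triggers, and the DLL names it reports being requested.
DATA_EXTS = {".iso", ".pdl", ".pds", ".p2g", ".p2i"}
# mfc71loc.dll plus localized satellites; both name orders are accepted because
# the post writes "mfc(nationality)71.dll" while MFC ships names like mfc71enu.dll.
DLL_RE = re.compile(r"^mfc(71[a-z]{3}|[a-z]{3}71)\.dll$", re.IGNORECASE)


def find_planted_dlls(root):
    """Return sorted (directory, dll, [data files]) for every directory under
    root that holds a matching DLL next to at least one trigger data file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = sorted(f for f in files if DLL_RE.match(f))
        data = sorted(f for f in files
                      if os.path.splitext(f)[1].lower() in DATA_EXTS)
        if dlls and data:
            findings.extend((dirpath, dll, data) for dll in dlls)
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout standing in for an extracted archive or USB drive."""
    layout = {
        "holiday": ["trip.p2g", "MFC71LOC.DLL"],                # data file + DLL: flagged
        "project": ["movie.pds", "mfc71enu.dll", "notes.txt"],  # flagged
        "tools": ["mfc71loc.dll"],                              # DLL but no data file
        "images": ["disc.iso", "readme.dll"],                   # unrelated DLL name
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for directory, dll, data in find_planted_dlls(build_sample_tree(tmp)):
            print(f"{directory}: {dll} sits beside {', '.join(data)}")
```

A hit is a reason to inspect the DLL before opening any data file from that folder, not proof that the DLL is malicious.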

From the CyberLink web site (http://www.cyberlink.com/stat/volume-license/enu/index.jsp):

"CyberLink, a maker of the world-acclaimed DVD player software PowerDVD, also designs multimedia solutions for well-known brands such as DELL, HP, ACER, Medion, Packard Bell, and Dixons, to name a few. PowerDVD can help organizations achieve their business goals with powerful, yet easy-to-use video solutions, and now comes with a Volume License Program to better serve corporate, academic, government, and non-profit customers. Millions of licenses have already been granted to major organizations every year—all of them recognizable household names" .


The following screenshot shows the exploits generated by the dllhijacking script:

2 comments:

  1. Bentley MicroStation 7.1, Nero 8.2.8.0, QuickTime PictureViewer 7.6.5 vulnerable to DLL hijack attack.
