Wednesday, August 25, 2010

DLL Hijacking - my test cases on a default HP notebook installation - CyberLink products vulnerable

CyberLink products appear to be vulnerable. The CyberLink tools (such as Power2Go) are part of the default installation of the HP 64-bit notebook (with Microsoft Windows 7).
I have checked and tested the proof of concept generated by the dllhijacking script. The products are:

- CyberLink PowerDirector v7
- CyberLink Power2Go DVD v6.0

The issue is triggered by the iso, pdl, pds, p2g and p2i file formats, and the DLL requested by the applications is mfc71loc.dll or mfc(nationality)71.dll. Exploiting it does not require copying a fake DLL into the application folder (as with many other issues released nowadays): the DLL simply has to sit in the current directory from which the "data" file is loaded, for example a USB flash drive, a compressed archive and so on. IMHO, the problem is not about big vendors or well-known tools and applications (Adobe Reader, Office and so on); it is very critical in all the circumstances where users don't know what they have on their notebook. I mean the large number of notebooks across the world full of not-so-well-known software that may be exploited in this manner.
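As an added example (not from the original post, and not CyberLink's or HD Moore's code), a small Python triage script that walks a removable drive or an extracted archive and flags the combination described above: one of the reported DLL names sitting in the same folder as a .iso/.pdl/.pds/.p2g/.p2i file. The folder and file names in the sample tree are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Data file types the post reports as triggering the DLL load.
TRIGGER_EXTENSIONS = {".iso", ".pdl", ".pds", ".p2g", ".p2i"}

# DLL names the post reports being requested from the data file's directory:
# mfc71loc.dll, or a localized mfc<locale>71.dll (two or three letters;
# "mfcenu71.dll" below is a constructed example of that form).
HIJACK_DLL_PATTERN = re.compile(r"^mfc(?:71loc|[a-z]{2,3}71)\.dll$", re.IGNORECASE)


def find_planted_dlls(root):
    """Return [(dll_path, [trigger files])] for every directory under `root`
    that holds a matching DLL next to at least one trigger data file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = [f for f in files if HIJACK_DLL_PATTERN.match(f)]
        triggers = sorted(f for f in files if Path(f).suffix.lower() in TRIGGER_EXTENSIONS)
        if dlls and triggers:
            findings.extend((os.path.join(dirpath, d), triggers) for d in sorted(dlls))
    return findings


def build_sample_tree(base):
    """Constructed sample layout: one planted-DLL folder and two benign ones."""
    layout = {
        "usb/holiday": ["movie.p2g", "MFC71LOC.DLL"],  # DLL beside a trigger file
        "usb/docs": ["notes.txt", "mfcenu71.dll"],      # DLL but no trigger file
        "usb/images": ["backup.iso", "mfc71.dll"],      # not one of the reported names
    }
    for rel, names in layout.items():
        folder = Path(base, rel)
        folder.mkdir(parents=True)
        for name in names:
            (folder / name).write_bytes(b"")
    return Path(base, "usb")


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_planted_dlls(build_sample_tree(tmp))


if __name__ == "__main__":
    for dll, triggers in run_demo():
        print(f"possible planted DLL: {dll} (next to {', '.join(triggers)})")
```

Point `find_planted_dlls` at the mount point of a USB stick or the folder an archive was extracted to; only folders that combine a trigger file with one of the reported DLL names are reported.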

From the CyberLink web site (http://www.cyberlink.com/stat/volume-license/enu/index.jsp):

"CyberLink, a maker of the world-acclaimed DVD player software PowerDVD, also designs multimedia solutions for well-known brands such as DELL, HP, ACER, Medion, Packard Bell, and Dixons, to name a few. PowerDVD can help organizations achieve their business goals with powerful, yet easy-to-use video solutions, and now comes with a Volume License Program to better serve corporate, academic, government, and non-profit customers. Millions of licenses have already been granted to major organizations every year—all of them recognizable household names."


The following screenshot shows the exploits generated by the dllhijacking script:

DLL Hijacking - my test cases

One of my test case lists on a VM system.


Sorry, you may have found a bug.... (in Fiddler)

Playing with the HD Moore tools for DLL hijacking stuff (Exploiting DLL Hijacking Flaws), I found this interesting result on one of my VMs:

I don't know if I have time to spend on a deep investigation of this possible Fiddler bug... but in some cases side effects are your best friends.