Nearly 300 Windows 10 executables vulnerable to DLL hijacking

guest · Jun 27, 2020

Nearly 300 Windows 10 executables vulnerable to DLL hijacking
June 27, 2020
https://www.bleepingcomputer.com/ne...s-10-executables-vulnerable-to-dll-hijacking/

A simple VBScript may be enough to allow users to gain administrative privileges and bypass UAC entirely on Windows 10.

In a new report from a PwC UK security researcher Wietze Beukema, we learn that almost 300 Windows 10 executables are vulnerable to DLL hijacking.

“It turns out nearly 300 executables in your System32 folder are vulnerable to relative path DLL Hijacking. Did you know that with a simple VBScript some of these EXEs can be used to elevate such executions, bypassing UAC entirely?” explained Beukema.
The various techniques of DLL hijacking covered by the Beukema's blog post include DLL replacement, DLL Proxying, DLL search order hijacking, Phantom DLL hijacking, DLL redirection, WinSxS DLL replacement, and relative path DLL Hijacking.
Click to expand...

He added, “these are not mere theoretical targets, these are tested and confirmed to be working. The list comprises 287 executables and 263 unique DLLs.”
A CSV with a complete list of these libraries has been provided via GitHub.

Note, the attack explained here may not work with all Windows builds, as highlighted in a Twitter thread.
Click to expand...

Hijacking DLLs in Windows

DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
Click to expand...

Minimalist · Jun 27, 2020

I was looking for more info about UAC bypass and found my answer in last sentence:

UAC mode to ‘Always notify’, one level higher than the default, will prevent this and other similar UAC bypass techniques from succeeding.
Click to expand...

Rasheed187 · Jun 27, 2020

Minimalist said: ↑

I was looking for more info about UAC bypass and found my answer in last sentence:
Click to expand...

To be honest, I have always wondered if this "DLL Hijacking" thing is a big issue or not, I wonder what malware uses this technique. I believe Online Armor was one of the few HIPS that monitored this stuff.

Log in or Sign up

Nearly 300 Windows 10 executables vulnerable to DLL hijacking

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

Log in or Sign up

Nearly 300 Windows 10 executables vulnerable to DLL hijacking

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

Useful Searches