Rundll32.exe - To Permit or not?

Discussion in 'ProcessGuard' started by TopperID, Dec 20, 2004.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Is there any general agreement on what to do about Rundll32.exe - should it be set to 'Permit Always' or on a case by case basis?

    If I set it to 'Permit Once' I have two pop-ups from PG on every boot-up, so I am wondering if the risk of allowing it to run is great enough to justify the (admittedly minor) inconvenience.

    Perhaps it would be simpler just to allow Rundll32.exe carte blanche and then, if one is concerned about the nature of sites being visited, change the setting to 'Once' for the duration of that surfing session.

    Any thoughts on this? o_O
     
  2. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    I had the process rundll32.exe being run on my system and it was opening video popups advertising music... came with this really annoying bumblebee noise and the bee flying about the window... every time I opened IE. Nothing would identify it (Ad-Aware or Spybot), I had to look for it in the processes window... then one day it disappeared... thank god... it was driving me mental!!!!

    No idea what I did though... sorry!!

    Griogair
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I have it set to permit once as it usually only gives me one pop up.

    As you say, it may be wise to switch it to permit once if you visit many unknown sites or do P2P etc.

    Cheers. Pilli :)
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I tried setting rundll32.exe to "permit once", but rundll32.exe is called to run pretty frequently on my PC, so I set it back to "permit always".

    I just have the default settings in PG's protection for rundll32.exe, with no additional privileges, but sometimes rundll32.exe may need additional privileges (install services and access memory) or else you could get some alerts from PG, or some BSODs. However, I am electing to not give rundll32.exe any additional privileges other than the defaults.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    With me rundll32.exe likes to install Global Hooks, I am allowing it to do so in case it causes problems if I refuse.

    I also get fairly frequent pop-ups from PG if I set rundll32.exe to 'Permit Once'; on balance I think it is better to have it at 'Permit Always' and then simply downgrade it to 'Once' whilst surfing in uncharted or potentially dangerous waters. That would involve less work on the whole.

    I'm still not clear though what the likely risk of rundll32.exe is; if you are preventing DLL injection what is the threat? Can a website execute malicious code on your machine using rundll32.exe if you merely click on something?
     
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    The problem is that rundll32 is not just a program, it's a mechanism for starting many programs....

    It needs more consideration and special treatment so that the "real" program being run is dealt with rather than the rundll32 invoking stub.

    Seeing as the current version of PG is deficient in this way, I have done what Jason has and set it to permit once, and I look at the parameters that rundll is being invoked with.

    It's fairly obvious that the process of "looking at the parameters" is potentially prone to error and should be taken care of in a more repeatable and automated way.... let's see if DCS reach the same conclusion and produce an enhancement to match.

    I get rundll32 prompts all the time, from things like inserting a removable harddisk, running control panel applets and a few other places where I wasn't expecting it to be invoked

    I think that VX2 makes use of rundll32, but it has to have started running before it can do so, a prompt "might" give cause for thought (assuming you read the command line every time)
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  8. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi kareldjag, I looked at the link, but I don't know why you think that "permit always" for rundll32 isn't a dangerous combination of trusted application and scriptable malware.
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Kareldjag,
    To understand why rundll32 is a generic mechanism for running code in DLLs (that are designed to be called in this way), have a read of Microsoft KB 164787

    You can find it at http://support.microsoft.com/?kbid=164787

    Have a good christmas :D
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, but PG is set to block Registry DLL injection, so am I to take it that 'non-Registry' DLL (whatever that might be!) or, alternatively, legitimate DLL can be used in a threatening way against you merely by clicking on a web page? And if so, how?

    If alien DLL can be used against you, is it really fair to say PG blocks DLL injection - or is it that certain types of DLL use are blocked while others are not?

    Phew, this is taxing my limited neuronal capacity! o_O :rolleyes: o_O
     
    Last edited: Dec 23, 2004
  11. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    TopperID,
    You said earlier that you allow rundll32 to install global hooks...
    Rundll32 can run arbitrary code from a "nasty" dll that has been hidden in some software that you are installing
    This means that you can have the situation where a non-trusted application has the means to set a global hook (because you allowed it)

    The simple solution to the problem is :
    - don't allow rundll32 to "execute always"
    - don't give rundll32 any special privileges by default
    - live with having to read a few prompts every now and again

    I'm sure you have read the fairly common response questioning "why" you are installing program X in the first place. From a pragmatic point of view you would have to be unlucky to get a trojan lurking in something that you download from a major distribution site (as long as it has been there for at least a week or two)
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Right, so the nasty DLL is able to run and make use of the 'Hooks' feature - but, apparently, this applies only when I am installing software (the very time I am at my most cautious). What about surfing, does it have any effect then?

    But this all begs the question - in what sense can PG be said to block DLL injection if Rundll can be used to run alien DLL in this way? Does it just mean that other processes are prevented from utilizing nasty DLL but not Rundll? If the latter is the case then I think it should be made patently clear in PG's instructions so that we all understand it.

    At the moment, and taking account of what was said above, it still seems more trouble free and acceptable to have Rundll set to 'Permit' and only downgrade it when carrying out a 'hazardous' procedure.
     
    Last edited: Dec 23, 2004
  13. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    It comes down to the meaning of the word injection: PG blocks an already executing process from having code "injected" into it.

    We are discussing unintended/unwanted side effects as a result of running a program (in this case an installation program) that can make use of a user's choices to bypass some of the protection offered by PG (i.e. a smoking gun pointing at your foot :eek: )

    It's something to be aware of... I wouldn't lose sleep over it, just change the settings so it isn't an issue.

    When you are surfing if PG prompted you to run a program that you didn't initiate yourself, I'm guessing that you would probably choose to deny it and that would stop it without having to worry about this
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Setting it to 'permit once' isn't going to do much good if you don't know what any of the command line arguments mean and always hit 'allow' anyway. In which case you might as well set it to always permit and restrict the allow options as much as possible. Setting it to 'permit once' means you have to pay attention and make an effort to acquaint yourself with program/system DLLs, but it can be worth it. If not, PG still stands as a strong layer of security.

    Hopefully DCS can give this process some special attention at some point, but programs like PG ultimately put the intelligence mechanism at the keyboard, rather than trying to make all the decisions for you.. that's why I like programs like PG.
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You bet!!! :) :D ;)
     
  16. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    HELLO

    There are many vulnerabilities in RunDLL32.exe reported by Secunia, Bugtraq or Securiteam (buffer overflow, many kinds of code injection...).

    Some leaktest or virus use it (Sircam or Mota).



    I've tested my firewall myself with the "Rundll FWB Method".

    Abtrusion Protector for example records Rundll files and considers them as safe and trusted files.

    The "problem" with firewall applications like PG, SSM or Viguard is that it's up to the user to decide what should be blocked or permitted.

    If I run an application on a command line, I permit once.
    If the rundll executable runs "itself" I'll surely block it once!

    I don't want to spend my time wondering what I have to block or permit.

    There are also some methods and utilities that could help PG users to take a decision:

    *Monitoring in real time the integrity of Rundll applications,
    *monitoring all API requests loaded by processes and DLLs...
    Until next time.

    Nice Christmas!
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The same logic applies to whatever we do in life I'm afraid :)
    When is it really safe to cross the road?
    Is this site safe to visit?
    etc. etc. etc....

    Risk assessment is a serious business in which we are all involved in our daily lives - virtual & real world.

    ProcessGuard and most other security applications cannot and should not make the final decision for you, it is all part of being a free and thinking human being.

    The seasons greetings and peace to you. :)
     
  18. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pilli,
    That's a bit harsh mate, the problem here is one of presentation and having to make the same decision over and over again.

    It really is a no-brainer in my opinion, simply that something was left out and should be added in

    It shouldn't be a major technical issue to treat each rundll invocation (with its command line parameters) as a separate program invocation from a permission to execute and elevated privileges point of view.

    The question then becomes do you go beyond the basics of just treating each invocation differently and checksumming the dll being called in addition to rundll32 ... that would probably require a much bigger change to the way that the program works seeing as it is probably hardcoded to have one checksummed binary per entry

    Merry Xmas

    NB: Jason sorry if I'm making incorrect assumptions about your programming, just taking a best guess considering how I would have coded something like this and assuming that you are following good programming practices :)
     
    Last edited: Dec 24, 2004
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, maybe I was a bit harsh :) and I am sure that Jason will try & address these problems for future editions, at least for unwanted or unnecessary repetition.

    Cheers. Pilli
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hello,

    The more we give "carte blanche" to trusted applications ("allow"), the easier it is to execute malicious code in those applications.

    It's not only RunDLL32 that can be corrupted, but all of Windows!

    Shatter attacks, for example, are one of the best methods used by hackers to bypass any access control in Windows (API call vulnerabilities).

    It's difficult to elaborate a method for checking the integrity of any source of Windows messages.

    And we can't spend our time wondering if an application is loaded by malicious code or by the Windows kernel.

    We find PG so great that we want to see it more powerful.
    More powerful, yes; perfect, surely not (does perfection really exist?).

    The developer's work is like the work of Sisyphus: each time the work has to be done again and again.
    That's one of the keys to approaching perfection...

    Au revoir ;)
     
  21. Dieter Bressem

    Dieter Bressem Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    36
    Location:
    Germany
    Never allow !

    Hi all,

    after 3 days online I did a reboot and TDS shows me that the Autostart has been changed. I started CODESTUFF STARTER and saw that there was a new entry belonging to "NewDotNet Startup" using RUNDLL32 to download and install its code.
    I checked PG and saw that I enabled RUNDLL32 to allow driver /services.
    All are right, saying that RUNDLL32 is able to download everything (I still don't know where the installation comes from)
    Now I can highly recommend to set RUNDLL32 to permit once.

    Regards
    Dieter
     
  22. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Dieter,
    I am sure that Jason will be giving this his considered thought when he's back again....

    I'm not sure if you noticed, but Andreas1 has incorporated tips on rundll into his informational webpage as a way of using PG to get better security.

    There have been rundll threats in the wild for a while now, it's not exactly that complicated to make a dll so that it can be called by rundll and then it can be embedded into a hacked installer.

    At least with PG protecting your programs, your firewall and AV won't have been terminated (assuming you set them up with secure message handling)

    It sounds like you could benefit from a registry monitor, do a search on this site for "registry monitor" there are several threads that beat the issue to death.. try them all and see which one you prefer
    At least that way you will find out about the additional startup entry *prior* to the reboot
     
  23. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    just a funny one...

    here is just a "funny" example of what rundll32.exe did try to do in there, a few days ago : " rundll32.exe shell32.dll,shcreatelocalserverrundll { ... } " :eek:

    CREATELOCALSERVER !!! :eek: . Effectively, I saw a lot of open ports in Port Explorer, during a few seconds, but hopefully, it didn't work ! :rolleyes:

    Just to say that I think rundll32.exe should be allowed once, as most of you did say here ;) ...

    Cheers
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Given the heavy use of RunDLL by Windows it would seem that having the option of "Permit with these parameters" in the Execution Protection prompt would be a possible fix. Then RunDLL could be allowed automatically with "known good" situations (like opening a Control Panel icon) while still triggering a prompt when used for other things.
     
  25. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I definitely agree with Paranoid and others on the customization parameters option.

    I don't give rundll32.exe any extra rights beyond read. I have to allow it to do other things like install drivers on occasion, but only with the initial set up of some ATI drivers; I always take its rights away when done. It asks when opening some ATI display property panels but I notice no side effects of blocking the requests after the initial setup.

    I had set it to permit once, but it quickly became very annoying and I set it back. It seems a ton of things use rundll32.exe. But after reading some of this I set it back to permit once.

    BUT......It's getting on my nerves again so I know I'll set it back to permit always soon.

    I 'd like to customise and allow some things like the control panel, desktop display properties, system options etc but ask on all others.
     