Windows: restricting the DLL search path, and a case in point

Discussion in 'other security issues & news' started by mechBgon, Mar 2, 2013.

Thread Status:
Not open for further replies.
  1. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    First off, the real-world case, in which a harmless digitally-signed file from nVidia is used to foist a malicious .DLL by abusing the DLL search order: http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/

    As a defense-in-depth measure, consider changing the DLL search rules on Windows to a more restrictive method. If you have software that can't handle this change, you can make exceptions on a case-by-case basis.

    To make these changes, you'll need to be comfortable editing the Registry. Before you start, it would be advisable to

    1) back up your data, bookmarks, contacts and settings. The Windows Easy Transfer tool is one way to get most of that, assuming it's in conventional locations.

    2) create a System Restore point

    3) know how to boot your version of Windows in Safe Mode, and how to use System Restore in a worst-case scenario. I haven't had any serious problems, but it seems prudent.


    Now run Regedit.exe as an Administrator and go to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\.

    http://www.mechbgon.com/build/cwdillegal_1.PNG
    (above) Right-click on Session Manager and create a new DWORD named CWDIllegalInDllSearch.

    http://www.mechbgon.com/build/cwdillegal_2.PNG

    Double-click on your new DWORD and change the value to FFFFFFFF (eight Fs), then click OK. You'll see it as 0xffffffff when done.

    So far, so good. Reboot and make sure no immediate show-stopping problems occur with your startup programs. Now run your software programs and note whether they have problems getting launched, to begin with.

    If you find a program that's not tolerant of your new blanket DLL-search policy, you can make an exception for that particular .EXE by going to
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Right-click on Image File Execution Options and create a new key with the exact name of the .EXE file that's giving you trouble, then create a DWORD within that key named CWDIllegalInDllSearch and change the value to 0 (for the least restrictive option) or 2 to restrict WebDAV and UNC paths but nothing else (probably safe).

    http://www.mechbgon.com/build/cwdillegal_3.PNG

    In the bigger picture, my first line of defense against this would be Software Restriction Policy + LUA, which would block the .EXE and its bogus .DLL if they were launched in the context of a non-Admin, whether it's by the user, or by an exploit that gets the user's level of privilege. But defense in depth never hurt anything :)
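    The same registry changes as a PowerShell script, added here as an example (this is not code from mechBgon's post or site; the key paths, value name and the three values 0xFFFFFFFF / 2 / 0 are the ones given in the post, while the function names, the friendly option names and the `legacyapp.exe` exception name are my own, hypothetical choices):

```powershell
# Added example: apply the CWDIllegalInDllSearch hardening from the post above
# using PowerShell instead of Regedit. Run from an elevated (Administrator) prompt.
#
# Values the post describes:
#   0xFFFFFFFF  remove the current working directory from the DLL search order
#   2           block DLL loads from WebDAV and UNC paths only
#   0           stock Windows search order (no restriction)

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

# The PowerShell hex literal 0xFFFFFFFF evaluates to the Int32 -1; the registry
# provider stores that Int32 as the DWORD 0xffffffff the post asks for, which
# sidesteps the UInt32-to-Int32 overflow you would hit passing 4294967295.
$PolicyValues = @{
    RemoveCwd       = -1   # 0xFFFFFFFF
    BlockRemoteOnly = 2
    Default         = 0
}

function Get-CwdPolicyPath {
    param([string]$ExeName)
    # No ExeName: the system-wide setting under Session Manager.
    # With ExeName (e.g. 'setup.exe'): a per-program override under
    # Image File Execution Options, as the post describes for exceptions.
    if ($ExeName) { Join-Path $IfeoKey $ExeName } else { $SessionManagerKey }
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RemoveCwd', 'BlockRemoteOnly', 'Default')]
        [string]$Policy,
        [string]$ExeName
    )
    $path = Get-CwdPolicyPath -ExeName $ExeName
    # The IFEO subkey for a program does not exist until you create it.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $ValueName -Value $PolicyValues[$Policy] `
        -PropertyType DWord -Force | Out-Null
}

function Get-CwdDllSearchPolicy {
    param([string]$ExeName)
    $path = Get-CwdPolicyPath -ExeName $ExeName
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    # {0:x8} renders the Int32 -1 as ffffffff, matching what Regedit shows.
    '0x{0:x8}' -f $item.$ValueName
}

function Remove-CwdDllSearchPolicy {
    # Back the setting out again, system-wide or for one program, for instance
    # while running an installer that will not tolerate it.
    param([string]$ExeName)
    $path = Get-CwdPolicyPath -ExeName $ExeName
    Remove-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
}

# Usage, mirroring the post's steps (reboot after the system-wide change):
#   Set-CwdDllSearchPolicy -Policy RemoveCwd
#   Get-CwdDllSearchPolicy                        # shows 0xffffffff once set
#   Set-CwdDllSearchPolicy -Policy BlockRemoteOnly -ExeName 'legacyapp.exe'  # hypothetical exception
#   Get-CwdDllSearchPolicy -ExeName 'legacyapp.exe'   # shows 0x00000002
#   Remove-CwdDllSearchPolicy -ExeName 'legacyapp.exe'
```

    Two things to keep in mind: the value is only honoured on Windows builds that include Microsoft's KB2264107 update (it shipped as a separate update for XP, Vista and Windows 7 RTM and is built into later releases), and `Get-CwdDllSearchPolicy` reads the Registry rather than asking the loader, so it confirms what you wrote, not what a running process currently sees; the reboot the post calls for is still needed for the system-wide value.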
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I suppose not, but in this case of loading an unauthorized executable, if one has enough confidence in the first line of defense, the Registry-editing thing seems like a lot of trouble -- to this user, anyway!

    Nice solution, though.

    regards,

    -rich
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    This user as well :) Still, thanks for the idea, mechBgon!

    BTW, I used your Step 6 SRP tip from your site in the HIPS component of Jetico firewall to govern the user-writable locations within the protected directories of XP :thumb:
     
  4. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Glad to hear that info was useful :) The NSA gets full credit for the info in Step 6, their guide (PDF) is the source for that auditing technique.
     
  5. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Does anyone have a link(s) to an Applocker equivalent of the excellent 8-step SRP related instructions MechBgon has published?

    I have Win 7 Ultimate and am a relative noob, so would like to make sure I wouldn't make any mistakes in translation to Applocker. I have family members that I need to configure a fairly restrictive/resilient system for.

    Thanks.

    EDIT:

    Found this...

    https://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7

    Hopefully that covers the same ground.
     
    Last edited: May 3, 2013
  6. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    Has anyone done this and had trouble with NVIDIA drivers installing? I just had a problem where I could not install the new driver. Of course I first assumed there was an issue with the new driver itself, but I tried 3 different versions and nothing would work. Finally I remembered I had done this, so I deleted the registry key and the driver installed fine.

    It's not a difficult workaround (now that I know), but I was wondering if anyone else had this problem.
     