Breakthrough Technique: New DLL Search Order Hijacking Variant Bypasses Windows 10 and 11 Protections

admin, 3 January 2024, 11:02:49


Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.


The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.


In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as observed in the past.


DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escalation.


Specifically, attacks exploiting the technique single out applications that do not specify the full path to the libraries they require, and instead, rely on a predefined search order to locate the necessary DLLs on disk.


Threat actors take advantage of this behavior by moving legitimate system binaries into non-standard directories that include malicious DLLs that are named after legitimate ones so that the library containing the attack code is picked up in place of the latter.



This works because the process loading the DLL searches the directory it is executing from first, and only then walks through the other locations in a fixed order to locate and load the requested library. In other words, the search order is as follows:

  1. The directory from which the application is launched

  2. The folder "C:\Windows\System32"

  3. The folder "C:\Windows\System"

  4. The folder "C:\Windows"

  5. The current working directory

  6. Directories listed in the system's PATH environment variable

  7. Directories listed in the user's PATH environment variable
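As an added example (not code from the article or from Security Joes), the following Python models the seven-step order above and reports where a DLL request would resolve for a binary hosted under WinSxS, flagging any resolution outside the Windows directory tree. The WinSxS folder name, user paths and file set are constructed placeholders; the real loader also consults the KnownDLLs list and already-loaded modules before this search, which the model omits.

```python
from pathlib import PureWindowsPath

# Positions 2-4 of the search order described in the article
# (SafeDllSearchMode enabled, so the current directory comes fifth).
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")
# Resolution anywhere under the Windows directory (WinSxS included) is treated as trusted.
TRUSTED_ROOTS = ("c:\\windows\\",)

def search_order(app_dir, cwd, system_path, user_path):
    """Candidate directories in the order the loader consults them."""
    return [app_dir, *SYSTEM_DIRS, cwd, *system_path, *user_path]

def resolve_dll(dll_name, app_dir, cwd, system_path, user_path, files_on_disk):
    """Full path the loader would pick for dll_name, or None if no copy exists.
    files_on_disk is a set of full paths standing in for the real file system."""
    present = {p.lower() for p in files_on_disk}
    for directory in search_order(app_dir, cwd, system_path, user_path):
        candidate = str(PureWindowsPath(directory) / dll_name)
        if candidate.lower() in present:
            return candidate
    return None

def is_hijack_risk(resolved):
    """True when the winning copy lives outside the Windows directory tree."""
    return resolved is not None and not resolved.lower().startswith(TRUSTED_ROOTS)

# Constructed scenario (placeholder names, not a real WinSxS folder): a binary hosted
# under WinSxS is started with a user-writable working directory that holds two DLLs.
APP_DIR = r"C:\Windows\WinSxS\placeholder_component_dir"
CWD = r"C:\Users\alice\Downloads\staging"
FILES = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Downloads\staging\kernel32.dll",     # loses: System32 is searched first
    r"C:\Users\alice\Downloads\staging\missing_dep.dll",  # wins: no copy in any system directory
}

def demo():
    """Resolve three requests and report (path, risk) for each."""
    system_path = [r"C:\Windows\System32\WindowsPowerShell\v1.0"]
    user_path = [r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps"]
    results = {}
    for name in ("kernel32.dll", "missing_dep.dll", "absent.dll"):
        path = resolve_dll(name, APP_DIR, CWD, system_path, user_path, FILES)
        results[name] = (path, is_hijack_risk(path))
    return results

if __name__ == "__main__":
    for name, (path, risk) in demo().items():
        print(f"{name:16} -> {path}  risk={risk}")
```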

The novel twist devised by Security Joes targets files located in the trusted "C:\Windows\WinSxS" folder. Short for Windows side-by-side, WinSxS is a critical Windows component that's used for the customization and updating of the operating system to ensure compatibility and integrity.


"This approach represents a novel application in cybersecurity: traditionally, attackers have largely relied on well-known techniques like DLL search order hijacking, a method that manipulates how Windows applications load external libraries and executables," Ido Naor, co-founder and CEO of Security Joes, said in a statement shared with The Hacker News.


"Our discovery diverges from this path, unveiling a more subtle and stealthy method of exploitation."


The idea, in a nutshell, is to find vulnerable binaries in the WinSxS folder (e.g., ngentask.exe and aspnet_wp.exe) and combine them with the regular DLL search order hijacking method by placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to achieve code execution.


As a result, simply executing a vulnerable file in the WinSxS folder by setting the custom folder containing the rogue DLL as the current directory is enough to trigger the execution of the DLL's contents without having to copy the executable from the WinSxS folder to it.


Security Joes warned that there could be additional binaries in the WinSxS folder that are susceptible to this kind of DLL search order hijacking, necessitating that organizations take adequate precautions to mitigate the exploitation method within their environments.


"Examine parent-child relationships between processes, with a specific focus on trusted binaries," the company said. "Monitor closely all the activities performed by the binaries residing in the WinSxS folder, focusing on both network communications and file operations."
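To make the monitoring advice above concrete, here is an added Python example (not from the article or from Security Joes) that applies three heuristics to constructed Sysmon-style process-create and image-load events: a WinSxS-hosted binary running with a working directory outside the Windows tree, one whose parent process is not a Windows binary, and one that loads a DLL from outside the Windows tree. The event fields, paths and PIDs are constructed for the example, not real telemetry.

```python
import re

# Path classes used by the heuristics (case-insensitive, drive-letter agnostic).
WINSXS = re.compile(r"^[a-z]:\\windows\\winsxs\\", re.I)
WINDOWS_TREE = re.compile(r"^[a-z]:\\windows\\", re.I)

# Constructed events in a Sysmon-like shape (EventID 1 = process create,
# EventID 7 = image load); paths and PIDs are made up for the example.
EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Windows\WinSxS\placeholder_component_dir\sample.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\staging",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "ProcessId": 4100,
     "Image": r"C:\Windows\WinSxS\placeholder_component_dir\sample.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\staging\dep.dll"},
    {"EventID": 7, "ProcessId": 4100,
     "Image": r"C:\Windows\WinSxS\placeholder_component_dir\sample.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 4200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CurrentDirectory": r"C:\Users\alice",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def analyze(events):
    """Return (rule, pid, detail) findings for processes whose image lives in WinSxS."""
    findings = []
    for event in events:
        if not WINSXS.match(event.get("Image", "")):
            continue  # only WinSxS-hosted binaries are in scope for these rules
        pid = event["ProcessId"]
        if event["EventID"] == 1:
            cwd = event.get("CurrentDirectory", "")
            if not WINDOWS_TREE.match(cwd):
                findings.append(("winsxs_cwd_outside_windows", pid, cwd))
            parent = event.get("ParentImage", "")
            if not WINDOWS_TREE.match(parent):
                findings.append(("winsxs_untrusted_parent", pid, parent))
        elif event["EventID"] == 7:
            loaded = event.get("ImageLoaded", "")
            if not WINDOWS_TREE.match(loaded):
                findings.append(("winsxs_dll_from_untrusted_dir", pid, loaded))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

These heuristics will also fire on some legitimate activity, so treat them as a starting point to tune against your own baseline rather than a finished rule set.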


Originally published on the WeChat public account 知机安全: Breakthrough Technique: New DLL Search Order Hijacking Variant Bypasses Windows 10 and 11 Protections

Posted by admin on 3 January 2024, 11:02:49. Please keep the link to this article when reposting (CN-SEC中文网; thanks to the original author): http://cn-sec.com/archives/2355364.html
