Opening *.txt file is dangerous on Windows (opens in new tab)

(technet.microsoft.com)

372 pointsgaika14y ago46 comments

46 comments

32 comments · 15 top-level

jnorthrop14y ago· 11 in thread

Anyone know how this works? How would a plain .txt file load a dll? In any case this looks like it would be difficult to execute since the text file has to be in the same directory as the dll.

shabble14y ago

A bit of digging around suggests it's a DLL preloading attack which somehow convinces the target apps to load the local directory instance of the dll, rather than the system version.

http://www.crn.com/news/security/226900204/microsoft-warns-u...

has a bit of detail, but not specifically about this attack.

I guess it's conceptually similar to doing something like

    export PATH=.:$PATH; cat foo.txt

where 'cat' is an executable file in the current dir.

The actual linux equivalent would probably involve $LD_LIBRARY_PATH ($DYLD_LIBRARY_PATH on OSX, not sure about other unices).

dguido14y ago

This is called DLL Hijacking and it's a class of flaws that gained prominence on Windows earlier this year. Although I would say that Mandiant discussed the issue first, it was only after HDM practically described the WebDAV and other remote exploit vectors that people started taking it seriously.

https://community.rapid7.com/community/infosec/blog/2010/08/...

http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll...

http://www.n00bz.net/blog/2010/9/15/dll-hijacking-with-metas...

nollidge14y ago

I wonder if Notepad, Wordpad, and maybe Word all call some library (or all have copy/pasted code) that, for whatever reason, looks for a particular DLL in the working folder and executes it?

Not sure how the network drive part would fit into that hypothesis, though.

dfranke14y ago

Windows suffers some famous dain bramage wrt to DLL loading paths: http://unhandledexpression.com/2010/08/23/fixing-the-dll-loa... Basically, even when "safe" DLL loading is turned on, the search path still includes the current directory. I'm guessing that Notepad and friends all look for some (legacy?) DLL that isn't always installed, so if an attacker puts a malicious DLL by its same name in the same path as the file being opened, it'll be loaded and executed. The part about network drives is probably just an assumption about trust boundaries: Microsoft assumes that attacker can't ordinarily put a malicious file in the same local folder that you're opening a text file in, but on a network drive anything goes.

This is all just speculation. I don't code for Windows, and I don't know anything more about this vulnerability than what's stated in the advisory.

baddox14y ago

The article doesn't mention it, but does anyone know if a requirement to reproduce the vulnerability is that the files be opened in Notepad, Wordpad, or Word? What if you used a third-party editor?

2 more replies

sp33214y ago

It's a malicious dll, not a malicious txt. It could be any txt file, as long as the dll is in the right place. So it must be something to do with the search path the program uses to look for dlls.

pavel_lishin14y ago

Doesn't sound too difficult if you're sending someone an archive with both files in it.

sp33214y ago

This only works on remote file systems, so you just have to send someone a link to a text file. There would be no indication that a DLL even exists on the target FS.

1 more reply

bricestacey14y ago

> this looks like it would be difficult to execute since the text file has to be in the same directory as the dll. Seems like a great way to compromise your boss' computer since so many businesses use Windows and networked file systems.

dfranke14y ago

Unless you have an exceptionally paranoid workplace, a much easier way to compromise your boss's computer is just to walk over to it and pop in a livecd after he's gone home for the day.

1 more reply

smackfu14y ago

Yeah, it has to be "an untrusted remote file system location."

peterwwillis14y ago· 3 in thread

The report says this vulnerability is specific to remote network shares and WebDAV. All you have to do is send someone a link to a .txt file on a WebDAV site with a .dll in the same directory, I guess, and they'll be owned... That is pretty awesome.

(As was commented on below, this is identical to an LD_LIBRARY_PATH type exploit on Linux; here is Microsoft's fix as well as an explanation of how it works http://support.microsoft.com/kb/2264107)

Edit: I realize now literally any URL could be a WebDAV site with a text/plain mime type and an exploit DLL in the same dir. So really, every single URL you hit with IE is potentially vulnerable. Have a nice day.

forcefsck14y ago

Except that LD_LIBRARY_PATH is not a type of exploit and shouldn't be mentioned as such.

amalcon14y ago

It would be identical to an exploit wherein some distro, for some reason, included . in the default LD_LIBRARY_PATH. Fortunately, I know of none that do this.

1 more reply

Kliment14y ago

Not in itself, but if you can manage to change it for someone without their awareness you have basically tricked them into running arbitrary (local) code.

2 more replies

jmvoodoo14y ago· 3 in thread

So basically send someone a zip file with a DLL + readme.txt. Most people would avoid the DLL but not think twice about opening the readme. Sounds nasty.

chalst14y ago

It depends upon the DLLs that the default application uses to show the .txt file to the user: the application has to try to install a DLL that is not in the usual places (i.e., system & windows directories and the application directories). So there is likely to be some speculative DLL lookup going on for apparently well-behaving code to be vulnerable to this.

From the description of the vulnerability, it sounds as if the culprit is some code mounting documents over the network, and so just opening a readme.txt in the local directory will not trigger this.

martey14y ago

From the "Mitigating Factors" section of CVE-2011-1991:

"For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application."

Since a ZIP file would extract to a local directory, nothing would happen.

SomeCallMeTim14y ago

If you extracted the TXT+DLL locally, then you'd be vulnerable, because the problem is that the TXT file is the current directory, and something (WordPad and Notepad, maybe, or Explorer itself) is searching for a DLL that doesn't exist elsewhere on the system, and one of the places searched is the current directory.

All the stuff about WebDav being necessary for a successful attack is because they're assuming someone can't drop a DLL onto your system. But if you unzip a package with a README.txt in the same folder as a DLL you would be vulnerable.

wslh14y ago

It remember me of an old stack overflow that I posted just running the command cat: http://seclists.org/bugtraq/1999/Sep/432

Groxx14y ago

I wonder if this was in use (for legitimate uses) by anyone prior to its omg-security-breach discovery, and if their use still works. Quite a few Windows applications look in their folder first for DLLs - checking the loaded-file path could conceivably make the same kind of sense. Or just not accounting for current-directory changes when launching with a file (not entirely sure what the behavior is there).

OWaz14y ago

The description of the vulnerability reminds me a lot about how Stuxnet exploited weaknesses with shortcuts unknowingly loading a malicious dll.

brs14y ago

This reminds me of hacking ANSI.SYS escape sequences back in the day. You could create a text file which would be "executed" when someone entered "type readme.txt" at the DOS prompt, by using keyboard remappings and so on.

I remember creating a fairly unsuccessful "text file virus" that would try to copy itself around our school network and reboot people's machines. Good times...

donpark14y ago

I think this vulnerability is related to WebDAV and SMB, not the DLL/path issue mentioned.

Florin_Andrei14y ago

I wonder if this is still an issue when using a 3rd party editor, such as EditPad, etc.

j_baker14y ago

Has this been fixed since this was posted? Either way, the title is inaccurate now. This is only dangerous if you haven't installed the update.

ecyrb14y ago

details here:

http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-...

recoiledsnake14y ago

It is not dangerous if you install the update. Why is the headline hyping it as if it's an unpatched zero day?

1 more reply

lolabloladd3214y ago

MISLEADING TITLE!

bsnyder14y ago

Isn't everything about Windows considered dangerous anymore? Has there ever been such problem-stricken piece of software?

diegogomes14y ago

Clicking "start" is even more dangerous. Once you start, can you stop?

1 more reply

j / k navigate · click thread line to collapse

46 comments

32 comments · 15 top-level

jnorthrop14y ago· 11 in thread

Anyone know how this works? How would a plain .txt file load a dll? In any case this looks like it would be difficult to execute since the text file has to be in the same directory as the dll.

shabble14y ago

A bit of digging around suggests it's a DLL preloading attack which somehow convinces the target apps to load the local directory instance of the dll, rather than the system version.

http://www.crn.com/news/security/226900204/microsoft-warns-u...

has a bit of detail, but not specifically about this attack.

I guess it's conceptually similar to doing something like

    export PATH=.:$PATH; cat foo.txt

where 'cat' is an executable file in the current dir.

The actual linux equivalent would probably involve $LD_LIBRARY_PATH ($DYLD_LIBRARY_PATH on OSX, not sure about other unices).

dguido14y ago

https://community.rapid7.com/community/infosec/blog/2010/08/...

http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll...

http://www.n00bz.net/blog/2010/9/15/dll-hijacking-with-metas...

nollidge14y ago

I wonder if Notepad, Wordpad, and maybe Word all call some library (or all have copy/pasted code) that, for whatever reason, looks for a particular DLL in the working folder and executes it?

Not sure how the network drive part would fit into that hypothesis, though.

dfranke14y ago

This is all just speculation. I don't code for Windows, and I don't know anything more about this vulnerability than what's stated in the advisory.

baddox14y ago

The article doesn't mention it, but does anyone know if a requirement to reproduce the vulnerability is that the files be opened in Notepad, Wordpad, or Word? What if you used a third-party editor?

2 more replies

sp33214y ago

It's a malicious dll, not a malicious txt. It could be any txt file, as long as the dll is in the right place. So it must be something to do with the search path the program uses to look for dlls.

pavel_lishin14y ago

Doesn't sound too difficult if you're sending someone an archive with both files in it.

sp33214y ago

This only works on remote file systems, so you just have to send someone a link to a text file. There would be no indication that a DLL even exists on the target FS.

1 more reply

bricestacey14y ago

dfranke14y ago

Unless you have an exceptionally paranoid workplace, a much easier way to compromise your boss's computer is just to walk over to it and pop in a livecd after he's gone home for the day.

1 more reply

smackfu14y ago

Yeah, it has to be "an untrusted remote file system location."

peterwwillis14y ago· 3 in thread

(As was commented on below, this is identical to an LD_LIBRARY_PATH type exploit on Linux; here is Microsoft's fix as well as an explanation of how it works http://support.microsoft.com/kb/2264107)

forcefsck14y ago

Except that LD_LIBRARY_PATH is not a type of exploit and shouldn't be mentioned as such.

amalcon14y ago

It would be identical to an exploit wherein some distro, for some reason, included . in the default LD_LIBRARY_PATH. Fortunately, I know of none that do this.

1 more reply

Kliment14y ago

Not in itself, but if you can manage to change it for someone without their awareness you have basically tricked them into running arbitrary (local) code.

2 more replies

jmvoodoo14y ago· 3 in thread

So basically send someone a zip file with a DLL + readme.txt. Most people would avoid the DLL but not think twice about opening the readme. Sounds nasty.

chalst14y ago

From the description of the vulnerability, it sounds as if the culprit is some code mounting documents over the network, and so just opening a readme.txt in the local directory will not trigger this.

martey14y ago

From the "Mitigating Factors" section of CVE-2011-1991:

"For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application."

Since a ZIP file would extract to a local directory, nothing would happen.

SomeCallMeTim14y ago

wslh14y ago

It remember me of an old stack overflow that I posted just running the command cat: http://seclists.org/bugtraq/1999/Sep/432

Groxx14y ago

OWaz14y ago

The description of the vulnerability reminds me a lot about how Stuxnet exploited weaknesses with shortcuts unknowingly loading a malicious dll.

brs14y ago

I remember creating a fairly unsuccessful "text file virus" that would try to copy itself around our school network and reboot people's machines. Good times...

donpark14y ago

I think this vulnerability is related to WebDAV and SMB, not the DLL/path issue mentioned.

Florin_Andrei14y ago

I wonder if this is still an issue when using a 3rd party editor, such as EditPad, etc.

j_baker14y ago

Has this been fixed since this was posted? Either way, the title is inaccurate now. This is only dangerous if you haven't installed the update.

ecyrb14y ago

details here:

http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-...

recoiledsnake14y ago

It is not dangerous if you install the update. Why is the headline hyping it as if it's an unpatched zero day?

1 more reply

lolabloladd3214y ago

MISLEADING TITLE!

bsnyder14y ago

Isn't everything about Windows considered dangerous anymore? Has there ever been such problem-stricken piece of software?

diegogomes14y ago

Clicking "start" is even more dangerous. Once you start, can you stop?

1 more reply

j / k navigate · click thread line to collapse