BugTraq
Re: OLE DB Provider for Oracle multiple DLL side loading vulnerabilities Feb 11 2016 04:05PM
Securify B.V. (lists securify nl)

On 11-02-16 14:14, Stefan Kanthak wrote:
> "Securify B.V." <lists (at) securify (dot) nl [email concealed]> wrote:
>> Microsoft released MS16-014 that fixes this vulnerability.
> Such vulnerabilities can be exploited without Office or OLE
> (see "Example 7" of <http://seclists.org/fulldisclosure/2013/Jun/123>):
>
> [snip]
>
> Instead of a VBScript you can of course use JScript too:
> new ActiveXObject("MSDAORA")
> Both the VBScript and JScript can be wrapped into a *.WSF instead
> of a *.VBS or *.JS.
>
> A *.HTA or *.HTM (to be opened with Internet Explorer) which contains
> the following snippet can also be used:
>
> <OBJECT CLASSID="CLSID:E8CC4CBE-FDFF-11D0-B865-00A0C9081C1D">
> </OBJECT>

Hi Stefan,

Thank you for your insight and you are absolutely right. If I can force
*any* application in loading the affected object, that application may
be subject to DLL hijacking. Office is just an attack vector here.

The point is that a DOCX is somewhat trusted (if we ignore the whole
macro thing). If I can trick someone to open a malicious VBS/JS/HTA it
is basically game over.

In case of a DOCX I can put it on a network share. If a victim opens the
DOCX from this share, Word will use the share as the current working
directory. Thus I can put the hijacked DLL in the same share. It is even
possible to hide the DLL using file attributes or if the attacker
controls the share (Webdav, Samba) remove the DLL from the directory
listing.

With regards to Internet Explorer, the current working directory is most
of the times the user's Desktop, which makes it harder to exploit. You
need something like the Safari Carpet Bomb or have the user save the DLL
for you.

Best,

Yorick

>> On 16-12-15 19:27, Securify B.V. wrote:
>>> ------------------------------------------------------------------------

>>> OLE DB Provider for Oracle multiple DLL side loading vulnerabilities
>>> ------------------------------------------------------------------------

>>> Yorick Koster, August 2015
>>>
>>> ------------------------------------------------------------------------

>>> Abstract
>>> ------------------------------------------------------------------------

>>> Multiple DLL side loading vulnerabilities were found in the OLE DB
>>> Provider for Oracle. These issues can be exploited by loading various
>>> OLE components as an embedded OLE object. When instantiating the object
>>> Windows will try to load the DLLs oci.dll, and ociw32.dll from the
>>> current working directory. If an attacker convinces the user to open a
>>> specially crafted (Office) document from a directory also containing the
>>> attacker's DLL file, it is possible to execute arbitrary code with the
>>> privileges of the target user. This can potentially result in the
>>> attacker taking complete control of the affected system.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus