Opened 7 years ago
Closed 7 years ago
#11269 closed Bug report (rejected)
DLL Injection Attack
Reported by: | mahendradhodi | Owned by: | Me |
---|---|---|---|
Priority: | high | Component: | FileZilla Client |
Keywords: | DLL Injection | Cc: | |
Component version: | 3.25.2 | Operating system type: | Windows |
Operating system version: | Windows 10 |
Description
Description: Found DLL injection in FileZilla Client version 3.25.2; successfully injected dllinject.dll into the filezilla process address space.
On successful execution of the attack, a temp file is created on the E drive, as I have written that logic into dllinject.dll.
Impact: On successful execution of a DLL injection attack, an attacker can create a Windows user or perform other malicious activity, as I have demonstrated with the text file creation.
Remediation: You can prevent this attack by hooking LoadLibrary. In your hook, check against a list of DLL names that you know are part of the process and may be loaded, or check against a list of known DLLs you don't want to load.
When you find a DLL you don't want to load, SetLastError(ERROR_ACCESS_DENIED) and then return NULL.
That will stop the DLL from loading.
Change History (3)
comment:1 by , 7 years ago
Status: | new → moreinfo |
---|
comment:2 by , 7 years ago
Status: | moreinfo → new |
---|
Please find below the steps to reproduce the attack.
STEP 1 : Get the FileZilla Client process ID using a program written in C++.
STEP 2 : Pass the full path of inject.dll to the CreateRemoteThread program.
STEP 3 : Allocate some memory in the process for loading our inject.dll.
STEP 4 : Write the name of inject.dll into our newly allocated space.
STEP 5 : Execute the code using CreateRemoteThread, which loads inject.dll into the FileZilla Client process using the LoadLibraryA function.
comment:3 by , 7 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
CreateRemoteThread
There's your problem. As long as this function exists, one cannot protect against a hostile process injecting arbitrary stuff.
Imagine I were to hook LoadLibrary. The first thing the injected thread would do is to unhook LoadLibrary before calling it.
Please contact Microsoft to have this function removed from Windows.
Please provide complete and detailed instructions how to reproduce this.