Opened 2 years ago

Closed 2 years ago

#11269 closed Bug report (rejected)

DLL Injection Attack

Reported by: mahendradhodi Owned by: Me
Priority: high Component: FileZilla Client
Keywords: DLL Injection Cc:
Component version: 3.25.2 Operating system type: Windows
Operating system version: Windows 10

Description

Description:Found DLL injection in the FileZilla Client Version 3.25.2, successfully injected dllinject.dll into the filezilla process address space.
On successful execution of the attack, temp file is created into E drive as I have written the same logic in the dllinject.dll.

Impact: On successful execution of DLL injection attack, an attacker can create windows user or other malicious activity as I have performed the text file creation.

Remediation: You can prevent this attack by hooking LoadLibrary. In your hook you check against a list of DLL names that you know are part of the process and that may be loaded, or you can check against a list of known DLLs you don't want to load.
When you find a DLL you don't want to load SetLastError(ERROR_ACCESS_DENIED) then return NULL.
That will stop the DLL from loading.

Change History (3)

comment:1 Changed 2 years ago by Tim Kosse

Status: newmoreinfo

Please provide complete and detailed instructions how to reproduce this.

comment:2 Changed 2 years ago by mahendradhodi

Status: moreinfonew

Please find below steps to reproduce the attack.

STEP 1 : Get the FileZilla Client Process ID using program written in C++.
STEP 2 : Get the full path of the inject.dll to CreateRemoteThread program.
STEP 3 : Allocate some memory in the process for the loading of our inject.dll
STEP 4 : Write the name of the inject.dll to our new allocated space.
STEP 5 : Execute the code using CreateRemoteThread which allows loading of inject.dll file using LoadLibraryA function into the FileZilla Client process.

comment:3 Changed 2 years ago by Tim Kosse

Resolution: rejected
Status: newclosed

CreateRemoteThread

There's your problem. As long as this function exists, one cannot protect against a hostile process from injecting arbitrary stuff.

Imagine I were to hook LoadLibrary. The first thing the injected thread would do is to unhook LoadLibrary before calling it.

Please contact Microsoft to have this function removed from Windows.

Note: See TracTickets for help on using tickets.