Opened 8 years ago
Closed 8 years ago
#11269 closed Bug report (rejected)
DLL Injection Attack
Reported by: | mahendradhodi | Owned by: | Me |
---|---|---|---|
Priority: | high | Component: | FileZilla Client |
Keywords: | DLL Injection | Cc: | |
Component version: | 3.25.2 | Operating system type: | Windows |
Operating system version: | Windows 10 |
Description
Description:Found DLL injection in the FileZilla Client Version 3.25.2, successfully injected dllinject.dll into the filezilla process address space.
On successful execution of the attack, temp file is created into E drive as I have written the same logic in the dllinject.dll.
Impact: On successful execution of DLL injection attack, an attacker can create windows user or other malicious activity as I have performed the text file creation.
Remediation: You can prevent this attack by hooking LoadLibrary. In your hook you check against a list of DLL names that you know are part of the process and that may be loaded, or you can check against a list of known DLLs you don't want to load.
When you find a DLL you don't want to load SetLastError(ERROR_ACCESS_DENIED) then return NULL.
That will stop the DLL from loading.
Change History (3)
comment:1 by , 8 years ago
Status: | new → moreinfo |
---|
comment:2 by , 8 years ago
Status: | moreinfo → new |
---|
Please find below steps to reproduce the attack.
STEP 1 : Get the FileZilla Client Process ID using program written in C++.
STEP 2 : Get the full path of the inject.dll to CreateRemoteThread program.
STEP 3 : Allocate some memory in the process for the loading of our inject.dll
STEP 4 : Write the name of the inject.dll to our new allocated space.
STEP 5 : Execute the code using CreateRemoteThread which allows loading of inject.dll file using LoadLibraryA function into the FileZilla Client process.
comment:3 by , 8 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
CreateRemoteThread
There's your problem. As long as this function exists, one cannot protect against a hostile process from injecting arbitrary stuff.
Imagine I were to hook LoadLibrary. The first thing the injected thread would do is to unhook LoadLibrary before calling it.
Please contact Microsoft to have this function removed from Windows.
Please provide complete and detailed instructions how to reproduce this.