DLL Hijacking (KB 2269637) – the unofficial list | Corelan Cybersecurity ResearchCorelan Cybersecurity Research

DLL Hijacking (KB 2269637) – the unofficial list

Published August 25, 2010 |

This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself.

If you have found other applications to be vulnerable and want to add them to the list, send me a mail.

Please note that I will not list instances where you have to replace a dll in the application folders. I do not consider those examples to be valid cases of dll hijacking. (after all, if you have to replace a dll, you might as well replace the executable itself)

You can use the list below to build a GPO / custom adm file /.reg file, and alter the default dll loading behaviour for those applications, as explained here : http://support.microsoft.com/kb/2264107. I highly recommend looking at that page & implement the workaround (in conjunction with other suggested workarounds, such as disabling Webclient service, blocking outbound smb traffic, blocking propfind method on proxy servers, etc)

In addition to this, if you installed the workaround suggested by Microsoft, you can now use the Microsoft FixIt Tool to further refine settings. You must have installed the CWDIllegalInDllSearch utility prior to using FixIt.

How to audit ?

If you want to test your own applications, have a look at this and this post on the metasploit blog. Make sure to grab the latest version of the audit package here or use svn update on your metasploit installation (and then copy the zip file from the external/source folder to the windows system you want to audit)

b0telh0 made a small video, demonstrating the use of the audit kit, and how it can lead to an exploit : http://www.vimeo.com/14442659

Alternatively, you can use DllHijackAuditor. It was developed to overcome some of the limitations of the DllHijackAuditkit. More info about this tool can be found here. I highly recommend running this tool on your systems as well.

Potentially vulnerable applications :

Application	Version
>>> ADOBE
Adobe Captivate (cp, cpt, cprr, cptl, fcz, rd, rdt) (winpens.dll)	3
Adobe Dreamweaver (mfc90loc.dll, mfc90ptb.dll(lang-dependent))	CS4 (<= 10.0 build 4117) CS5 (<= 11.0 build 4909)
Adobe ExtendedScript Toolkit (dwmapi.dll)	CS5 v3.5.0.52
Adobe Extension Manager (mxi,mxp) (dwmapi.dll)	CS5 v5.0.298
Adobe Photoshop (wintab32.dll)	CS2
Adobe Fireworks	CS3, CS4 and CS5
Adobe Device Central (qtcf.dll)	CS5
Adobe Illustrator (ait, eps) (aires.dll)	CS4 v14.0.0
Adobe On Location (olproj) (ibfs32.dll)	CS4 build 315
Adobe Indesign (indl, indp, indt, inx) (ibfs32.dll)	CS4 v6.0
Adobe Premier (pproj, prfpset, prexport, prm, prmp, prpreset, prproj, prsl, prtl, vpr) (ibfs32.dll)	Pro CS4 314
Adobe Audition (audition.exe) (cdl, cel, dbl, dwd, pcm, sam, ses, smp, svx, vox) (assist.dll, ff_theora.dll, quserex.dll, skl_drv_mpg.dll)	3.0.7283.0 (Win7 x64)
>>> ALLADIN
Aladdin eToken PKI Client (etc, etcp) (wintab32.dll)	5.0.0.65
>>> AlTools
AlZip (all associated archive file formats) (mfc90.dll, propsys.dll)*	<= 8.0.6.3
AlSee (ani, bmp, cal, hdp, jpe, mac, pbm, pcx, pgm, png, psd, ras, tga, tiff) (patchani.dll)	<= 6.20.0.1
>>> APPLE
Safari (dwmapi.dll)	<= 5.0.1
Quicktime Player (mac, pic, pntg, qtif) (cfnetwork.dll, corefoundation.dll)	<= 7.64.17.13
>>> ARCHICAD
ArchiCAD (srcsrv.dll)	13.0
>>> AVAST
Avast! (license file .avastlic) (mfc90loc.dll)	<= 5.0.594
>>> AVISCREEN
Aviscreen Pro (just a lnk file to the app will do) (iccvid.dll, ir32_32.dll, yuv_32.dll, msrle32.dll, msvidc32.dll, msyuv.dll, tsbyuv.dll, iacenc.dll, tsbyuv.dll)	3.1
>>> BITMANAGEMENT
BS Contact VRML/X3D (bskey, bswrl, bxwrl, j2k, jp2, vrml, wrl, wrz, x3dvz, x3dv, x3dz, x3d) (d3dref9.dll, siappdll.dll)	<= 7.218
>>> BRAVA
Brava PDF Reader (csf, pdf, sid, tiff, tif, xdl, xps) (dwmapi.dll)	<= 3.3.0.18
>>> BREAKPOINT
HexWorkshop (pe932d.dll, pe936d.dll, pegrc32d.dll)	6.0.1.460.3
>>> BS.Player
BS.player (mp3) (mfc71loc.dll, ehtrace.dll)	<= 2.56
>>> CAMTASIA
Camtasia Studio (cmmp,cmmtpl,camproj,camrec) (dwmapi.dll)	<= 6 build 689
Camtasia Studio (mfc90.dll)*	7
>>> CDISPLAY
CDisplay (cba, cbr, cbt, cbz) (trace32.dll)	1.8.10
>>> CELFRAME
CelFrame Office Write (doc) (java_msci.dll, msci_java.dll)	Office Suite 2008
CelFrame Office Spreadsheet (xls) (java_msci.dll, msci_java.dll)	Office Suite 2008
CelFrame Office Publisher (sla) (wintab32.dll)	Office Suite 2008
CelFrame Office Draw (odg) ((java_msci.dll, msci_java.dll)	Office Suite 2008
CelFrame Office Photo Album (plx) (wintab32.dll)	Office Suite 2008
>>> CISCO
Cisco Packet Tracer (pkt, pkz) (wintab32.dll)	5.2
>>> CITRIX
Citrix ICA Client (ica) (pncachen.dll, wfapi.dll)	<= v9.0.32649.0
>>> COREL
Corel Draw (cmx,csl) (crlrib.dll)	<= X3 v13.0.0.576
Corel PhotoPaint (cpt) (crlrib.dll)	<= X3 v13.0.0.576
>>> CYBERLINK
PowerDirector (iso, pdl, p2g, p2i) (mfc71.dll)*	7
Power2Go DVD (iso, pdl, p2g, p2i) (mfc71.dll)*	6
>>> DAEMON TOOLS
DAEMON Tools Lite (mdf, mds, mdx) (mfc80loc.dll)	4.35.6.0091
>>> DVDFAB
DVDFab Platinum (dvdfab5, dvdfabplatinum5, dvdfabgold5, dvdfabmobile) (quserex.dll)	5.2.3.2
*DVDFab (dvdfab6, dvdfab2, dbdfabfilemover)* (dwmapi.dll,mfc90.dll,nvcuda.dll,quserex.dll)*	7.0.4.0
>>> E-PRESS
E-Press ONE Office Author (psw) (java_mcsi.dll, mcsi_java.dll)
E-Press ONE Office E-NoteTaker (txt) (mfc71.dll)*
E-Press ONE Office E-Zip (rar, tar) (mfc71.dll)*
>>> GDOC
gDoc Fusion (dwfx, jtx, pdf, xps) (wintab32.dll, ssleay32.dll)	<= 2.5.1
>>> GUIDANCE
Encase (endump) (rsaenh.dll)	<= 6.17.0.90
>>> ETTERCAP	<= NG 0.7.3
Ettercap (wpcap.dll)
>>> EZBSYSTEMS
Ultra ISO (daemon.dll)	Premium 9.36
>>> FORENSIC TOOLKIT
Forensic Toolkit (ftk)	<= v1.8.1.6
>>> FOTOBOOK
Fotobook Editor (dtp) (fwpuclnt.dll)	5.0 v2.8.0.1
>>> GFI
GFI Backup (gbc,gbt) (armaccess.dll)	2009 Home Edition
>>> GILLES VOLLANT
WinImage (bzw, dsk, img, imz, iso, vfd, wil, wlz) (wnaspi32.dll)	8.0.0.8000 (win7 x64)
>>> GOOGLE
Google Chrome (chrome.dll)	latest
Google Earth (kmz) (quserex.dll)	<= v5.1.3535.3218
>>> HTTRACK
WinHTTrack Website Copier (whtt) (mfc71enu.dll, mfc71loc.dll)	3.43-7
>>> IBM
Lotus Notes client (ndl,ns2,ns3,nsf,nsg,nsh,ntf) (kernel32.dll)	5.0.12
IBM Rational License Key Administrator (upd) (ibfs32.dll)	< 7.0.0.0 (fixed in 7.0.0.0)
Lotus Symphony Office Suite (odm, odt, otp, stc, stw, sxg, sxw) (eclipse_1114.dll)	<= 3 beta 4
>>> IDM COMPUTER SOLUTIONS
UltraEdit (bin, cpp, css, c, dat, hpp, html, h, ini, java, log, mak, php, prj, txt, xml) (dwmapi.dll)	<= 16.10.0.1036
>>> INKSCAPE
Inkscape (svgz) (quserex.dll)	<= 0.48.0 r9654
>>> INTERVIDEO
Intervideo WinDVD (cpqdvd.dll)	5
>>> INTUIT
Quickbooks (des,qbo,qpg) (dbicudtx11.dll, mfc90enu.dll, mfc90loc.dll)	Pro 2010
>>> IZARC
IZArc (all archive formats) (ztv7z.dll)	<= 4.1.2
>>> JUNIPER / NCP
NCP Secure Client (pcf, spd, wge, wgx) (dvccsabase002.dll, conman.dll, kmpapi32.dll)	<= 9.23.017
NCP Secure Entry Client (pcf, spd, wge, wgx) (conman.dll, dvccsabase002.dll, kmpapi32.dll, ncpmon2.dll)	<= 9.23.017
>>> KEEPASS
KeePass Password Safe (kdb) (bcrypt.dll)	<= 1.15 (fixed in 1.18)
KeePass Password Safe (kdbx) (dwmapi.dll, bcrypt.dll)	<= 2.12 (fixed in 2.13)
>>> KINETI
Kineti Count (kcp) (dwmapi.dll)	1.0 beta
>>> KINGSOFT
Kingsoft Office Writer (doc, rtf) (plgpf.dll)	2010
Kingsoft Office Presentation (ppt) (lpgpf.dll)	2010
Kingsoft Office Spreadsheets (xls) (plgpf.dll)	2010
>>> MAXTHON
Maxthon Browser (htm, html, mhtml) (dwmapi.dll)	2.5.15.1000 Unicode
>>> MEDIAMONKEY
Mediamonkey (apl, fla, m4b, mmip, mp+, mpp) (dwmapi.dll)	3.2.0.1294
>>> MEDIA PLAYER
Mediaplayer Classic mpc (all formats) (iacenc.dll)	<= 1.3.2189.0
Media Player Classic (3gp, 3gp2, flv, m4b, m4p, m4v, mp4, spl) (ehtrace.dll, iacenc.dll)	<= v6.4.9.x
>>> MICROCHIP
mplab IDE (mcp,mcw) (mfc71.dll)*	8.43
>>> MICROSOFT
MS Powerpoint (odp,pot,potm,pptx,ppt,ppa,pps,ppsm,ppsx,pptm,pwz,sldm,sldx) (2003 : ophookse4.dll) (pptimpconv.dll, pp7x32.dll,rpawinet.dll) – verified on 32 & 64bit	2003 2007 2010
MS Word (docx) (rpawinet.dll)	2007
MS Virtual PC (vmc) (midimap.dll)	2007
Ms Visio (vtx – 2003, vss – 2010) (2003 – mfc71enu.dll, 2010 – dwmapi.dll)	2003 2010
MS Office Groove (wav, p7c) (mso.dll)	2007
MS Windows Mail (nws) (wab32res.dll)
MS Windows Live Email (eml,rss) (dwmapi.dll, peerdist.dll)	<= 14.0.8089.726
MS Movie Maker (flv, icon, mkv, mqv, mswmn, ogg, qt, wlmp) (hhctrl.ocx)	<= 2.6.4038.0
MS Vista Backup Manager (.wbcat) (fveapi.dll)
MS Internet Connection Signup Wizard (smmscrpt.dll)	latest
MS Internet Communication Settings (isp) (schannel.dll)	latest
MS Group Convertor (grp) (imm.dll)	latest
MS Clip Organizer (mpf) (twcgst.dll)	<= 11.8164.8324 (XP SP3)
MS Clip Book Viewer (mfaphook.dll)
MS Snapshot viewer (snp) (mfc71enu.dll, mfc71loc.dll)	11
Windows Program Group / grpconv.exe (grp) (imm.dll)	latest
MS Windows Address Book wab.exe/Contacts (wab, p7c, contact, group, vcf) (wab32res.dll)	XP, Vista silently patched on Win7
MS RDP Client (rdp) (dwmapi.dll – Win7, ieframe.dll – XPSP3)	v6.1.7600.16385 (Win7) v6.0.6001.18000 (XP SP3)
MS Visual Studio devenv.exe (cur, rs, rct, res) (NULL.dll)	2008
wscript (jse) / (js, vbs) (wshfra.dll) (traceapp.dll)	XP version
MS Windows Media Encoder (prx) (wmerrorenu.dll, winietenu.dll, asferrorenu.dll)	9.00.00.2980
MS ATL Trace Tool (atltracetool8.exe) (trc) (dwmapi.dll)	10.0.30319.1
MS DirectShow SDK Filter Graph Editor (grf) (ehtrace.dll, measure.dll)	10.0.0.0 (Win7 x64)
MS Help & Support Center (wshfra.dll)
MS Live Writer (wpost) (peerdist.dll)	<= 14.0.8089.726
>>> MOOVIDA
Moovida Media Player (f4v, flv, img, dv) (libc.dll, quserex.dll)	<= 2.0.0.15
>>> MOZILLA
Firefox (htm, html, jtx, mfp, shtml, xaml) (dwmapi.dll)	<= 3.6.8 (fixed in 3.6.9 and 3.5.12)
Mozilla Thunderbird (eml,html) (dwmapi.dll)	3.1.2 (fixed in 3.1.3)
>>> MUVEE
Muvee Reveal (rvl) (peerdist.dll)	7.0.43 build 11502
>>> NETSTUMBLER
NetStumbler (ns1) (mfc71enu.dll, mfc71loc.dll)	0.4.0
>>> NITRO
Nitro PDF Reader (pdf) (dwmapi.dll, nprender.dll)	fixed in 1.3
>>> NOKIA
Nokia Suite ContentCopier (wintab32.dll)
Nokia Suite Communication Centre (wintab32.dll)
>>> NOTEPAD++
Notepad++ (shtml, css, inc, inf, ini, log, scp, wtx, shtml) (scinlexer.dll)	5.7 (fixed in 5.8)
>>> NUANCE
Nuance PDF (pdf) (dwmapi.dll, exceptiondump.dll)	<= 6.0
>>> NULLSOFT
Winamp (669,aac,aiff,amf,au,avr,b4s,caf,cda) (wnaspi32.dll, dwmapi.dll)	5.581
Winamp (b4s, m3u8, m3u, pls) (wnaspi32.dl)	5.5.8.2985 (Win7 x64)
>>> NVIDIA
NVidia Driver (tvp) (nview.dll)	latest
>>> OMNIPEEK
Omnipeek Personal (pkt, wac) (mfc71loc.dll)	4.1
>>> OPERA
Opera (htm, html, mht, mhtml, xht, xhtm, xhtl) (dwmapi.dll)	<= 10.61
Opera widgets (wgt)
>>> ORACLE
Java Web Start (javaw.exe) (jnlp) (schannel.dll)	1.6 update 21
>>> PGP
PGP Desktop (pgp) (credssp.dll)	<= 9.8
PGP Desktop (p12,pem,pgp,prk,prvkr,pubkr,rnd,skr) (tsp.dll, tvttsp.dll)	<= 9.10 <= 10.0.0
>>> PIXIA
Pixia (pxa) (wintab32.dll)	3.1j
>>> PUTTY
putty (winmm.dll)	0.60
>>> QT WEB
QtWeb (htm, html, mhtml, xml) (wintab32.dll)	<= 3.3 b043
>>> QCCIS
Forensic CaseNotes (notes) (credssp.dll)	<= 1.3.2010.6
>>> REAL
Real Player (wnaspi32.dll)	<= 1.1.5 build 12.0.0.879
>>> RIM / BLACKBERRY
Blackberry Desktop Manager (mapi32x.dll)	<= 6.0.0 (fixed in 6.0.0.43)
>>> ROXIO
Roxio Photosuite (homeutils9.dll)	9
Roxio MyDVD (dmsd,dmsm) (homeutils9.dll)	9
Roxio Creator DE (homeutils9.dll)	<= 9.0.116
Roxi Central (c2d,cue,gi,iso,roxio) (homeutils10.dll, dlaapi_w.dll, sonichttpclient10.dll, tfswapi.dll)	3.6
>>> SEAMONKEY
SeaMonkey (html, xml, txt, jpg) (dwmapi.dll)	<= 2.0.6 (fixed in 2.0.7)
>>> SI SOFTWARE
SiSoft Sandra (dwmapi.dll)
>>> SMPLAYER
SMPlayer (wintab32.dll)	0.6.9
>>> STEAM
Steam Games (steamgamesupport.dll)
>>> SOMUD
SoMud P2P (torrent) (wintab32.dll)	<= 1.2.8
>>> SONY
Sound Forge Pro (mtxparhvegaspreview.dll)	10.0
>>> SORAX
Sorax PDF Reader (pdf) (dwmapi.dll)	<= 2.0
>>> SKYPE
Skype (wab32.dll)	<= 4.2.0.169
>>> SWEETSCAPE
010 Editor (lsc,bt,hex,s19,s28,s37) (wintab32.dll)	3.1.2
>>> TEAMMATE
Teammate audit mgmt software suite (mfc71enu.dll)	v8
>>> TEAMVIEWER
Teamviewer (tvc, tvs) (dwmapi.dll)	<= 5.0.8703 (patched in 5.1.9072)
>>> TECHSMITH
TechSmith Snagit (.snag) (dwmapi.dll)	<= 10 build 788
TechSmith Snagit accessories (results)	latest
TechSmith Snagit profiles (snagprof)	latest
>>> TORTOISE
Tortoise SVN (all registered filetypes) (dwmapi.dll)	v1.6.10 (b19898)
>>> TRACKER SOFTWARE
PDFXChange Viewer (pdf) (wintab32.dll)	<= 2.0 (b54.0)
>>> ULTRA
Ultra VNC Viewer (vnc) (vnclang.dll)	<= 1.0.6.4
>>> uTORRENT
uTorrent (userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, rpcrtremote.dll) .torrent (plugin_dll.dll)	<= 2.0.3 / <= 2.0.3 (fixed in 2.0.4 (b21431))
>>> VIDEOLAN
VLC media player (mp3) (wintab32.dll)	<= 1.1.3 (fixed in 1.1.4)
>>> VIRTUAL DJ
Virtual DJ (mp3) (hdjapi.dll)	6.1.2
>>> WINMERGE
WinMerge (mfc71.dll)*	2.12.4
>>> WIRESHARK
Wireshark (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…) (airpcap.dll, tcapi.dll)	<= 1.2.10 (patched in 1.4)
dumpcap (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…) (airpcap.dll, tcapi.dll)	<= 1.2.10 (patched in 1.4)

Want to contribute ?

If you want to contribute, send the application name, version, and file extension to peter.ve[at] corelan.be

Thanks to the people who have contributed so far : EdiStrosar, 0xjudd, xanda, Dinosn, saintanthony, PieterDanhieux, Lofi, Mark Crowther, h4ck3r#47,_coreDump, ikki, diwr, LiquidWorm, Nikhil Mittal, Chris Anderson, FInverse, Chris John Riley, nullthreat, Aung Khant, SafetyFirstXL125, spot, Classity, Jacky Jack, guelfoweb, Kervala, m1k3, Glafkos Charalambous, extraexploit, Nagareshwar Talekar, Anastasios Monachos, Antisecurity, Oliver Wege

Other info

http://support.microsoft.com/kb/2389418

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://support.microsoft.com/kb/2264107

Posted in 001_Security, Exploits | Tagged 2269637, 3-0-csl-2264107, applications, camtasia-studio-res-dll, corel-draw-wow64-official-site, corelan-be, corelean-buffer-overflow, dll, dll hijack, dll hijacking, download-kb-2269637, hijack, hijack-dll-guid, j2k-dll-dll, kb2269637, lotus-notes-address-book-hijacked, metasploit-windows-7-home-premium-6-1, pvefindaduser-exe, vulnerable, windows-7-home-premium-metasploit

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::