NewVersionTester

DLL Hijacking vulnerability

5 posts in this topic




Share this post


Link to post
Share on other sites
16 hours ago, spudw2k said:

I'm sure this is an issue with a galaxy of software applications; nothing unique to AutoIt.

true; but the fact that everyone's a fool doesn't mean you should be one too.

when you run your AutoIt compiled software in production environment, where security is an issue (especially when you have a pedant CISSO on your back), this issue requires at least minor attention. luckily, if you develop a software with AutoIt and deploy it, you can mitigate the issue quite easily - even if only in a formal manner - like this:

regarding compiled AutoIt scripts: if they are part of an installed program (i.e. they reside in a protected folder, like Program Files) you need do nothing.

if designed to run as portable, just issue a warning in your website/documentation/EULA or wherever users are bound to see it: "do not launch app.exe directly from the download location; instead, create a new folder, copy or move app.exe to that folder. and launch it from there."

as for the AutoIt & SciTE installers - similar notice can be placed on the download page.

now, all these are formal means of mitigation; they work by putting the responsibility of security in the users' hands. surprisingly, this is actually acceptable by common security norms.

however, if the AutoIt dev team wishes to provide a technical solution, it should not be that hard - make autoit3.exe load DLL's in non-default path order, i.e. first use the ones located in Windows installation path, and than use the ones in the exe path. this link has relevant info.

anyways, as for the AutoIt & SciTE installers - i think the mentioned notice is sufficient. you install AutoIt very rarely (compared to running a script, native or compiled), so i don't think messing with it is worthwhile.

Share this post


Link to post
Share on other sites
3 hours ago, orbs said:

now, all these are formal means of mitigation; they work by putting the responsibility of security in the users' hands. surprisingly, this is actually acceptable by common security norms.

Of course it is.  Certainly a company must take measures when are where they can without inhibiting the user, but the best way to protect your users is to educate them how to protect themselves.  Now a disclaimer that no one reads when they login to a system...that's not what I'm talking about.  That's just for legal purposes; i'm talking about actual user awareness training.  Much in the same way, a disclaimer on a website only has the value of CYA measure for the software dev.  

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Similar Content

    • Dent
      By Dent
      @Blueman @Damein
      Dear all,
      I couldn't find anything that related exactly to what I'm trying to achieve although I did find some examples from the two people I've tagged in which has gotten me so far.
      I understand this topic could be a contentious issue and perhaps that's why there's no threads that I could find that relate directly to it. If the subject is taboo then I'll completely understand it if this thread is deleted.
      I want to write a program that periodically posts the IP address and Geo/GPS location data to me some way e.g. ftp/POST/email - the back-story is below.
      Ok so recently I had a computer stolen from my office, the actual value of the computer is very low as it was 10 years old and just for basic office tasks. Whilst the important files were backed up I never got around to automating this process so I lost a couple of weeks work when it was stolen.
      Anyway, this computer was used mainly by one employee and as I wouldn't be at the office a lot of the time I would use VNC to help when they got stuck with a particular task. As the IP was dynamic I found the dynamic DNS solutions supported by the router not to be very reliable so I wrote a small AutoIt program that called the dynamic DNS update link every 15 minutes, this program was in the Start Menu -> Programs -> Start Up folder and worked fine. This computer was a desktop box with no Wifi so was connected via Ethernet.
      As the accounts on the machine are password protected, whoever ends up with the box is likely to format the HD and put a fresh OS on there so this program is unlikely to run again which is a shame because as it's a desktop box with no Wifi I could use the IP address to give to the Police who could get the users name and address by matching who that IP was assigned to at that time. This is very unlikely to be a coffee shop etc.
      So I'm a lot more security and disaster recovery minded now and have replaced that box with a laptop that the staff member can take home with them each day and it automatically backs up to OneDrive upon log in.
      I've put VNC and the dynamic DNS AutoIt program on there but as this is a laptop with Wifi it's obviously very portable and can be used to get online from more locations.
      What I want to do is create another program that gets the device location as well as the IP and sends it to me every 15 minutes or so. I'd plan to put this program in a Guest account that has no password so if this laptop were ever stolen the next user would actually be able to log in and this program would run. Even better would be for this program to be started as a service so it runs before logging in to an account, just like VNC does. Being a laptop it could be used by a thief or other unauthorised user in a coffee shop etc.
      The solution I have explored so far is have a local .htm file that is opened via AutoIt program which when it has loaded displays the latitude and longitude of the machine, the program then saves this to a file with IP address and date/time stamp and sends it to me somehow (I'll probably implement multiple ways of it notifying me just in case of firewalls). The instance of IE would load minimized and quit after the lat/long is read; as it is such a small page running locally this all happens very quickly so is hard for any user to detect and cancel/intercept.
      My only problem with this implementation is I can't find a way for the page to start the script and obtain the location without user interaction (clicking Allow). I know why this is like this, because it could be used to spy on peoples location so could be open to mis-use.
      So perhaps there is a better way, programmatically within AutoIt using Google Maps API (which I haven't looked into properly yet) to do this where there is no user interaction required?
      There are probably commercial applications to do just this (similar to FindMyiPhone) but I've not investigated the availability of those for Windows and don't see how such a commercial application would be any less open to mis-use so why not create my own little app if possible and avoid the cost.
    • usmiv4o
      By usmiv4o
      #cs ---------------------------------------------------------------------------- AutoIt Version: 3.2.4.3 Author: usmiv4o Script Function: AutoIt script to check if files in directory are changed. It is usefull for security contra-inteligense measures. Function Name: LoadTripwireDB() Description: Loads database (text file tripwire.txt) and compare files in /test folder for changes. compares Hash (MD5) checksums. If they are not the same starts Initial() Function Name: Initial() Description: Checks directory and makes index of files and their MD5 checksums in text file (tripwire.txt) Function Name: Hush() Description: Checks file and returns its MD5 checksum. Requirement(s): Windows XP Return Value(s): On Success - Returns true. Files are the same as before. On Failure - return false. Example: LoadTripwireDB() #ce ---------------------------------------------------------------------------- #include <Crypt.au3> #include <File.au3> #include <Array.au3> $sDir = @ScriptDir & "\Test" $sFilePath = @ScriptDir & "\tripwire.txt" Func Hush(ByRef $sFile) $sRead = FileOpen( $sFile) $dHash = _Crypt_HashData($sRead, $CALG_MD5) ; Create a hash of the text entered. ConsoleWrite("Hash of file " & $sFile & " is " & $dHash & @CRLF) EndFunc ;ConsoleWrite("Files in Dir are " & $aScriptDir[0] & @CRLF) ;$sFilePath = @ScriptDir & "\Examples.txt" ;_FileWriteFromArray($sFilePath, $aScriptDir, 1) ;_ArrayDisplay($aScriptDir, "1D display") Func Initial() $aScriptDir = _FileListToArray($sDir) for $i = 1 To UBound($aScriptDir) - 1 $dHash = _Crypt_HashData($i, $CALG_MD5) ;ConsoleWrite("File " & $aScriptDir[$i] & " is " & $dHash & @CRLF) ConsoleWrite($aScriptDir[$i] & ":" & $dHash & @CRLF) ;Hush($aScriptDir[$i]) ;FileWrite $hFileOpen = FileOpen($sFilePath, $FO_APPEND) If $hFileOpen = -1 Then MsgBox($MB_SYSTEMMODAL, "", "An error occurred when reading the file.") EndIf FileWrite($hFileOpen, $aScriptDir[$i] & ":" & $dHash & @CRLF) Next EndFunc Func Monitor() $aScriptDir = _FileListToArray($sDir) for $i = 1 To UBound($aScriptDir) - 1 Next EndFunc Func LoadTripwireDB() $comparison_ok = false $dArray = _FileListToArray($sDir) ;directory $dArray0 = UBound($dArray) - 1 $fArray = FileReadToArray($sFilePath) ;file $fArray0 = UBound($fArray) ;_ArrayDisplay($dArray, "files array") if $dArray0 = $fArray0 Then ; are file same as recorded in txt file? ;ConsoleWrite("files in monitoring dir: " & $dArray[0] & " = file recorded: " & $fArray0 & @CRLF & $fArray[0]& @CRLF) for $i = 1 To UBound($dArray) - 1 ;ConsoleWrite("i = " & $i & @CRLF) $dHash = _Crypt_HashData($i, $CALG_MD5) ;binary ;$dHash = BinaryToString($dHash) $ffhash = StringSplit( $fArray[$i-1],":") $fhash = $ffhash[2] ;ConsoleWrite("IsBinary $dHash " & IsBinary($dHash) & @CRLF) if $dHash = $fhash Then ;if compared hashes are equal ;ConsoleWrite($fhash & ":" & $dHash & " equal" & @CRLF) ;ConsoleWrite("File: " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal: yes " & @CRLF) Else ;if compared hashes are not equal ;ConsoleWrite("File: " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal: not " & @CRLF) ;MsgBox(0,"hash md5",$fhash & ":" & $dHash & " not equal") EndIf Next ;ConsoleWrite("hashes are equal" & @CRLF) $comparison_ok = true Else ConsoleWrite("number of files in monitoring dir are not same as recorded" & @CRLF) ConsoleWrite("directory: " & $dArray[0] &":"& "files: " & UBound($fArray) - 1 & @CRLF) EndIf Return $comparison_ok EndFunc #main if LoadTripwireDB() = true Then ConsoleWrite(" hashes are equal " & @CRLF) ElseIf LoadTripwireDB() <> true Then ConsoleWrite(" hashes are not equal " & @CRLF) ConsoleWrite(" hashes are not equal " & @CRLF) Initial() EndIf  
      tripwire.au3
      tripwire.txt
    • Fenzik
      By Fenzik
      ; Title .........: Password
      ; AutoIt Version : 3.3.14.2
      ; Description ...: UDF to work with passwords. Mostly ported from Javascript at http:rumkin.com/tools/password/passchk.php and improved a bit
      ; Author(s) .....: Fenzik + Team Adaptech
      ; #CURRENT# =====================================================================================================================
      ;_Password_Generate
      ;_Password_GetcharsetSize
      ;_Password_GetEntropy
      ;_Password_IsCommonWord
      ;_Password_Startup
      ; ===============================================================================================================================
       
      It's my first UDF so please be nice.:)
       
      If somebody have better idea how to store common dictionary and frequency table please post here...
       
      Have fun!
       
      Fenzik
       
      Password.zip
    • Muhammad_Awais_Sharif
      By Muhammad_Awais_Sharif
      is it a good option to use _Crypt_DecryptData for a small password manager utility for personal use ?
       
    • Codefuser
      By Codefuser
      I am writing an obfuscator currently with quite a few features, as I have found no good obfuscators yet that are complex enough to be nearly impossible to deobfuscate (as of course it is impossible to reach a 100% level of obfuscation where no one can deobfuscate it).
      Current obfuscation methods include flow obfuscation, string encryption, proxy calls, unique renaming scheme (create gibberish WinAPI like name), junk codes, and removing all functions (merging them with the main script), traps to prevent automated deobfuscation, debugger detection, VM detection, moving strings to other parts of scripts (functions, proxy strings, etc), exit if not compiled, file integrity check. Decompile protection is also added (nothing that violates the reverse engineering clause of the ToS, I am using a PE loader with protections built into it.)
      Does anyone have any ideas for more obfuscation methods to add?