In 2023, according to a study published by Qualys, a total of 26,447 vulnerabilities were recorded, marking a milestone as the year with the largest number of vulnerabilities published in history. With the goal of entering 2024 with a renewed awareness of the importance of cybersecurity, it is crucial to be aware of the new threats that have emerged.
Although DLL hijacking is a long-standing vulnerability, a recent study by SecurityJoes has identified a new variation of this technique. This variant takes advantage of the binaries present in the WinSxS Folder, which expands the possibilities for potential attackers.
WinSxS folder:
The WinSxS folder is a critical component of the system, since it is where Windows stores the files for the updates that are installed, the backup copies and restore points that the computer automatically generates every time a new application is installed. That is why the content of this folder usually increases over time, thus expanding the attack surface. It is usually located in the “C:\Windows\WinSxS” directory.
Dynamic Link Libraries (DLL):
DLLs are files that contain executable code and parts of software that can be used by different applications at the same time. These files, in the Windows ecosystem, allow the reuse of functions and resources by different programs without the need to replicate the code, which optimizes memory use and facilitates software development.
DLL hijacking capitalizes on the natural method by which Windows programs find and access Dynamic Link Libraries (DLLs). This process follows a specific order to locate the required DLLs:
1. The directory where the application is run from
2. The C folder: Windows Syste m32
3. The C: Windows Syste m folder
4. The C: Windows folder
5. The current working directory
6. Directors listed in the system PATH environment variable.
7. Directors listed in the user's PATH environment variable.
When an attacker manages to load a malicious DLL with the same name as a legitimate dynamic library and this malicious version is found earlier in the search sequence than the authentic version, the application loads the malicious DLL. This can lead to arbitrary code execution, allowing the attacker to perform actions such as establishing a reverse shell, providing unauthorized remote access to the compromised system. Windows, in its default configuration, does not perform an authenticity check on DLLs before loading them.
Compared to traditional methods that involve uploading a malicious executable file, in this case several malicious executables present in the WinSxS folder are exploited for DLL hijacking. This technique prevents privilege escalation in order to inject malicious code, since legitimate system resources are used. An additional advantage of this new approach is that it is more likely to go unnoticed by system antivirus and raise alerts, since legitimate system executables are used to carry out malicious actions, which reduces the possibility of detection by generating less suspicious activity.
If you found this an interesting topic, we leave you a link on how to evade AMSI using DLL Hijacking and if you want to review basic concepts about DLL Hijacking you can also do it.
Xuquiang Liu Xu, Pentester Jr. at Zerolynx.
