[Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post bugreports for the Windows version here
BarryG
Addict
Posts: 3205
Joined: Thu Apr 18, 2019 8:17 am

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by BarryG »

I just removed that comment because you provided the zip file now. Thank you!

However, I still can't reproduce it here. My "calc.exe" is in "C:\Windows\System32".

Did you see my Process Monitor snippet? It proves my exe is not touching your custom "uxtheme.dll" file at all; hence no vulnerability. Don't know why my PC is protecting me from using the custom DLL but yours isn't. I use Windows Defender only, but it didn't make a difference when I disabled it as a test.

I notice you didn't hard-code the "calc.exe" path in your DLL... maybe that's why? Try re-compiling it with a hard path so I can test again?
Kukulkan
Addict
Posts: 1348
Joined: Mon Jun 06, 2005 2:35 pm
Location: germany

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by Kukulkan »


I will stop the discussion here now. Thanks to everybody that participated.

I have shown all sources, written all my arguments and provided source code and executables (exe and dll) for your own tests.

If you don't believe me that there's a problem or you cannot reproduce it, then that's okay. Just carry on as you are and relax.

If you believe me or you have seen or reproduced the problem, you might need to either fix the manifest (see my post above) for a temporary(!) workaround or wait until Fred fixes it. Not all executables might be affected, depending on the PB functions used (see my very first post).

I talked to Fred and he will provide a fix. I pay for his effort, which is fine for me. Therefore, for me that is solved.

Thanks!

------------------

PS: Barry, I don't want to keep your question open. This is how it looks for me (exe file from the ZIP). Due to this, I am able to do DLL hijacking with uxtheme.dll and msimg32.dll:

[image]

I don't know why it works for you. I have several systems confirming the issue. Maybe there are other environment factors also affecting this.
BarryG
Addict
Posts: 3205
Joined: Thu Apr 18, 2019 8:17 am

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by BarryG »

Kukulkan wrote: Fri Nov 24, 2023 12:57 pm
> Barry, I don't want to keep your question open
Okay, mate. It's all good. Still friends, right? :shock:
Mijikai
Addict
Posts: 1359
Joined: Sun Sep 11, 2016 2:17 pm

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by Mijikai »

Please just do this:

EnableExplicit

; Returns the directory the named DLL was loaded from in this process,
; or an empty string if the module is not loaded at all.
Procedure.s DllPath(Name.s)
  Protected handle.i
  Protected path.s
  handle = GetModuleHandle_(Name)
  If handle
    path = Space(#MAX_PATH)
    If GetModuleFileName_(handle, @path, #MAX_PATH)
      ProcedureReturn GetPathPart(path)
    EndIf
  EndIf
  ProcedureReturn #Null$
EndProcedure

; Anything other than the Windows system directory means the DLL was
; resolved from somewhere else (for example the application directory).
Debug DllPath("uxtheme.dll")

End
spikey
Enthusiast
Posts: 575
Joined: Wed Sep 22, 2010 1:17 pm
Location: United Kingdom

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by spikey »

I see I'm a bit late now to this discussion but I've been doing some testing this morning and although I can't get the problem to exhibit with uxtheme.dll I can verify the problem with another system DLL. I can verify that the "malicious" code in my hijacked DLL was successfully executed too. (I'm not going to name the DLL publicly though).

Update: I can also now verify that modifying the manifest is a successful workaround too :D
pamen
Enthusiast
Posts: 172
Joined: Sat Dec 31, 2022 12:24 pm
Location: Cyprus

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by pamen »

Kukulkan - you are very correct in what you write.
The problem is real, easy to reproduce and partly fixable with a manifest.

Unfortunately this is only the easy way to do injection; there is also a way to do injection without any local file, purely by replacing the DLL in the process memory.
To prevent this your executable needs to be hardened, usually using tools like Enigma Virtual Box; I'm not sure if the old and trusted PELock can do it as well. With Enigma you basically have a pseudo RISC VM running all your code, which prevents loading of DLLs from the directory or memory.

The big downside to this is that in most cases all AV engines will flag your executable as very, very malicious (so your customers need to be aware).
S.T.V.B.E.E.V.
Kukulkan
Addict
Posts: 1348
Joined: Mon Jun 06, 2005 2:35 pm
Location: germany

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by Kukulkan »

BarryG wrote: Fri Nov 24, 2023 1:05 pm
> Okay, mate. It's all good. Still friends, right? :shock:

Sure. All good :wink:

pamen wrote: Fri Nov 24, 2023 4:08 pm
> Unfortunately this is only the easy way to do injection, there is also a way to do injection without any local file - purely by replacing dll in the process memory.

Thanks for pointing that out. I think the method you describe needs an attacker who is already able to run some executable on your machine, right? The risk is there, but much lower than the one for simple DLL hijacking. I think I will not protect my apps against this. But interesting to know. :D
pamen
Enthusiast
Posts: 172
Joined: Sat Dec 31, 2022 12:24 pm
Location: Cyprus

Re: DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by pamen »

Kukulkan wrote:
> Thanks for pointing out. I think the method you describe needs an attacker being able to already run some executable on your machine, right? The risk is there, but much lower than the one for simple DLL hijacking. I think I will not protect my apps against this. But interesting to know. :D

Yes, I do pen-testing, and for pen-testing purposes it is enough to prevent incorrect on-disk DLL loading.
If an application is hijacked by another process, you cannot do too much apart from virtualizing it, and even then it is just very hard, not impossible.
Once an attacker has Admin access, everything can always be broken: Windows, Mac, Linux and so on.

So step by step:
Install in Program Files (R/O by default on newer Windows) or set the directory permissions during your setup to R/O for everyone apart from admin.
If the client agrees to ignore AV: use virtualization and merge all your files into a single (encrypted) executable, if possible with anti-debug protections.
MD5 your own libs; do not load them if there is a mismatch.
Have a manifest consistent with the OS bitness and version for any DLLs discovered. This could maybe be done by Fred by just loading first from Windows / PATH, then from local (albeit it may cause issues, as it is the opposite of the normal sequence: first local, then global).
S.T.V.B.E.E.V.
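The step list above, as an added Python example that is not from the thread and not PureBasic: a pre-launch audit that flags a file next to the executable whose name shadows uxtheme.dll or msimg32.dll (the two names reported in this thread) and checks the application's own libraries against shipped hashes. It uses SHA-256 where the post says MD5, and the file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# System DLL names the thread reports as being resolved from the
# application directory instead of System32 (list taken from the posts).
SYSTEM_DLLS = {"uxtheme.dll", "msimg32.dll"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large libraries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_app_dir(app_dir, expected_hashes):
    """Return (planted, tampered, missing) for an application directory.

    planted  - files next to the exe whose name shadows a system DLL
    tampered - own libraries whose SHA-256 differs from the shipped value
    missing  - own libraries listed in expected_hashes but not present
    """
    app_dir = Path(app_dir)
    planted = sorted(p.name for p in app_dir.iterdir()
                     if p.is_file() and p.name.lower() in SYSTEM_DLLS)
    tampered, missing = [], []
    for name, digest in expected_hashes.items():
        lib = app_dir / name
        if not lib.is_file():
            missing.append(name)
        elif sha256_of(lib) != digest.lower():
            tampered.append(name)
    return planted, sorted(tampered), sorted(missing)


def safe_to_load(app_dir, expected_hashes) -> bool:
    """Refuse to start (or to load own libs) unless the audit is clean."""
    return not any(audit_app_dir(app_dir, expected_hashes))


def demo():
    """Constructed scenario: a planted uxtheme.dll plus a modified own library."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d)
        (app / "mylib.dll").write_bytes(b"original build")        # constructed
        expected = {"mylib.dll": sha256_of(app / "mylib.dll")}
        (app / "uxtheme.dll").write_bytes(b"not the system DLL")  # planted
        (app / "mylib.dll").write_bytes(b"tampered build")        # modified
        return audit_app_dir(app, expected), safe_to_load(app, expected)
```

Run on a real install directory, a non-empty planted list is the on-disk hijack case this thread is about, and a non-empty tampered list is pamen's hash mismatch.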
Fred
Administrator
Posts: 16522
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: [Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by Fred »

Fixed.
mikejs
Enthusiast
Posts: 160
Joined: Thu Oct 21, 2010 9:46 pm

Re: [Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by mikejs »

Hi all,

Just to clarify the scope of this - does this affect all windows PB executables compiled with 6.03 and earlier?

Or do the compilation options matter? E.g. are console programs affected?
Kukulkan
Addict
Posts: 1348
Joined: Mon Jun 06, 2005 2:35 pm
Location: germany

Re: [Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by Kukulkan »

It affects everything compiled for Windows with PB 6.03 (x86 and x64) and earlier.
mikejs
Enthusiast
Posts: 160
Joined: Thu Oct 21, 2010 9:46 pm

Re: [Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by mikejs »

Kukulkan wrote: Tue Dec 12, 2023 3:08 pm
> It affects everything compiled for Windows with PB 6.03 (x86 and x64) and earlier.
Straightforward, then - recompile everything when 6.04 comes out :)
RichAlgeni
Addict
Posts: 914
Joined: Wed Sep 22, 2010 1:50 am
Location: Bradenton, FL

Re: [Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by RichAlgeni »

Very interesting problem and discussion. Kind of makes me want to use XIncludes and the specific opening of libraries in code.

Will this ever be foolproof? No. We'll do the best we can!
Smitis
New User
Posts: 2
Joined: Mon Sep 04, 2023 11:58 am

Re: [Done] DLL hijacking on uxtheme.dll. Many PB programs affected? Fix?

Post by Smitis »

I use uxtheme to portabilize programs.
This is a legal way to change the behavior of a program without violating the license.
And this is not a hack.
And this is not a vulnerability.