We previously covered DLL Hijacking when we discovered extensive vulnerabilities in .NET, which potentially open any .NET application to such attacks.
Additionally, this is not the first time that Microsoft signed files are detected as vulnerable, and the list also potentially includes some Windows related executables as a recent research has shown.
The initial discovery
A Deceptive Bytes team member tried starting Process Explorer while having the same DLL used to discover the .NET vulnerability in the same shared folder as the app, which led him to detect the first app in the SysInternals suite that is vulnerable.
The extensive discovery
The Deceptive Bytes team decided to check if it just occurs specifically with Process Explorer or if it’s widespread and there are other tools in the SysInternals suite that are susceptible as well.
The team used Dependency Walker (also by Microsoft) to find all the DLLs imported to the SysInternals suite and then tested some of the more common apps, here are some examples:
RDC Manager https://www.youtube.com/watch?v=eoWSGtELuOY
Of course cryptbase.dll is just an example and it is not the only one as many imported DLL in SysInternals can be weaponized and since SysInternals tools are signed by Microsoft, these attacks can easily bypass existing security tools and go undetected.
Microsoft provided the following response after a month:
Thank you again for your submission to MSRC. Our engineers have investigated the report and we have informed the appropriate team about the issues you reported. However, this case does not meet the bar for servicing by MSRC and we will be closing this case. Our product group will address the issue as needed.
Please continue your vulnerability research and help us protect our customers. Also, check out the Microsoft Bounty Program for your future research: https://www.microsoft.com/en-us/msrc/bounty
Thank you, and we look forward to more submissions from you in the future!
Thank you very much for working with us.
While previous suggestions we provided were meant for developers, the current vulnerabilities cannot be closed/prevented directly as Microsoft is responsible to close the vulnerability, which could take a while, if at all.
Ironically, according to Microsoft’s DLL security documentation, you can use SysInternals’ Process Monitor to check if related events occurred and you can also utilize existing security tools like EDR/XDR to search for inconsistent executions related to SysInternals’ tools.
To prevent such attacks, it’s recommended that you use Active Endpoint Deception which both creates an unattractive environment for attackers to deter them from executing in the first place and also detects such deceitful behaviors by malware before the malicious payload executes.
Contact us if you want to see a demo and to receive more information