Windows Privilege Escalation: Hijacking DLLs

A.R.Rahim
Published in System Weakness
Apr 9, 2022

Hijacking DLLs

A Dynamic Link Library (DLL) is a type of file containing resources that one or more programs can use at the same time in order to run successfully. These resources can be an image or a library of executable functions. Applications and services call DLLs to complete their execution, and if they cannot find a required DLL, the application or service does not function properly. DLL files are not opened by end users directly; they are loaded by their associated application, which usually happens when the application starts up. Attackers can hijack DLLs by replacing a legitimate DLL with a malicious one, so that when the application or service calls the required DLL, the malicious DLL is loaded into the program instead. If the application or service runs with administrative privileges, the attacker is able to run the malicious DLL with elevated privileges.

Applications and services locate their required DLLs in one of the following two ways:

Absolute Path

With an absolute path, the application knows the exact location of the required DLL.

E.g. Path= C:\Windows\System32\required.dll

If the path is writable, the attacker can replace or modify "required.dll" with a malicious DLL.

Undefined Path

With an undefined path, the application knows the name of the required DLL but not its location.

E.g. Path= required.dll

In this case, the Windows application uses predefined search paths to find the DLL, checking them in a specific order. If safe DLL search mode is enabled, the application or service searches for the required DLL in the following order:

1- The directory from which the application loaded

2- C:\Windows\System32

3- C:\Windows\System

4- C:\Windows

5- The current working directory

6- The directories that are listed in the PATH environment variable.

If safe DLL search mode is disabled, the application or service searches for the required DLL in the following order:

1- The directory from which the application loaded

2- The current working directory

3- C:\Windows\System32

4- C:\Windows\System

5- C:\Windows

6- The directories that are listed in the PATH environment variable.

Idea Behind The Attack

The idea behind the attack is to find a service that is missing a required DLL file. If the service uses an absolute path, check whether the path is writable and place a malicious DLL file there. If the service uses an undefined path, check all the paths mentioned above, determine whether any of them is writable, and place a malicious DLL file in the writable path.

Another DLL hijacking technique applies when the service's required DLL file exists but is referenced by an undefined path. Check the search order mentioned above: if the attacker can place a malicious DLL file in a path that has higher priority in the search order, the malicious DLL file is loaded instead of the legitimate one. For example, if safe DLL search mode is enabled and the legitimate DLL file is located in "C:\Windows", then an attacker who can place a malicious DLL file in "C:\Windows\System" gets it loaded by the service, because that directory comes earlier in the search order than the directory holding the legitimate DLL file.
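The two scenarios above (a writable directory searched before the real DLL, or a writable directory holding the DLL itself) can be audited on a host with the following function. This is an added example, not code from the original post; it assumes it runs on the Windows host being audited, that the service's working directory is %SystemRoot%\System32 unless told otherwise, and that "low-privileged" means BUILTIN\Users, Authenticated Users or Everyone.

```powershell
function Test-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ExePath,   # full path of the service binary
        [Parameter(Mandatory)][string]$DllName,   # DLL the binary asks for, e.g. hijackme.dll
        [string]$WorkingDirectory = "$env:SystemRoot\System32"  # assumed CWD for SCM-started services
    )
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    # SafeDllSearchMode is enabled unless the value exists and is explicitly 0.
    $v = (Get-ItemProperty -Path $sm -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safeMode = ($null -eq $v) -or ($v -ne 0)

    $appDir   = Split-Path -Parent $ExePath
    $sys32    = "$env:SystemRoot\System32"
    $sys16    = "$env:SystemRoot\System"
    $pathDirs = $env:PATH -split ';' | Where-Object { $_ }
    # Search order as described in the article, for each mode.
    $order = @($appDir, $sys32, $sys16, $env:SystemRoot, $WorkingDirectory)             # safe mode
    if (-not $safeMode) { $order = @($appDir, $WorkingDirectory, $sys32, $sys16, $env:SystemRoot) }
    $order += $pathDirs

    # Principals whose write access would let a standard user plant a DLL.
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    # Write bits plus GENERIC_ALL / GENERIC_WRITE, which some ACEs use instead.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x10000000 -bor 0x40000000

    $found = $false
    foreach ($dir in ($order | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $hasDll   = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
        $acl      = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        $writable = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) })
        [pscustomobject]@{
            SafeDllSearchMode = $safeMode; Directory = $dir; ContainsDll = $hasDll
            LowPrivWritable   = $writable
            # Risky until the real DLL has been found: a planted copy here would
            # shadow (or, if ContainsDll, replace) the legitimate file.
            Risk = $writable -and -not $found
        }
        if ($hasDll) { $found = $true }
    }
}
# Usage: Test-DllSearchOrder -ExePath '<path to the service binary>' -DllName hijackme.dll | Format-Table
```

Any row with Risk = True is a directory to fix with ACL changes before the service is relied upon.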

Lab Preparation

I am using Heath Adams' TryHackMe lab to test this technique. You can create your own or use the ready-made lab from the link given below:

Attacker machine IP: 10.10.157.8

Victim Machine IP: 10.10.29.7

Low-Privilege User: user

Initial Access

After gaining initial access, we have low-privileged access as the user named "user". The goal is to escalate privileges and create a user "test" in the Administrators group.

Victim Machine With a Low Privileged User
Administrators Group

We can see in the above screenshot that only the TCM user is part of the Administrators group.

Reconnaissance

We require the following information to carry out our attack:

1- The service whose required DLL file is missing

2- Name of the missing required DLL file

3- Path of the required DLL file

4- Permissions set on the path

I have tested the winPEAS tool to gather the required information, but it only shows the DLL-hijackable paths and lists all the vulnerable services. Using this tool, we are unable to relate a vulnerable service to its DLL-hijackable path. Further, we are unable to determine the name of the missing required DLL file.

DLL Hijackable Path
List of Vulnerable Services

I also tested the PowerUp.ps1 tool; although it can find the DLL-hijackable path and a process's hijackable DLL name, in my case it did not show me the intended missing DLL file.

The only possible solution I have come to is to use the procmon tool, but it requires elevated privileges to run. We can transfer the vulnerable service to the attacker machine and analyze it there, but this process requires more time, because you never know which service has a DLL file missing, and you have to test every vulnerable service and analyze its behavior. For testing purposes, I ran procmon on the target machine with elevated privileges and analyzed the service "dllsvc", which is bound to the executable named "dllhijackmeservice.exe".

Note: If you have a better technique, do let me know in the comment section.

Run procmon and set the filters as shown in the screenshots:

After applying the filters, look for the service executable named "dllhijackservice.exe".

We can see that the missing DLL file is hijackme.dll. Further, we can see that the service looks for it in the path "C:\Temp", which is writable, as shown in the screenshot below:

Weaponization

Creating A Payload:

We will create a user and add it to the local Administrators group. For this purpose, we use a C-language payload named "windows_dll.c" and simply put the following command in its system() call:

net user /add test P@ssword && net localgroup administrators test /add

Now compile the payload file by typing the following at the command prompt:

x86_64-w64-mingw32-gcc windows_dll.c --shared -o hijackme.dll

(NOTE: if the cross-compiler is not installed, install it with 'sudo apt install gcc-mingw-w64')

We save the custom DLL under the name of the DLL that the dllhijackservice.exe service is missing; in our case, that is "hijackme.dll".

Delivery

Transferring Malicious Executable

After creating the malicious payload, we transfer it to the victim machine. I am using a Python web server to transfer the malicious executable and save it in C:\Temp.

Starting Web Server on Attacker Machine
Retrieving Malicious Payload on Victim Machine
Path For Malicious Payload on Victim Machine i.e. C:\Temp

Exploitation

Executing Malicious Payload

We can execute the malicious payload by starting or restarting the dllsvc service.

Starting dllsvc service
Administrators Group

We can see that the user "test" has been successfully created and added to the Administrators group.
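From the defender's side, the load that just happened (a service process pulling an unsigned DLL out of C:\Temp) shows up in Sysmon "Image loaded" events. The following hunt function is an added example, not part of the original post; it assumes Sysmon is installed with Event ID 7 (ImageLoad) logging enabled and a Sysmon version that records the User field.

```powershell
function Find-SuspiciousDllLoads {
    param([int]$Hours = 24)
    # Locations from which a service is expected to load DLLs; anything else is reported.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
               Where-Object { $_ -ne '\' }
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $loaded = $d['ImageLoaded']
        if (-not $loaded) { return }
        $fromTrusted = $trusted | Where-Object { $loaded.StartsWith($_, 'OrdinalIgnoreCase') }
        # Report DLLs loaded from a non-standard directory whose signature is not valid;
        # a DLL planted in C:\Temp and loaded by a service matches both conditions.
        if (-not $fromTrusted -and $d['SignatureStatus'] -ne 'Valid') {
            [pscustomobject]@{
                Time    = $_.TimeCreated; Process = $d['Image']; User = $d['User']
                Dll     = $loaded;        Signed  = $d['Signed']; Hash = $d['Hashes']
            }
        }
    }
}
# Usage: Find-SuspiciousDllLoads -Hours 48 | Format-Table -AutoSize
```

Combine the output with a process-creation check for the same process (net.exe / net1.exe children of a service binary) to confirm the follow-on activity seen in this write-up.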

Prevention

· Enable Safe DLL Search Mode to force the search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%) to happen before local directory DLLs (e.g. a user's home directory) are used. [Mitre]

· Check permissions on files and folders thoroughly, especially on critical servers, and only allow authorized users to write to or modify those objects.

· Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. [Mitre]

· Identify and block potentially malicious software executed through search order hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software. [Mitre]
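The first three mitigations above can be applied on a host with the following function. This is an added example, not the post's or MITRE's own code; it assumes an elevated PowerShell session, that the "disallow remote DLLs" setting is the CWDIllegalInDllSearch value introduced by Microsoft's KB2264107 update, and that C:\Temp (the directory the lab service searched) is the location to lock down unless another -Directory is given.

```powershell
function Set-DllHijackMitigations {
    param([string]$Directory = 'C:\Temp')
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    # 1. Safe DLL search mode: system directories are searched before the current directory.
    Set-ItemProperty -Path $sm -Name SafeDllSearchMode -Value 1 -Type DWord
    # 2. Disallow loading DLLs from a remote current directory (KB2264107 value):
    #    2 = block loads from the CWD when it is a WebDAV or remote UNC location.
    Set-ItemProperty -Path $sm -Name CWDIllegalInDllSearch -Value 2 -Type DWord
    # 3. Strip write/modify grants for low-privileged principals on the directory
    #    the service searched, leaving them read-and-execute only.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return }
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x10000000 -bor 0x40000000
    # Break inheritance (keeping copies of inherited ACEs) so they become editable.
    $acl = Get-Acl -LiteralPath $Directory
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Directory -AclObject $acl
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Drop every Allow ACE for this principal, then grant read-and-execute back.
        $null = $acl.RemoveAccessRuleAll($ace)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -LiteralPath $Directory -AclObject $acl
    # Show the resulting grants so the change can be reviewed.
    (Get-Acl -LiteralPath $Directory).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
}
```

Re-run the search-order audit afterwards to confirm no directory ahead of the legitimate DLL remains writable by standard users.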
