pointer.blogg.se

Twitch prime destiny 2

Detours is a library offered by Microsoft Research for interception of functions on x86 and x64 platforms. It is sold for commercial use to various vendors that build products ranging from security to gaming applications.

Detours is often injected into most or all of the processes, either system-wide or in the context of the logged-in user. The most common way this is done is through the AppInit_Dlls registry value. Because the injection is typically applied to a large number of processes running under various permissions, extra care must be taken to ensure the library and its usage are very carefully reviewed by engineers with a strong understanding of the implications of such wide hooking.

We have used this library in our own security products at Cisco (both CSA and AnyConnect) to provide certain security functions on the system. During one of our research projects earlier this year, we noticed a peculiar pattern on Windows systems where processes we were hooking had a change in the in-memory permissions, which marked the headers of the modules from the normal READ/EXECUTE to now include WRITE as well. This was quite alarming to us, because a dll should not be writeable when loaded into memory. What was interesting, and led to clues of what might be the cause, was that it was only the dlls that had functions we were actively trying to hook. They were the common Win32 dlls that one would typically intercept methods for, such as Kernel32.dll.

At first we assumed we had done something wrong in our own code and so we did a thorough inspection and security review on how we were performing the function hooking. After we verified it was not our own doing, we then decided to inspect the Detours source code. Analyzing the code, we realized that there was an error in the implementation.

Because of the license agreement associated with this code, we cannot show you the fragment that was the cause. We contacted Microsoft and reported the issue at the time we discovered it and a fix was made available to vendors on March 21, 2013 at no cost. Additionally, Microsoft informed our security incident team that they have reached out to other vendors who are using the Detours library to ensure they are aware of the issue. The specific concern with this defect is that it essentially defeats the protections provided by DEP, ASLR, and SafeSEH in any process where the vulnerable version of Detours is present. Consequently, it provides a simple way for a malicious actor to have a predictable location to inject their shell code when they find a vulnerability in a component.

Because of the way Detours is typically used, it is injected in most of the processes on a system.
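
A defender-side check for the symptom described in this post, added here as an example and not taken from the original post or from the Detours code: it lists the modules in a process whose header page (the page at the module base) carries a write-capable protection. It assumes Windows and Python's ctypes; the names `header_is_writable` and `writable_header_modules` are hypothetical.

```python
import ctypes

MEM_COMMIT = 0x1000
# PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Natural alignment yields the correct layout on both x86 and x64.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]

def header_is_writable(state, protect):
    """True if a committed page carries any write-capable protection flag."""
    return state == MEM_COMMIT and bool(protect & WRITABLE)

def writable_header_modules(pid):
    """Return [(module_path, protect)] for modules whose header page is writable."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    vp, u32 = ctypes.c_void_p, ctypes.c_uint32
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = vp, [u32, ctypes.c_int, u32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [vp, vp, vp, ctypes.c_size_t]
    k32.CloseHandle.argtypes = [vp]
    psapi.EnumProcessModules.argtypes = [vp, vp, u32, ctypes.POINTER(u32)]
    psapi.GetModuleFileNameExW.argtypes = [vp, vp, ctypes.c_wchar_p, u32]
    # 0x0410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    h = k32.OpenProcess(0x0410, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mods, needed = (vp * 1024)(), u32()
        if not psapi.EnumProcessModules(h, mods, ctypes.sizeof(mods), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        hits = []
        for base in mods[:min(needed.value // ctypes.sizeof(vp), 1024)]:
            mbi, name = MEMORY_BASIC_INFORMATION(), ctypes.create_unicode_buffer(260)
            # A module handle is its base address, where the PE headers start.
            if (k32.VirtualQueryEx(h, base, ctypes.byref(mbi), ctypes.sizeof(mbi))
                    and header_is_writable(mbi.State, mbi.Protect)):
                psapi.GetModuleFileNameExW(h, base, name, 260)
                hits.append((name.value, mbi.Protect))
        return hits
    finally:
        k32.CloseHandle(h)
```

Calling `writable_header_modules(os.getpid())` from a process of the same bitness as the target returns an empty list on a healthy system; any entry names a module whose headers have been left writable.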








