Wiki leaks?

So this page seems to be a hot topic today, unfortunately I don't REALLY understand much of the technical side. Anyone want to dumb this down for me? https://wikileaks.org/ciav7p1/ Sounds super interesting though!

It means that the big bad man is after your data.

It is basically saying Uncle Sam has his eyes on you.

Little less dumb por favor? Thanks guys..

The CIA effectively had an archive of exploits in various software that they were using to gain access to systems.

It's highly unlikely these were ever utilized against everyday citizens, but that they remained undisclosed in order to continue being utilized for intelligence efforts has been considered questionable, as it is argued to be against the common interest of Americans.

The CIA-Wiki topic is widely considered elsewhere.
It is not a good topic for this forum. (No AV can stop it.)
Some media in the UK and EU have published stories about the CIA.


So far this thread is okay, but let's keep it from getting political. Thank you.

https://wikileaks.org/ciav7p1/cms/index.html
Is that a list of the various software you mentioned, BC_Programmer? If so, what is the general basis behind a DLL Hijack?
I see some of the tools a lot of people use in that DLL Hijack including Skype, Notepad++, etc..

OK. A DLL Hijack is something we can talk about without the political stuff.
A word of caution. Some information about 'DLL Hijack' is so EXPLICIT that we would be telling people how to do it at home.

IMO, this link is safe and at the same time correct.
https://www.exploit-db.com/docs/31687.pdf
Dynamic-Link Library Hijacking by Max “RIVAL”
Quote

Dynamic-Link Library Hijacking
Max “RIVAL”
xxxxxxxxxxxxxxxx    [links removed.]
xxxxxxxxxxxxxxx
Abstract
The aim of this paper is to BRIEFLY discuss DLL Hijacking vulnerabilities and the techniques used to mitigate and fix them. This paper is aimed towards people with a basic understanding of Dynamic-Link Libraries and how they can be used in applications, however provides certain points of information for those who do not.

Here is a key point:
Quote
Programmers often don't specify an absolute path to the DLL file they want to use. This would have caused the problem of the DLL not being found and used, however Microsoft came up with the Dynamic-Link Library Search Order, which runs at the application's load time, to solve this issue. By default, the first item found is the item that is used. The search order is as follows:

You can imagine this feature can be exploited.
DLL Hijack is not just a matter of replacing one legal program with a bogus program with the same name. It is not so simple.
Read the full text.

Quote from: EricA. on March 09, 2017, 03:39:42 PM
https://wikileaks.org/ciav7p1/cms/index.html
Is that a list of the Various softwares you mentioned BC_Programmer if so what is the general basis behind a DLL Hijack?
I see some of the tools a lot of people use in that DLL Hijack including Skype, Notepad++, ect..

You make software load "your" DLL, instead of the one intended. Then you can run code within the security context of that program. You do this by putting it on the Library Search path Geek mentioned, but "before" the actual DLL would be found in the order.

For example, let's say we have GAME.EXE running, and it wants to load LIBRARY.DLL.

So Windows now has to find it. First it looks in the directory where the executable is, then it looks in the Windows System directory (C:\Windows\System32), then it looks in the Windows Directory, then it looks in the current directory, and then it looks at all the folders specified in the PATH environment variable. Source

It's worth noting that this order directly contradicts what the order is stated to be in Geek-9pm's link. The Library Search order is different if "SafeDllSearchMode" is enabled. This has been enabled by default since Windows XP SP2 and causes the Current Directory to be searched after the Windows System directories. This makes everything in the posted page unusable; it relies on the current directory being searched before the standard system directories, which hasn't been the case for over a decade - it wasn't even relevant when it was written, not that it is my place to question such heavyweight researchers like 'Max "RIVAL"'

DLL hijacking now requires a program to be specifically programmed to load from insecure locations (eg hard-coded or soft-coded paths) or to have insecure extensibility features that allow such things to happen. Skype isn't vulnerable, but its installer is; it doesn't rely on the Windows Search Order and specifically looks in the current directory for msi.dll, which means placing a malicious msi.dll in that folder will allow malicious code to execute.

Otherwise, though, it requires administrator privileges to place the malicious DLL in a folder to have it be found first, which means it's seldom an infection vector but rather a payload action (eg something you do after you've taken control of a system).
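The search order BC_Programmer describes, modelled in Python as an added example (this is not code from the thread, from the quoted paper, or from Microsoft). It resolves an unqualified DLL name with SafeDllSearchMode on and off, shows the installer case where the program builds the path itself and so never consults the search order, and adds a small defender-side check that flags a module loaded from outside the application and system directories. The directory names, the GAME.EXE location, the planted msi.dll copy in a Downloads folder and the PATH entry are all constructed for the illustration; the 16-bit system directory step and the KnownDLLs / already-loaded short-cuts are left out of the model.

```python
from pathlib import PureWindowsPath

# Constructed scenario; the real system directory names are used only as labels.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDOWS = PureWindowsPath(r"C:\Windows")


def search_order(exe_dir, cwd, path_dirs, safe_mode=True):
    """Directories Windows consults, in order, for an unqualified DLL name.

    With SafeDllSearchMode (the default since XP SP2) the current directory
    is searched after the system directories; in legacy mode it comes right
    after the application directory.  The 16-bit system directory and the
    KnownDLLs / already-loaded short-cuts are omitted from this model.
    """
    exe_dir, cwd = PureWindowsPath(exe_dir), PureWindowsPath(cwd)
    path_dirs = [PureWindowsPath(p) for p in path_dirs]
    if safe_mode:
        return [exe_dir, SYSTEM32, WINDOWS, cwd, *path_dirs]
    return [exe_dir, cwd, SYSTEM32, WINDOWS, *path_dirs]


def resolve(dll_name, dirs, fs):
    """First candidate that exists in `fs` (a set of paths standing in for
    the file system), or None.  Windows stops at the first hit."""
    for d in dirs:
        candidate = d / dll_name
        if candidate in fs:
            return candidate
    return None


def resolve_explicit(dll_name, directory, fs):
    """A program that builds the path itself (the installer looking for
    msi.dll in the current directory) never consults the search order."""
    candidate = PureWindowsPath(directory) / dll_name
    return candidate if candidate in fs else None


def is_suspicious_load(module_path, exe_dir):
    """Defender-side check: True if a loaded module does not live under the
    application directory or the Windows system directories.  Meant to be
    run over a module list (e.g. tasklist /m output or an image-load event).
    C:\\Windows\\Temp is user-writable, so it is treated as untrusted even
    though it sits under C:\\Windows."""
    module = PureWindowsPath(module_path)
    if (WINDOWS / "Temp") in module.parents:
        return True
    trusted = [PureWindowsPath(exe_dir), SYSTEM32, WINDOWS]
    return not any(t in module.parents for t in trusted)


# Constructed scenario: a legitimate msi.dll in System32 and a planted copy
# in the folder a downloaded installer was launched from.
EXE_DIR = r"C:\Program Files\Game"
CWD = r"C:\Users\demo\Downloads"
PATH_DIRS = [r"C:\Tools"]
FS = {SYSTEM32 / "msi.dll", PureWindowsPath(CWD) / "msi.dll"}


def which_msi_wins(safe_mode):
    """Which msi.dll the search order picks for GAME.EXE in this scenario."""
    return resolve("msi.dll", search_order(EXE_DIR, CWD, PATH_DIRS, safe_mode), FS)


if __name__ == "__main__":
    print("SafeDllSearchMode on :", which_msi_wins(True))
    print("SafeDllSearchMode off:", which_msi_wins(False))
    print("installer, explicit  :", resolve_explicit("msi.dll", CWD, FS))
    for p in sorted(FS, key=str):
        print(p, "SUSPICIOUS" if is_suspicious_load(p, EXE_DIR) else "ok")
```

With SafeDllSearchMode on, the System32 copy wins and the planted copy in Downloads is never reached; turn the mode off and the Downloads copy is picked first, which is the ordering the quoted paper assumes. The explicit-path case returns the Downloads copy regardless of the mode, which is why the installer remains exposed while the search order itself is not. The `is_suspicious_load` check is the practical takeaway for a PC user: a DLL that a process has loaded from a user-writable folder such as Downloads or C:\Windows\Temp is what to look for.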

Realistically it is somewhat overstated; it's just gathered information that for the most PART was already freely available on the INTERNET, mostly a set of tips and tricks it looks like for how to do their job. If you're paranoid it doesn't mean they aren't out to get you...

Quote
not that it is my place to question such heavyweight researchers like 'Max "RIVAL"'

The objective is to help others understand the concept, not to provide a real recipe for malware. The information I gave will not help a newbie write malware. As you mentioned, it is out of date.

The objective is actually to help people here with PC issues...with accurate and concise information...
Not off-handed quotes from someone you found on some web site search...

Quote from: patio on March 09, 2017, 07:28:30 PM
The objective is actually to help people here with PC issues...with accurate and concise information...
Not off-handed quotes from someone you found on some web site search...

Please read the posted link. He does not tell you how to make malware, but he does tell how to spot it by explaining how the exploit works. The issue for PC users is how to spot the possibility of a DLL hijack. The bogus DLL is in front of the search path.

Quote from: Geek-9pm on March 09, 2017, 08:02:23 PM
He does not tell you how to make malware, but he does tell how to spot it by explaining how the exploit works.

There is no difference between them. The only reason the "paper" doesn't describe how to make Malware is because it's wrong.


