In Windows environments, when an application or a service starts it looks for a number of DLLs in order to function properly. If these DLLs do not exist, or are loaded in an insecure way (called without a fully qualified path), then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.
It should be noted that when an application needs to load a DLL it will search the following locations in order:
- The directory from which the application is loaded
- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
Step 1 – Processes with Missing DLLs
The first step is to list all the processes on the system and identify those that are running as SYSTEM and are missing DLLs. This can be done with the Process Monitor tool from Sysinternals by applying the filters below:
Process Monitor will show whether the application tries to load a DLL that does not exist and the exact path in which it looks for the missing DLL.
In this example the process Bginfo.exe is missing several DLL files, which could possibly be used for privilege escalation.
Step 2 – Folder Permissions
By default, if software is installed directly under C:\ instead of under C:\Program Files, authenticated users will have write access to that directory. Additionally, software like Perl, Python, Ruby etc. is usually added to the Path variable. This gives the opportunity for privilege escalation, since the user can write a malicious DLL into that directory, and it will be loaded with the permissions of the process the next time the process restarts.
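The two checks described in Step 1 and Step 2 can be scripted so that a defender can audit a host the same way. The PowerShell below is an added example, not code from the original post or from Sysinternals: it parses a Process Monitor CSV export for DLL probes that failed with NAME NOT FOUND, then tests whether the probed directories and every directory in PATH grant create-file rights to Everyone, Authenticated Users or BUILTIN\Users. The CSV rows are constructed sample data (the column names are the ones Process Monitor writes when saving as CSV); the function names, the `$LowPrivSids` list and the `$PlantBits` mask are this example's own choices.

```powershell
# Added example (not from the original post): audit a Process Monitor CSV
# export for failed DLL probes, then check the directories involved plus every
# PATH entry for write access by low-privileged principals.
# The rows below are constructed sample data; the columns are Procmon's.
$SampleProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","Bginfo.exe","1234","CreateFile","C:\Windows\System32\Riched32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234570 AM","Bginfo.exe","1234","CreateFile","C:\Perl\bin\Riched32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234580 AM","Bginfo.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:03.0000000 AM","svchost.exe","880","CreateFile","C:\Windows\System32\wlbsctrl.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0000010 AM","svchost.exe","880","CreateFile","C:\Windows\System32\settings.ini","NAME NOT FOUND","Desired Access: Read Attributes"
'@

# Keep only failed probes for .dll files and collapse repeated attempts.
function Get-MissingDllLoads {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.Result -eq 'NAME NOT FOUND' -and $_.Path -match '\.dll$' } |
        Group-Object -Property 'Process Name', 'Path' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Process   = $first.'Process Name'
                PID       = $first.PID
                DllName   = [System.IO.Path]::GetFileName($first.Path)
                Directory = [System.IO.Path]::GetDirectoryName($first.Path)
                Attempts  = $_.Count
            }
        }
}

# Well-known SIDs every standard user holds (Everyone, Authenticated Users,
# BUILTIN\Users); SIDs are used so the check is locale-independent.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that allow creating a file in the folder: CreateFiles (WriteData),
# plus the GENERIC_WRITE and GENERIC_ALL bits some inherited ACEs carry.
$PlantBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to the folder itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (($LowPrivSids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $PlantBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Every directory a standard user could plant a DLL in: the directories probed
# in the trace plus the PATH entries, which the loader also searches.
function Get-WritableSearchDirs {
    param([string[]]$ExtraDirs = @())
    $candidates = (@($env:Path -split ';') + @($ExtraDirs)) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
    foreach ($dir in $candidates) {
        if (Test-LowPrivWritable -Directory $dir) {
            [pscustomobject]@{ Directory = $dir; LowPrivWritable = $true }
        }
    }
}

$missing = Get-MissingDllLoads -CsvLines ($SampleProcmonCsv -split "`r?`n")
$missing | Format-Table Process, PID, DllName, Directory, Attempts -AutoSize
Get-WritableSearchDirs -ExtraDirs @($missing.Directory | Select-Object -Unique) | Format-Table -AutoSize
```

On a real host, replace `$SampleProcmonCsv` with `Get-Content` of a Procmon export captured with the Result and Path filters from Step 1. A directory that appears in both tables is the finding to fix: either tighten its ACL so standard users cannot create files there, or remove it from the system PATH.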
Step 3 – DLL Hijacking
Metasploit can be used to generate a DLL containing a payload that will return a session with the privileges of the service.
The process Bginfo.exe is running as SYSTEM, which means these privileges will be granted to the user upon restart of the service, since the DLL with the malicious payload will be loaded and executed by the process.
As identified above, the process is missing Riched32.dll, so pentestlab.dll needs to be renamed to Riched32.dll. This will confuse the application, which will try to load it as if it were a legitimate DLL. The malicious DLL needs to be dropped in one of the folders from which Windows loads DLL files.
As can be seen below, when the service restarted a Meterpreter session opened with SYSTEM privileges through DLL hijacking.
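The moment described above, a SYSTEM process pulling a DLL from a directory that is not part of the OS or Program Files trees, is also what a defender can alert on. The script below is an added example, not code from the original post: it evaluates Sysmon ImageLoad events (Event ID 7) and flags loads by a SYSTEM process from outside the trusted roots, or loads of an unsigned DLL from such a location. The three events are constructed samples; the `Data` field names (`Image`, `ImageLoaded`, `Signed`, `User`, `UtcTime`) are assumed to match what Sysmon writes for Event ID 7, and the `$TrustedRoots` list and function names are this example's own.

```powershell
# Added example (not from the original post): flag Sysmon Event ID 7 loads
# where a SYSTEM process loads a DLL from outside the OS/Program Files trees,
# or an unsigned DLL is loaded from such a place. Events are constructed
# samples; the Data field names are assumed to be Sysmon's for Event ID 7.
$SampleSysmonEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:01:02.123</Data>
    <Data Name="Image">C:\Tools\Bginfo.exe</Data>
    <Data Name="ImageLoaded">C:\Perl\bin\Riched32.dll</Data>
    <Data Name="Signed">false</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:01:02.130</Data>
    <Data Name="Image">C:\Tools\Bginfo.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\kernel32.dll</Data>
    <Data Name="Signed">true</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:05:00.000</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\setup.exe</Data>
    <Data Name="ImageLoaded">C:\Users\alice\AppData\Local\Temp\helper.dll</Data>
    <Data Name="Signed">false</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
'@
)

# Directories from which DLL loads are expected; empty env vars are dropped.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }

function Get-EventDataField {
    param([xml]$Event, [string]$Name)
    ($Event.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Returns a finding object for a suspicious load, or $null otherwise.
function Test-SuspiciousImageLoad {
    param([Parameter(Mandatory)][string]$EventXml)
    $e = [xml]$EventXml
    if ($e.Event.System.EventID -ne '7') { return $null }
    $image  = Get-EventDataField $e 'Image'
    $dll    = Get-EventDataField $e 'ImageLoaded'
    $user   = Get-EventDataField $e 'User'
    $signed = (Get-EventDataField $e 'Signed') -eq 'true'
    foreach ($root in $TrustedRoots) {
        if ($dll.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $null }
    }
    $isSystem = $user -eq 'NT AUTHORITY\SYSTEM'
    if (-not $isSystem -and $signed) { return $null }
    if ($isSystem) { $reason = 'SYSTEM process loaded DLL outside OS/Program Files' }
    else           { $reason = 'Unsigned DLL loaded outside OS/Program Files' }
    [pscustomobject]@{
        Time = Get-EventDataField $e 'UtcTime'; Process = $image; Dll = $dll
        User = $user; Signed = $signed; Reason = $reason
    }
}

function Get-SuspiciousImageLoads {
    param([Parameter(Mandatory)][string[]]$EventXmls)
    foreach ($x in $EventXmls) {
        $finding = Test-SuspiciousImageLoad -EventXml $x
        if ($finding) { $finding }
    }
}

Get-SuspiciousImageLoads -EventXmls $SampleSysmonEvents | Format-Table -AutoSize
```

Against live data, feed the function the output of `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=7}` after calling `.ToXml()` on each record. The first and third sample events are reported (SYSTEM load from C:\Perl\bin, unsigned load from a user temp folder); the kernel32.dll load from System32 is not. Tune `$TrustedRoots` for software legitimately installed elsewhere rather than widening the rule.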
DLL hijacking can also be done through PowerSploit, since it contains three modules that assist in identifying services that are missing DLLs, discovering folders that users have modify permissions on, and generating DLLs.
The module Find-ProcessDLLHijack will identify all the processes on the system that are trying to load DLLs which are missing.
The next step is to identify paths whose content the user can modify. The folders identified are the ones where the malicious DLL needs to be planted.
The last step is to generate the hijackable DLL into one of the folders identified above with Modify (M) permissions.
In order to escalate privileges via DLL hijacking, the following conditions need to be in place:
- Write Permissions on a system folder
- Software installation in a non-default directory
- A service that is running as SYSTEM and is missing a DLL
- Restart of the service
Discovering applications that are not installed in Program Files is common, since apart from third-party applications, which are not forced to install in that path, custom-made software may also be found outside of these protected folders. Additionally, there are a number of Windows services, like IKEEXT (IKE and AuthIP IPsec Keying Modules), that are missing DLLs (wlbsctrl.dll) and can be exploited as well, either manually or automatically. For IKEEXT there is a specific Metasploit module: