A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows’ WinSxS folder, incident response company Security Joes reports.
Typically, DLL search order hijacking abuses applications that do not specify the full path of a required library or file, but rely on a predefined search order to locate it.
Attackers place a malicious DLL in a folder prioritized in the search order, typically in the application’s working directory, so that it is loaded before the legitimate library the application needs. In some instances, the attackers also drop a legitimate but vulnerable application to abuse for DLL loading.
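The search order itself is what makes the working directory matter. The following Python model, added here as an illustration and not code from Security Joes' research, resolves a DLL requested by name only against the standard Windows search order (SafeDllSearchMode on or off) and shows why a library that does not exist in any system directory is picked up from the current working directory even with the safe mode enabled. The directory and DLL names are constructed placeholders, not values from the page.

```python
from pathlib import PureWindowsPath

# Directories consulted for a DLL that is requested by name only, is not a
# KnownDLL and is not already loaded. SafeDllSearchMode (the default) pushes
# the current working directory below the system directories; with it disabled
# the working directory is searched right after the application directory.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, safe_mode=True, path_dirs=()):
    """Return the ordered list of directories Windows would consult."""
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *list(path_dirs)]
    return [app_dir, cwd, *SYSTEM_DIRS, *list(path_dirs)]


def resolve_dll(dll_name, app_dir, cwd, present, safe_mode=True, path_dirs=()):
    """Return the full path that wins the search, or None if no copy exists.

    `present` is the set of DLL paths that exist on the (simulated) file system.
    """
    present_norm = {str(PureWindowsPath(p)).lower() for p in present}
    for directory in search_order(app_dir, cwd, safe_mode, path_dirs):
        candidate = str(PureWindowsPath(directory) / dll_name)
        if candidate.lower() in present_norm:
            return candidate
    return None


# Constructed scenario (placeholder component and DLL names, not from the article):
# a binary that lives under WinSxS is started with a user-writable working
# directory and asks for a DLL that ships nowhere in the system directories.
WINSXS_APP_DIR = r"C:\Windows\WinSxS\amd64_placeholder-component"
CUSTOM_CWD = r"C:\Users\alice\Desktop\custom"
MISSING_DLL = "expected.dll"


def winsxs_scenario():
    """Show which copy of the DLL each configuration would load."""
    only_in_cwd = {rf"{CUSTOM_CWD}\{MISSING_DLL}"}
    also_in_system32 = only_in_cwd | {rf"C:\Windows\System32\{MISSING_DLL}"}
    return {
        # No legitimate copy anywhere: the working directory wins even in safe mode.
        "safe_mode_missing_dll": resolve_dll(MISSING_DLL, WINSXS_APP_DIR, CUSTOM_CWD, only_in_cwd),
        # A legitimate copy in System32 outranks the working directory in safe mode ...
        "safe_mode_with_system_copy": resolve_dll(MISSING_DLL, WINSXS_APP_DIR, CUSTOM_CWD, also_in_system32),
        # ... but not when SafeDllSearchMode is disabled.
        "unsafe_mode_with_system_copy": resolve_dll(
            MISSING_DLL, WINSXS_APP_DIR, CUSTOM_CWD, also_in_system32, safe_mode=False
        ),
    }


if __name__ == "__main__":
    for case, winner in winsxs_scenario().items():
        print(f"{case}: {winner}")
```

The model deliberately ignores KnownDLLs, manifests and the application's own load-order tweaks; its point is the narrow one the article makes: for a library the binary expects but that is absent from every system directory, hardening the search order does not stop the working directory from being consulted.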
“Manipulating this loading process allows threat actors to inject and execute unauthorized code within the memory space of a trusted process, effectively deceiving security tools and analysts,” Security Joes explains.
According to the cybersecurity firm, attackers can deliberately target files located in the WinSxS folder to make their attacks stealthier while eliminating the need for dropping additional binaries or obtaining high privileges to execute code within applications located in a Windows folder.
The WinSxS (Windows Side by Side) folder stores various versions of important system files, including DLLs, ensuring application compatibility and system integrity, and facilitating the activation or deactivation of Windows features without additional installations.
“In practical terms, during the installation of Windows components, updates, or software applications, files are systematically stored in the WinSxS directory. This directory acts as a centralized repository for system files, particularly DLLs,” Security Joes explains.
As part of its research, the cybersecurity firm first identified a vulnerable binary within the WinSxS folder, then abused Windows’ behavior when searching for system files to ensure that a crafted DLL placed in a custom folder on the desktop is loaded by the binary using DLL search order hijacking.
“In addition to the custom DLL, we have also developed an executable with the sole purpose of executing all other binaries located in the WinSxS folder and monitoring their operations. This executable is designed to identify vulnerable files residing in the WinSxS folder,” the cybersecurity firm says.
Some of the binaries in the WinSxS folder, the company discovered, were searching for DLLs in the custom desktop folder, suggesting that they would load the crafted library if it were renamed to match the DLL file name the executables were searching for.
According to Security Joes, an attacker could launch a command from a shell that uses the custom folder as the working directory, without having to move the vulnerable binary outside the WinSxS folder.
“This action will lead the targeted binary to execute our DLL since it will only locate it inside our directory. This highlights the power of our implementation, which only requires a command line and a DLL to be injected,” Security Joes notes.
By relying on vulnerable executables that already exist in WinSxS, this technique simplifies the infection chain that relies on DLL search order hijacking, since it eliminates the need to drop a vulnerable application. Furthermore, the technique can be used to target Windows 10 and 11 systems, the cybersecurity firm points out.