Microsoft Expression Design wintab32.dll Library Loading

Added: 04/25/2012
CVE: CVE-2012-0016
BID: 52375
OSVDB: 80001

Background

Microsoft Expression Design is a commercial, professional illustration tool for vector and raster graphic design of web images.

Problem

Microsoft Expression Design contains a flaw in the way it loads dynamic-link libraries (DLLs). The program looks for the wintab32.dll library using a fixed search path, and that path includes directories which may be untrusted or under the control of another user. If a custom version of wintab32.dll is placed in one of those directories, the program loads it before the legitimate version. This allows an attacker to inject custom code that runs with the privileges of the program, or of the user executing it, if that user can be tricked into opening a .design file from the local file system or, in some cases, from a USB drive. The attack can also be leveraged remotely by placing the malicious wintab32.dll on a network share or in an archive that is downloaded from a remote source and extracted.
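As an added, defender-side example (not part of this SAINT entry or any Microsoft code): a Python scan that walks a share or an extracted archive and reports every wintab32.dll it finds, rating a copy that sits next to a .design file as high severity because that is the layout the preloading described above relies on. The directory layout the demo builds is constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Names from the advisory: the library the program looks up by bare name and the
# document type whose containing directory ends up on the DLL search path.
PLANTED_DLL = "wintab32.dll"
DOC_EXT = ".design"


def scan_for_planted_dll(root):
    """Walk a share or extracted archive and report every wintab32.dll found.

    A copy beside a .design file is the layout a preloading attack needs, so it is
    rated "high"; a stray copy elsewhere is still reported as "review".
    Returns a sorted list of (severity, relative_posix_path) tuples.
    """
    findings = []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}       # NTFS is case-insensitive
        if PLANTED_DLL not in lowered:
            continue
        beside_document = any(f.endswith(DOC_EXT) for f in lowered)
        severity = "high" if beside_document else "review"
        rel = Path(dirpath, lowered[PLANTED_DLL]).relative_to(root).as_posix()
        findings.append((severity, rel))
    return sorted(findings)


def demo():
    """Build a constructed share layout in a temp dir and scan it (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {
            "marketing/logo.design": "",      # document next to a planted DLL
            "marketing/WinTab32.DLL": "MZ",   # mixed case, still matched
            "tools/wintab32.dll": "MZ",       # stray copy, no document beside it
            "clean/brochure.design": "",      # document with no DLL: fine
        }
        for rel, content in layout.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return scan_for_planted_dll(tmp)


if __name__ == "__main__":
    for severity, rel in demo():
        print(f"{severity:6} {rel}")
```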

Resolution

Apply the patch referenced in Microsoft Security Bulletin MS12-022.

References

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

Limitations

This exploit has been tested on Microsoft Expression Design 2 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

The executable smbclient must be available on the SAINT host, and a valid SMB user with permission to write to the SMB share is required. The SMB password is not allowed to contain single quotes (').

The target must be able to access the specified SMB share anonymously.

Platforms

Windows
