DLL hijacking vulnerabilities in Nirsoft tools

SecurityNightmares

Level 31
Verified
Jan 9, 2020
2,055
The Nirsoft tools are probably known to many Windows users. What is less known: The tools come along with nasty DLL hijacking vulnerabilities and should rather be avoided.



The topic has been bogged down here for quite some time and I have put it off again and again. Because on the one hand the Nirsoft tools promise support for various Windows problems. And on the other hand I don’t have to bother the developer without need. On the other hand, there are serious DLL hijacking vulnerabilities in the tools, and the developer doesn’t care. So every user should know what he is getting into.

What are the Nirsoft tools?
The Nirsoft tools are a collection of helpful Windows programs for various tasks, which are available for free. Behind the tools is the developer Nir Sofer, who describes himself as ‘an experienced developer with extensive knowledge of C++, .NET Framework, Windows API and reverse engineering of undocumented binary formats and encryption algorithms’. The tools are available on the website nirsoft.net. I myself have occasionally used one or the other program from the tool collection. All tools are portable programs and do not need to be installed.

The DLL hijacking vulnerabilities
It was the end of January 2020, when I came across the German article AdvancedRun 1.15 jetzt auch mit Kontextmenü-Eintrag published from the colleagues of deskmodder.de. This is a free tool from Nirsoft, with which you can start other programs with extended rights (administrator, system etc.). Actually a great thing, and since the tools are free of charge, the thought was there to present the whole thing in the blog.

NirSoft AdvancedRun


An impulse to run a security audit for the tool
However, due to a sudden impulse, I decided to run the downloaded tool over my testbed to detect vulnerabilities. A tool that uses administrator privileges during operation should have no DLL hijacking vulnerabilities.

DLL-Hijacking vulnerabilities in Nirsoft Tools


The whole thing ended not so well. Launching Advanced Run, I immediately received several warnings (see above figure) because the tool tries to reload dlls like dwmapi.dll, uxtheme.dll, version.dll etc. from its own directory. But also when trying to run another program like Regedit.exe with elevated privileges via the Run button, it triggers the same warning dialogs shown above (although I did not check if the called modules inherit the permissions – the UAC query comes later).

The testbed is provided by Stefan Kanthak, who deals with such security issues. You can download the file Forward.cab from his website and extract it into a folder. There is also a Sentinel.exe, which also has to be copied into this folder.
If a virus scanner jumps on when visiting the Kanthak website: It delivers the Eicar test virus in a data block attribute on its website to test whether browsers evaluate it and load it into memory for execution. A virus scanner should then be activated.
Later, the software to be tested is copied into the folder of the test bed and executed. If there are alarms as shown in the screenshot above, there is a DLL hijacking vulnerability.
Problem is: There is a vulnerability that is frowned upon in ‘good programming practice’. It should be fixed, this is possible. I’ve warned here in the blog about several tools with such vulnerabilities, most of the time it doesn’t help or I catches some comments like why I publish such a thing and I could do it better. But there are also the positive examples for such cases (see below).

Why DLL Hijacking is critical
The observed behavior means that all DLL files reloaded by Advanced Run are also executed as a process with administrative privileges. The user explicitly grants these permissions to the called processes.

Normally this works well, because Windows does not find the expected DLL files in the program’s folder and then searches in the Windows folders and loads the required DLL there. The problem: If such a vulnerability is known, a malware could exploit it.

It is sufficient for the Malware to place DLLs with the expected names in the relevant folder. In order not to attract attention, the Malware could be informed by an event when accessing the folder with the Tools (usually this will be the Downloads folder). Then there would still be time to copy the DLLs into the folder. The user grant the program (intentional) elevated permissions and the Malware DLLs are piggybacked by the DLL hijacking vulnerability receives also the elevated permissions. Advanced Run is virtually an ideal cloak of invisibility for Malware, which could then gain elevated privileges.

For example, Microsoft has published the support article KB2533623 as a Security Advisory (last updated in January 2020), in which this risk is pointed out. There was even an update for older Windows versions to help developers prevent exploitation of the DLL hijacking vulnerability. Another security advisory KB2269637 also addresses this vulnerability.

Sobering experiences with the developer
I then downloaded some more Nirsoft tools from the developer’s website and also ran them over the testbed. The result was the same, they all have a DLL hijacking vulnerability. Developers have the possibility to specify from which paths or folders the system DLLs should be reloaded. If Sofer Nir is an experienced developer, it should be an easy fix.

In December 2019 I informed the developers of the AdwCleaner of Malwarebytes about such a DLL hijacking vulnerability. They reacted immediately and released a bug-fixed version for a few days (see the blog posts AdwCleaner 8.0.1 closes a DLL Hijacking vulnerability). In April, another mishap happened to them, which was promptly fixed after I informed them (see AdwCleaner 8.0.4 closes again a DLL Hijacking vulnerability).

So in January 2020 I contacted Sofer Nir directly via his contact form and raised the issue. Connected to this was the request to react there and give feedback if necessary because I want to publish an article. At the same time I postponed the publication of the article. The hope was that it would work similar to the AdwCleaner cases.

But Sofer Nir did not respond to my requests. Since I am in regular contact with German security researcher Stefan Kanthak, I explicitly asked him about this case at the end of March 2020. Here is the correspondence including the feedback from Stefan Kanthak:

> PS: Have you had contact with Sofer Nir from Nirsoft in the past?
> The Nirsoft tools are suffering from DLL hijacking by the bank
> Weaknesses. I’d sent him an email, but never
> Received an answer (even though he retrieved the mail). I am only
> I haven’t had a chance to write anything about it yet.
I sent him multiple mails about his STARTER ERRORS, but the guy is *** deaf and dumb: NO reaction!
So confirm my picture. I had lost focus on the article again until I was reminded by the comments on the German article Defender stufte fälschlich Winaero Tweaker als Hacker-Tool ein. I do have a hard time ‘to bash’ free tools. But if their creators refuse to dig with DLL hijacking, at least users of the tools should know what a shaky board they are on. So the information is out there now, so draw your conclusions.

For me that's a very sad news as i always like the Nirsoft tools but if the dev doesn't care about fixing that security problems, i avoid now these tools.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,122
I sent him multiple mails about his STARTER ERRORS, but the guy is *** deaf and dumb: NO reaction!
That plain rude and very unnecessary share tells me everything I need to know about this blogger. If he actually wants to behave like an adult and be seen serious, try avoid this kind of behaviour in the future.

Thanks anyway for the share.
 

blackice

Level 28
Verified
Apr 1, 2019
1,733
That plain rude and very unnecessary share tells me everything I need to know about this blogger. If he actually wants to behave like an adult and be seen serious, try avoid this kind of behaviour in the future.

Thanks anyway for the share.
We don’t know why the programmer isn’t responding. This guy is trying to get attention, even if he could be right.
 

SecurityNightmares

Level 31
Verified
Jan 9, 2020
2,055
That plain rude and very unnecessary share tells me everything I need to know about this blogger. If he actually wants to behave like an adult and be seen serious, try avoid this kind of behaviour in the future.

Thanks anyway for the share.
This quote wasn't from my linked link blogger.
This was from another guy who is in contact with the blogger which only make the post
 

Andy Ful

Level 66
Verified
Trusted
Content Creator
Dec 23, 2014
5,598
Using NirSoft tools in the home environment is safe (except maybe in the Downloads folder). But, the vulnerable tool can be used to bypass SmartScreen or anti-exe solutions. SmartScreen (anti-exe) will check the legal EXE file, but not the malicious DLL.
The anti-exe solutions can be for example bypassed via an infected flash drive (usually shortcut malware). When the user will run the shortcut, the anti-exe will see only the legal NirSoft tool, and the user will let it run with malicious DLL.
 
Last edited:

Andy Ful

Level 66
Verified
Trusted
Content Creator
Dec 23, 2014
5,598
Now I understand why NVTOSArmor has this option to block Nirsoft, though it doesn't seem enabled by default.

This would be ineffective. There are many (old) Microsoft binaries often used in DLL hijacking. I think that OSA blocks NirSoft tools mostly because they can be used to gather information about the computer and the user activities. These tools are very useful both for administrators and hackers.
 

boombastik

Level 2
Dec 17, 2018
86
First of al you need to know the folder that someone put these portable applications in the pc.
Second you need someone to put in that folder the malicious dll.

If i understand that correctly, it has near zero percentage to be targeted by someone. Ussualy they target applications that they installed in a preconfigured same folde, they cant targer portable applications that every user put them in a random PC folder.
It seems that all of his utilities is a simple executable so the only thing you need to do is when you unzip the executable to check if it has dll files in the same folder with the executable.
 

Andy Ful

Level 66
Verified
Trusted
Content Creator
Dec 23, 2014
5,598
First of al you need to know the folder that someone put these portable applications in the pc.
Second you need someone to put in that folder the malicious dll.
...
All of the above can take place when you use the infected flash drive from your friend.;)
DLL hijacking is simply one of the secondary chains of the infection (but not the first).
 

SecurityNightmares

Level 31
Verified
Jan 9, 2020
2,055
As a matter of course Sofer Nir does not respond to anyone's emails.
That's some kind of ignorance then.

Exactly. The issue is over-hyped. It's the same that has been reported many times for different products. Many refused to fix it due to the almost zero probability that it would be exploited.

Media hype. Blogger hype.
It's not. As I already write, downloading the files are enough as most user don't delete files from download folder.
Also it doesn't exist one logically reason why the dev shouldn't fix it.
Looks like he doesn't care about security at all
 

boombastik

Level 2
Dec 17, 2018
86
All of the above can take place when you use the infected flash drive from your friend.;)
DLL hijacking is simply one of the secondary chains of the infection (but not the first).

So you say that someone may put a nirisoft application in a flash drive with a malicious dll and crate a auto-run malware to infect the PC?
In 2020 this is also a rare occasion but at least has a better opportunity than the zear nero DLL hijacking in folder.
 

SecurityNightmares

Level 31
Verified
Jan 9, 2020
2,055
Nir Sofer is a freeware developer and owes nobody a thing. People use his freewares at his expense, not their own.

If people want it fixed, then maybe they should make donations to Nir Sofer. Hmm ? How about that ? Or is he supposed to do everything free, at his own expense, because a few people are perturbed ?
That's fine of course but he can answer and/ or say that he need help or donation to implement better security. But instead just ignore feedback isn't good.

Microsoft Windows has the very same problem and Microsoft has refused to fix it. So according to your stated logic, Microsoft doesn't care about security at all.
Well that's wrong. You can manually install the fix
 

Andy Ful

Level 66
Verified
Trusted
Content Creator
Dec 23, 2014
5,598
So you say that someone may put a nirisoft application in a flash drive with a malicious dll and crate a auto-run malware to infect the PC?
In 2020 this is also a rare occasion but at least has a better opportunity than the zear nero DLL hijacking in folder.
Auto-run malware is rare nowadays, because of Windows settings introduced in Windows Vista SP2. There were dangerous autorun attacks based on icon shortcut exploits, but they were patched by Microsoft a few years ago. So, the infections via flash drives must assume that the user must manually run something. The DLL hijacking method is used mostly to hide the source of infection. The average user can be infected in a simpler way without DLL hijacking.
 
Top