DLL hijacking possible with UWP applications?

StSg 1 Reputation point
2021-06-04T13:16:06.85+00:00

Hello all,

During the development of a UWP application (with Xamarin, which should be irrelevant here) we noticed that the application searches for certain assemblies in various places. You can see an example of this in the attached screenshot.

If someone notices this and puts an assembly in one of these places, this could be a security risk, couldn't it? Keyword: DLL hijacking.

But maybe it is only an abstract security risk, because theoretically there are very restrictive permissions below the WindowsApps folder by default.

A look at standard Microsoft UWP applications, such as Microsoft Store, also shows similar "problems".

Since I could hardly find any useful information on this topic, I would appreciate some feedback here. Even if it only helps to understand this behavior a bit better.


2 answers

  1. Christopher Lee 111 Reputation points
    2021-06-04T15:45:18.033+00:00

    The Program Files directory is designed to only allow Administrators to write to its contents. If you have Administrator permissions, you are already on the other side of the airtight hatchway and can execute your payload directly without having to resort to file replacement trickery.

    That said, there are a few subtleties to this rule introduced by the Universal Windows Platform that I've observed:

    • Packages can declare the mutablePackageDirectories mutable package directory extension which defines a writable directory that can be changed by users. These are indicated in Store listings with the "Enable the user to modify the app." designation so you can make an informed installation decision.
    • Original Equipment Manufacturers (OEMs) can place a custom.data OEM info file in the microsoft.system.package.metadata subfolder of your application package. The manufacturer has considerable influence on the security of your device, so you will need to trust them.
    • JavaScript applications generate a cached bytecode JSByteCodeCache* file in the microsoft.system.package.metadata\Autogen subfolder of your application package, which I've observed can happen at runtime. Presumably this is not a folder that will be searched for DLL loading, and the file contents are unlikely to be executable.
    1 person found this answer helpful.

  2. Reza-Ameri 17,341 Reputation points Volunteer Moderator
    2021-06-14T14:57:54.477+00:00

    Technically there are restrictions; for example, you only have read permission, and in order to exploit it you would need write permission. There are several security mechanisms in place to protect you against DLL hijacking; however, in case you find any proof of concept or method to do it, report it to the MSRC:
    https://www.microsoft.com/en-us/msrc/faqs-report-an-issue
    However, in the general case you won't be able to do this.


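Both answers rest on the same precondition: the hijack only matters if a probed directory is writable by someone below the administrator tier. The following PowerShell check is an added example, not code from the thread or from Microsoft; it audits a list of probe directories for write rights granted to principals other than SYSTEM, Administrators and TrustedInstaller. The paths in `$ProbeDirs` are constructed placeholders standing in for the ones visible in the screenshot.

```powershell
# Added example (not from the thread): audit which directories an app probes
# for assemblies and report any that grant write access to principals other
# than the admin-tier ones. A user-writable probe directory is the precondition
# the question asks about; the Program Files rule in the first answer is what
# normally removes it. $ProbeDirs values are constructed placeholders standing
# in for the paths seen in the screenshot.

$ProbeDirs = @(
    'C:\Program Files\WindowsApps\Contoso.ExampleApp_1.0.0.0_x64__placeholder',
    "$env:LOCALAPPDATA\Packages\Contoso.ExampleApp_placeholder\LocalState"
)

# Principals expected to hold write rights under a package directory.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Any of these rights lets a principal drop or replace a file in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in $ProbeDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        # A probed path that does not exist matters only if its parent is writable.
        Write-Output "MISSING  $dir"
        continue
    }
    try {
        $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
    } catch {
        # WindowsApps denies even ACL reads to ordinary users; report rather than guess.
        Write-Output "NO-READ  $dir ($($_.Exception.Message))"
        continue
    }
    $risky = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$WriteMask)) -ne 0 -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value
    })
    if ($risky.Count -eq 0) { Write-Output "OK       $dir"; continue }
    foreach ($r in $risky) {
        Write-Output "WRITABLE $dir by $($r.IdentityReference) ($($r.FileSystemRights))"
    }
}
```

Run it as the same non-administrative user the app runs under; a `NO-READ` result on a WindowsApps path is the expected, locked-down outcome, while a `WRITABLE` line on a directory the app probes is the finding worth fixing (or, for a mutable package directory, the trade-off the first answer describes).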