Thursday, November 25, 2010

Summary of the "Remote binary planting" talk at DeepSec by Mitja Kolsek

Remote binary planting talk
This was given by Mitja Kolsek (ACROS Security) at DeepSec. Excellent overview of this vulnerability class.

History
1998 - NSA Windows NT security guidelines
2000 - Georgi Guninski: two Office bugs
2001 - Nimda uses DLL spoofing (a planted riched20.dll next to .doc files) for propagation
2004 - Microsoft makes the safe DLL search order the default (SafeDllSearchMode, Windows XP SP2)
2008 - ACROS reports binary planting bugs to Apple, Google, Microsoft, VMware

DLL search order
What happens when LoadLibrary is called with a relative name (just "foo.dll", no path)? With the safe search order the loader walks:

1. Directory the application was loaded from
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current working directory (CWD)
6. Directories in PATH (system PATH, then user PATH)

The current working directory stands out: it is the one dangerous location.
If permissions are set correctly, malicious code can't be planted in the first four locations (they are writable only by administrators).
But the CWD can point not only to a location on the local file system; it can also be a remote share (e.g. on a server in China), which the attacker fully controls.

"Unsafe search order": before 2004 the current working directory was location #2.
The safe search order moved the CWD down to #5. That only helps when the DLL actually exists in one of the first four locations; if it is not there, the search still reaches the CWD.

Causes for not finding DLLs in the primary locations:
1. Programmer checks for local capabilities by trying to load a library (a failed LoadLibrary is the feature test)
2. Some DLLs are present on one OS version but not another (dwmapi.dll: on Vista/7, not on XP); Visual Studio-built applications pick this up
3. Custom/partial installs
4. Backward compatibility
5. Forward compatibility
6. Application written so that it finds its binaries via PATH
7. OS porting (code written for another OS, loading on Windows)
8. Wrong assumptions about installed components: media players assuming codecs are available on the system
9. Incomplete uninstalls
10. ....

3rd-party components: they bring their own DLL loads, with the same problems.

3-step attack:

1. Plant a malicious DLL (e.g. on a remote Windows share)
2. Somehow get the vulnerable app on the user's computer to set its CWD to the location of the DLL
3. Wait (for the app to attempt the load)

How to get the working directory set
1. Double-clicking a file in Explorer (e.g. on a remote share) automatically sets the CWD of the launched app to that file's directory
2. File Open / File Save dialogs (browsing to a folder changes the CWD)
3. Some apps change the CWD to the last open/save location
4. cmd.exe: cd command

Further talk sections: 8. Local privilege escalation; 9. Advanced binary planting attacks

Internal network attack: malicious.dll on a share.
Do your firewalls block outbound SMB? Usually yes, but what about WebDAV traffic?

\\hack.attacker.dom\Share: the attacker sets up a web server, enables WebDAV, and exposes the share through it. Then: "Hi John, check out this document."

The WebClient service on Windows workstations: if the SMB protocol doesn't reach that share (port 445 blocked), the same UNC path is retried over WebDAV (HTTP), which the firewall typically lets through.

=> Demo: two clicks on a web page.
Address Book (wab.exe)

Double-click a VCF file on the share: wab.exe loads wab32res.dll from \\demo\wab32res.dll
Process Monitor (Sysinternals) shows the search-order probes for the DLL.
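A small triage script for a Process Monitor CSV export, added here as an example; it is not the ACROS detector or anything shown in the talk. It replays the probe sequence Procmon shows for the Address Book demo: CreateFile on the module name in each trusted directory returning NAME NOT FOUND, then a hit on the share. The log lines, the wab.exe application directory (C:\Program Files\Windows Mail) and the share \\demo\share are constructed for the illustration.

```python
"""Triage of a Process Monitor CSV export for binary-planting candidates.
Added example; not the ACROS Binary Planting Detector or code from the talk.
SAMPLE_LOG is constructed; the application directory passed to triage() is
assumed. Procmon's default CSV columns are used:
Time of Day, Process Name, PID, Operation, Path, Result, Detail.
"""
import csv
import io
from collections import defaultdict

# Directories that sit before the CWD in the safe DLL search order. A module
# whose probes all miss here and then continue elsewhere is loadable from the
# CWD or PATH, i.e. plantable.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\windows"}

# Constructed Procmon export: wab.exe walks the search order for wab32res.dll
# and finally finds it on an attacker share; notepad.exe is a clean control.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:02:12.9000","explorer.exe","1234","CreateFile","C:\Program Files\Windows Mail\wab.exe","SUCCESS","Desired Access: Execute/Traverse"
"11:02:13.0001","wab.exe","2140","CreateFile","C:\Program Files\Windows Mail\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:02:13.0002","wab.exe","2140","CreateFile","C:\Windows\System32\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:02:13.0003","wab.exe","2140","CreateFile","C:\Windows\System\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:02:13.0004","wab.exe","2140","CreateFile","C:\Windows\wab32res.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"11:02:13.0005","wab.exe","2140","CreateFile","\\demo\share\wab32res.dll","SUCCESS","Desired Access: Read Attributes"
"11:02:13.0006","wab.exe","2140","RegOpenKey","HKLM\Software\Microsoft\WAB","SUCCESS",""
"11:02:14.0001","notepad.exe","3320","CreateFile","C:\Windows\System32\msftedit.dll","SUCCESS","Desired Access: Read Attributes"
'''


def triage(csv_text, app_dirs):
    """Return one finding per (process, module) whose load attempt left the
    trusted directories (application dir, System32, System, Windows) before
    succeeding. 'remote' marks a UNC directory: the remote planting case."""
    trusted = {d.lower().rstrip("\\") for d in SYSTEM_DIRS | set(app_dirs)}
    probes = defaultdict(list)            # (process, module) -> [(directory, result)] in log order
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith((".dll", ".exe")):
            continue
        directory, _, module = path.rpartition("\\")
        probes[(row["Process Name"], module.lower())].append((directory, row["Result"]))

    findings = []
    for (process, module), seq in probes.items():
        for directory, result in seq:
            if directory.lower().rstrip("\\") in trusted:
                if result == "SUCCESS":
                    break                 # satisfied from a trusted location: not plantable
                continue                  # NAME NOT FOUND in a trusted dir: loader keeps walking
            findings.append({             # first probe outside the trusted set
                "process": process, "module": module, "directory": directory,
                "result": result, "remote": directory.startswith("\\\\"),
            })
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, [r"C:\Program Files\Windows Mail"]):
        where = "REMOTE share" if f["remote"] else "local dir"
        print(f'{f["process"]} -> {f["module"]} from {where} {f["directory"]} ({f["result"]})')
```

Run it against a real export with `Procmon /OpenLog trace.pml /SaveAs trace.csv` and pass the directory each monitored application was started from; a finding whose result is NAME NOT FOUND is still worth reporting, since it means the loader probed a location the attacker may later populate.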

Binary planting goes "EXE"

When an application starts an executable by a non-absolute name (CreateProcess / ShellExecute with just a file name), the CWD is #2 in that search path, even with the safe DLL search order in effect.
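The DLL search order listed earlier and the EXE (CreateProcess) order just noted, modelled as a runnable walk over a constructed filesystem snapshot. This is an added example, not code from the talk or from ACROS. The application directory, the share \\hack.attacker.dom\Share (the name used in the WebDAV section above), and the modules codec.dll, dwmapi.dll and helper.exe are assumed for the illustration; dwmapi.dll stands in for the "present on Vista, absent on XP" case from the causes list.

```python
"""DLL/EXE search-order walk. Added example; not code from the talk or from
ACROS. It resolves a relative module name against a constructed filesystem
snapshot so the role of the current working directory (CWD), and of a CWD
that is a remote share, can be seen without a Windows box. All paths, share
names and module names below are made up.
"""
from typing import Iterable

SYSTEM32 = r"C:\Windows\System32"
SYSTEM = r"C:\Windows\System"      # 16-bit system directory, still on the list
WINDIR = r"C:\Windows"


def dll_search_order(app_dir: str, cwd: str, path_dirs: Iterable[str], safe: bool = True) -> list:
    """Directories LoadLibrary walks for a relative name.
    safe=True  : SafeDllSearchMode (default since Windows XP SP2): CWD is #5.
    safe=False : the pre-2004 'unsafe' order: CWD is #2.
    KnownDLLs (kernel32, user32, ...) are mapped from the \\KnownDlls section
    and never go through this walk, so they are not plantable this way."""
    if safe:
        return [app_dir, SYSTEM32, SYSTEM, WINDIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32, SYSTEM, WINDIR, *path_dirs]


def exe_search_order(app_dir: str, cwd: str, path_dirs: Iterable[str]) -> list:
    """CreateProcess with a non-absolute executable name: CWD is #2 in every
    mode, which is why EXE planting is worse than DLL planting."""
    return [app_dir, cwd, SYSTEM32, SYSTEM, WINDIR, *path_dirs]


def probe(name, order, present):
    """List of (candidate_path, found) the loader would try, in order,
    stopping at the first hit. This is the sequence Process Monitor shows as
    CreateFile -> NAME NOT FOUND ... SUCCESS."""
    present_lc = {p.lower() for p in present}    # NTFS/SMB names are case-insensitive
    trace = []
    for d in order:
        candidate = d.rstrip("\\") + "\\" + name
        hit = candidate.lower() in present_lc
        trace.append((candidate, hit))
        if hit:
            break
    return trace


def resolve(name, order, present):
    """Path the loader would end up using, or None if the name is unresolvable."""
    trace = probe(name, order, present)
    return trace[-1][0] if trace and trace[-1][1] else None


def is_remote(path):
    """A UNC path means the module would be fetched over SMB (or WebDAV)."""
    return path is not None and path.startswith("\\\\")


def scenario(safe=True):
    """A process whose CWD has been pushed to an attacker's share, e.g. by
    double-clicking a document that lives there. codec.dll has a legitimate
    copy in System32; dwmapi.dll models the 'present on Vista, absent on XP'
    case, so nothing legitimate shadows the planted copy; helper.exe is a
    helper the app spawns by bare name. All names are assumed."""
    app_dir = r"C:\Program Files\VulnApp"
    cwd = r"\\hack.attacker.dom\Share"
    path_dirs = [r"C:\Windows\System32\Wbem"]
    present = {
        app_dir + r"\vulnapp.exe",
        SYSTEM32 + r"\codec.dll",      # legitimate
        SYSTEM32 + r"\helper.exe",     # legitimate
        cwd + r"\codec.dll",           # planted
        cwd + r"\dwmapi.dll",          # planted, nothing to shadow it
        cwd + r"\helper.exe",          # planted
        cwd + r"\document.doc",        # the lure
    }
    dll_order = dll_search_order(app_dir, cwd, path_dirs, safe)
    exe_order = exe_search_order(app_dir, cwd, path_dirs)
    return {
        "codec.dll": resolve("codec.dll", dll_order, present),
        "dwmapi.dll": resolve("dwmapi.dll", dll_order, present),
        "helper.exe": resolve("helper.exe", exe_order, present),
    }


if __name__ == "__main__":
    for safe in (True, False):
        print("SafeDllSearchMode" if safe else "unsafe (pre-2004) order")
        for name, path in scenario(safe).items():
            print(f"  {name:12s} -> {path}  remote={is_remote(path)}")
```

The walk makes the talk's three points visible at once: the safe order protects codec.dll (a legitimate copy exists before the CWD), it does nothing for dwmapi.dll (no legitimate copy, so the first hit is the share), and helper.exe is taken from the share in every mode because the EXE order puts the CWD second.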

Q: Did you try doing anything similar on Linux with shared objects?

ACROS inspected 200+ Windows applications:
at least one exploitable binary planting issue in almost every one!

Tool for detecting binary planting:

ACROS Binary Planting Detector (found 400+ DLL planting and 120+ EXE planting issues)
~100 affected vendors listed at Secunia

Mitigation: block outbound SMB and WebDAV traffic on the corporate firewall (blocking SMB alone is not enough because of the WebDAV fallback).
- Test your exposure to remote binary planting attacks.


