Remote binary planting talk
This was given by Mitja Kolsek at DeepSec. Excellent overview of this vulnerability.
1998 - nsa windows nt security guidelines
2000 -georgi guninski : two office bugs
2001 - nimda uses dll spoofing for propagation
2006 - microsoft introduces safe search order
2008 - acros reports bp bugs to apple, google, microsoft, vmware
DLL search order
How about when LoadLibrary is called with a relative name?
1. Dir where app loaded
5. Current working directory (CWD)
6. System path; User path
Current working directory stands out. This is a dangerous location.
If permissions set correctly, first 4 locations malicious code can't be planted there.
But CWD can not only point to loc on local file system but also can point to remote share (e.g. on a server in China).
"Unsafe search order" before 2004, current working directory was in location #2.
Safe search order changed to put CWD in #5.
Causes for not finding DLLs in primary locations.
1. Programmer checks for local capabilities by trying to load a library
2. Some DLLs are present on OS1 but not OS2 (dwmapi.dll) - with visual studio
3. Custom/partial installs
4. Backward compatibility
5. Forward compatibility
6. Application written so that it finds its binaries in PATH.
7. OS porting (loading linuxlib.so.1. on Windows)
8. Wrong assumptions about installed components - media players assuming codecs are available on the system.
9. Incomplete uninstalls.
3rd party components
1. Plant a malicious DLL (eg remote windows share)
2. Somehow get vulnerable app on user's computer to set CWD to location of DLL
How to set working directory
1. Double clicking a file in explorer (in remote share) (automatically sets cwd of launched app to that location)
2. File open, File save dialogs
3. Some apps change CWD to last open/save
4. cmd.exe : cd command
8. Local priv escalation
9. Advanced binary planting attacks
Internal network attack... malicious.dll
Do your firewalls block SMB? Yes, but what about WEBDAV traffic?
\\hack.attacker.dom\Share --- sets up web server, enables WebDAV, sets up share on the server... Hi john checkout this document.
WebClient service.. on windows workstations. If SMB protocol doesnt reach that share, then WebClient is going to try WebDAV.
=> click twice on the webpage
Double click VCF file \\192.168.0.133\demo\web32res.dll
Process Monitor - SysInternals
Binary Planting - Goes "EXE"
Searching for non-absolute exe.
Looks in CWD as #2 in the search path.
Q: did you try doing anything similar in Linux with shared objects?
Inspected 200+ Windows applications
At least one exploitable binary planting issue in almost every one!
Tool for detecting binary planting.
ACROS binary planting detector (DLL planting: 400+, exe planting 120+)
~100 affected vendors at Secunia
Block outbound SMB, WebDAV traffic on corporate firewall.
- test your exposure to remote binary planting attacks
Thursday, November 25, 2010