Remote Binary Planting
An Overlooked Vulnerability Affair
Mitja Kolsek, ACROS d.o.o.
Session ID: HT2-401
Session Classification: Advanced
Agenda
The Vulnerability
The Attack
Our Research
What Can You Do?
The Vulnerability
Vulnerability Superstar
1. Arbitrary Code Execution
2. Easy to Find
3. Easy to Exploit
4. Reliable
5. No Privileges
6. Remote
7. Works Through Firewalls
100,000,000,000
Misunderstood
Underestimated
Downplayed
Ignored
Forgotten
Quasi-Addressed
Still Ignored
Unfixed
The Life of Binary Planting
1998 NSA: Windows NT Security Guidelines
2000 Georgi Guninski: Two Office bugs
2001 Nimda uses “DLL spoofing” for propagation
2004 Microsoft introduces “safe search order”
2005 “DLL Spoofing in Windows” paper (local attack)
2008 David LeBlanc: “DLL Preloading Attacks” article
2009-2010 ACROS reports BP bugs to many vendors
Apr 2010 Phone conference with Microsoft
Meanwhile... Microsoft preparing remedy; 520+ bugs in stock
Aug 18, 2010 Apple fixes iTunes, ACROS publishes ASPR
Same day The cat gets “out of the bug”
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
IQ Test: Find the Misfit
1 2 3 4 5
World-Wide DLL (diagram: DLL, you, bad guy)
It Was Even Worse Before 2004
“UNSAFE” Search Order
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH
“Safe” DLL Search Order
Safe? Really?
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
Causes For Not Finding DLLs in Primary Locations
Programmer checks for local capabilities by trying to load a library
Some DLLs are present on OS1 but not on OS2 (dwmapi.dll)
Custom/partial installs
Backward compatibility
Forward compatibility
Application written so that it finds its binaries in PATH
O/S porting (loading “linuxlib.so.1” on Windows)
Assumptions about installed components
Incomplete uninstalls
...
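The following is an added example, not code from the presentation: a Python model of the two search orders listed in the preceding slides, used to show why a DLL that is missing from the primary locations (the dwmapi.dll case above) ends up being taken from the CWD, and what the two mitigations mentioned later in the deck (SetDllDirectory("") and the CWDIllegalInDllSearch hotfix) change. The hotfix values 1, 2 and 0xFFFFFFFF follow the Microsoft KB 2264107 article linked in the Resources slide; every directory, file name and the fake filesystem are constructed for illustration.

```python
"""Model of the Windows DLL search orders shown in the slides.

Constructed example, not code from the presentation: it resolves a bare
LoadLibrary("name.dll") against a fake filesystem and reports which search
slot supplies the DLL, so the effect of the CWD slot and of the two
mitigations (SetDllDirectory(""), the CWDIllegalInDllSearch hotfix) can be
compared offline. All directory and file names are made up.
"""
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_SLOTS = [
    ("system32", r"C:\Windows\System32"),
    ("system", r"C:\Windows\System"),
    ("windows", r"C:\Windows"),
]


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe: bool) -> List[Tuple[str, str]]:
    """Ordered (slot, directory) pairs for the two historical search orders."""
    path_slots = [("path", d) for d in path_dirs]
    if safe:
        # "safe" order since 2004: CWD demoted to 5th place, but still searched
        return [("app", app_dir)] + SYSTEM_SLOTS + [("cwd", cwd)] + path_slots
    # pre-2004 "unsafe" order: CWD searched right after the application directory
    return [("app", app_dir), ("cwd", cwd)] + SYSTEM_SLOTS + path_slots


def is_remote(directory: str) -> bool:
    """UNC paths (two leading backslashes) are remote shares."""
    return directory.startswith("\\\\")


def cwd_searched(cwd: str, cwd_illegal_in_dll_search: int,
                 cwd_is_webdav: bool) -> bool:
    """CWDIllegalInDllSearch policy, modelled on the values in KB 2264107:
    0xFFFFFFFF never search CWD; 2 skip CWD when it is remote (UNC or WebDAV);
    1 skip CWD when it is a WebDAV folder; 0 (default) always search CWD."""
    if cwd_illegal_in_dll_search == 0xFFFFFFFF:
        return False
    if cwd_illegal_in_dll_search == 2 and (is_remote(cwd) or cwd_is_webdav):
        return False
    if cwd_illegal_in_dll_search == 1 and cwd_is_webdav:
        return False
    return True


def resolve(dll: str, fs: Dict[str, Set[str]], app_dir: str, cwd: str,
            path_dirs: List[str], *, safe: bool = True,
            set_dll_directory_empty: bool = False,
            cwd_illegal_in_dll_search: int = 0,
            cwd_is_webdav: bool = False) -> Optional[Tuple[str, str]]:
    """Return the (slot, directory) that would supply `dll`, or None.

    `fs` maps a directory to the set of file names it contains. Only the CWD
    slot is removed by SetDllDirectory("") or the hotfix; if CWD happens to
    equal the application directory, the "app" slot is still searched."""
    skip_cwd = set_dll_directory_empty or not cwd_searched(
        cwd, cwd_illegal_in_dll_search, cwd_is_webdav)
    wanted = dll.lower()
    for slot, directory in search_order(app_dir, cwd, path_dirs, safe):
        if slot == "cwd" and skip_cwd:
            continue
        if wanted in {name.lower() for name in fs.get(directory, set())}:
            return slot, directory
    return None


# Constructed XP-like machine: dwmapi.dll (a Vista-era DLL) is absent from the
# system directories, and the user has just opened a document on a file share,
# which made that share the process's CWD.
APP_DIR = r"C:\Program Files\App"
CWD = r"\\fileserver\public"
PATH_DIRS = [r"C:\Tools"]
FS: Dict[str, Set[str]] = {
    APP_DIR: {"app.exe", "helper.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    CWD: {"report.doc", "dwmapi.dll", "kernel32.dll"},
}


def report() -> Dict[str, Optional[Tuple[str, str]]]:
    """Resolve the sample DLLs under the configurations the slides compare."""
    return {
        "kernel32 / safe order": resolve("kernel32.dll", FS, APP_DIR, CWD, PATH_DIRS),
        "kernel32 / unsafe order": resolve("kernel32.dll", FS, APP_DIR, CWD, PATH_DIRS, safe=False),
        "dwmapi / safe order": resolve("dwmapi.dll", FS, APP_DIR, CWD, PATH_DIRS),
        "dwmapi / SetDllDirectory(\"\")": resolve("dwmapi.dll", FS, APP_DIR, CWD, PATH_DIRS, set_dll_directory_empty=True),
        "dwmapi / hotfix 0xFFFFFFFF": resolve("dwmapi.dll", FS, APP_DIR, CWD, PATH_DIRS, cwd_illegal_in_dll_search=0xFFFFFFFF),
        "dwmapi / hotfix 2 (remote CWD)": resolve("dwmapi.dll", FS, APP_DIR, CWD, PATH_DIRS, cwd_illegal_in_dll_search=2),
    }


if __name__ == "__main__":
    for case, hit in report().items():
        print(f"{case:32} -> {hit if hit else 'not found'}")
```

The model makes the point of the "Safe? Really?" slide concrete: demoting CWD to fifth place protects kernel32.dll, which the system directories always supply, but does nothing for a DLL that the earlier slots simply do not have. Note also that hotfix value 1 only covers WebDAV folders, so a UNC share as CWD is still searched under that setting.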
Malicious DLL
DllMain() function – almost always works!
Modify original DLL
Create a look-alike DLL
The Attack
3-Step Attack Scenario
1. Plant a malicious DLL
2. Set CWD to location of the DLL
3. Wait
Setting The Current Working Directory
1. Double-clicking a file in Explorer
2. File Open, File Save dialogs
3. Last open/save location
4. cmd.exe: cd command
5. File explorers
6. CreateProcess, ShellExecute
7. New process inherits parent’s CWD
8. Shortcuts
9. ...
Internal Network Attack
Local Goes Remote
Internet Attack - WebDAV “Magic”
Attack Vectors
1. Clicking on a link in browser
2. Clicking on a link in e-mail
3. Clicking on a link in IM message
4. Planting a DLL on a file server
5. Document and DLL in a ZIP archive
6. Document and DLL on a USB stick
7. Document and DLL on CD/DVD
8. Local privilege escalation
9. Advanced binary planting attacks
Binary Planting Demo
Binary Planting Goes “EXE”
Searching for Non-Absolute EXEs
CreateProcess(“SomeApp.exe”)
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH
Searching for Non-Absolute EXEs
ShellExecute(“SomeApp.exe”)
The directory from which the application loaded
Current Working Directory (CWD)
C:\Windows\System32
C:\Windows\System
C:\Windows
PATH
Searching for Non-Absolute EXEs
_spawn*p* and _exec*p*
The directory from which the application loaded
1. Current Working Directory (CWD)
2. C:\Windows\System32
C:\Windows\System
3. C:\Windows
4. PATH
Our Research
Research Summary
Inspected 200+ Windows applications
At least one exploitable Binary Planting issue in almost every one!
(And we barely scratched the surface)
Recorded 520+ Binary Planting issues
Tool for detecting Binary Planting vulnerabilities
GUI, monitoring processes
Automated exploitation
Ability to directly debug vulnerable code
Binary Planting Detector
Score – DLL and EXE Plantings
120+
400+
How Many Bugs?!?
100,000,000,000
XP ~1340m, Vista ~400m, Windows 7 ~150m, ...
11,000 times the number of bicycles in Beijing
100s on every Windows computer
10,000s of ways to break into any bank
... or competitor’s network
... or government agency
... or national infrastructure
Affected Vendors
Microsoft
Apple
Google
VMware
IBM
Siemens
Mozilla
Adobe
Avast
Autodesk
Sophos
PGP
...
... 100+ at Secunia
... 100+ from our research
What Can You Do?
APPLY! Recommendations for Developers
Use absolute paths to libraries and executables
Don’t make “let’s see if it’s there” LoadLibrary* calls
Don’t plan on finding your DLL/EXE in CWD or PATH
Set CWD to a safe location at startup
Use SetDllDirectory(“”) at startup
Don’t use SearchPath function for locating DLLs
Check your product with Process Monitor or another tool
Test with CWDIllegalInDllSearch hotfix set to "max"
Do this for all modules of your product!
http://www.binaryplanting.com/guidelinesDevelopers.htm
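As an added example of the "check your product with Process Monitor" step (not a tool from the presentation or from ACROS), the Python below triages a Process Monitor capture for DLL loads that fall outside the application and system directories. The log lines are constructed and follow the default Process Monitor CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the application directory, process name and file names are assumptions. Every NAME NOT FOUND probe for a .dll in a directory other than the application and system directories is a location that a planted copy would be loaded from, and a successful Load Image from such a directory is a load that already came from CWD or PATH.

```python
"""Triage a Process Monitor capture for DLL loads that fall outside the
application and system directories, which is the binary-planting exposure the
slides recommend checking with Process Monitor.

Constructed example, not a tool from the presentation. The log lines are made
up and follow the default Process Monitor CSV export layout (Time of Day,
Process Name, PID, Operation, Path, Result, Detail); the application directory
is an assumption.
"""
import csv
import io
import ntpath
from typing import Dict

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
APP_DIR = r"C:\Program Files\App"

# Constructed capture: app.exe was started by double-clicking a document on a
# mapped network drive (Z:), so Z:\shared\docs is its CWD. helper.dll is found
# in the application directory; dwmapi.dll is probed everywhere and never
# found; plugin.dll is missing from the trusted directories and loads from CWD.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","app.exe","1234","CreateFile","C:\Program Files\App\helper.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0002","app.exe","1234","Load Image","C:\Program Files\App\helper.dll","SUCCESS","Image Base: 0x10000000"
"10:01:02.0010","app.exe","1234","CreateFile","C:\Program Files\App\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0011","app.exe","1234","CreateFile","C:\Windows\System32\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0012","app.exe","1234","CreateFile","C:\Windows\System\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0013","app.exe","1234","CreateFile","C:\Windows\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0014","app.exe","1234","CreateFile","Z:\shared\docs\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0015","app.exe","1234","CreateFile","C:\Tools\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0020","app.exe","1234","CreateFile","C:\Program Files\App\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0021","app.exe","1234","CreateFile","C:\Windows\System32\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0022","app.exe","1234","CreateFile","C:\Windows\System\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0023","app.exe","1234","CreateFile","C:\Windows\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0024","app.exe","1234","CreateFile","Z:\shared\docs\plugin.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0025","app.exe","1234","Load Image","Z:\shared\docs\plugin.dll","SUCCESS","Image Base: 0x10200000"
"10:01:03.0000","explorer.exe","800","CreateFile","C:\Windows\System32\shell32.dll","SUCCESS","Desired Access: Read Attributes"
'''


def _norm(directory: str) -> str:
    return directory.lower().rstrip("\\")


def is_trusted_dir(directory: str, app_dir: str = APP_DIR) -> bool:
    """The application directory and the three system directories: slots a
    planted file cannot reach without write access to them."""
    return _norm(directory) in {_norm(d) for d in [app_dir] + SYSTEM_DIRS}


def triage(csv_text: str, process: str, app_dir: str = APP_DIR) -> Dict[str, dict]:
    """Per-DLL findings for `process`: the untrusted directories probed for it
    (each NAME NOT FOUND there is a place a planted copy would be loaded from)
    and the directory it was finally loaded from, if any."""
    findings: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        directory, name = ntpath.split(row["Path"])
        name = name.lower()
        if not name.endswith(".dll"):
            continue
        entry = findings.setdefault(name, {"untrusted_probes": [], "loaded_from": None})
        if row["Result"] == "NAME NOT FOUND" and not is_trusted_dir(directory, app_dir):
            if directory not in entry["untrusted_probes"]:
                entry["untrusted_probes"].append(directory)
        elif row["Result"] == "SUCCESS" and row["Operation"] == "Load Image":
            entry["loaded_from"] = directory
    # keep only DLLs with an exposure
    return {
        name: entry for name, entry in findings.items()
        if entry["untrusted_probes"]
        or (entry["loaded_from"] and not is_trusted_dir(entry["loaded_from"], app_dir))
    }


def classify(entry: dict, app_dir: str = APP_DIR) -> str:
    """Severity label for one finding."""
    if entry["loaded_from"] and not is_trusted_dir(entry["loaded_from"], app_dir):
        return "loaded from untrusted directory"
    if entry["loaded_from"] is None:
        return "never found; a planted copy in any probed directory would load"
    return "found in trusted directory after probing untrusted ones"


if __name__ == "__main__":
    for dll, finding in triage(PROCMON_CSV, "app.exe").items():
        print(f"{dll}: {classify(finding)}")
        for probed in finding["untrusted_probes"]:
            print(f"    probed: {probed}")
```

In a real run, export the Process Monitor capture to CSV and pass the product's process name; the dwmapi.dll pattern (probed in every slot, never found) is exactly the "let's see if it's there" LoadLibrary call the slide warns against, and repeating the capture with the CWDIllegalInDllSearch hotfix at its maximum setting should make the CWD probe disappear while the PATH probe remains.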
APPLY! Recommendations for Administrators
Install Microsoft’s Hotfix, remember to configure it
Disable “Web Client” service
Windows Software Restriction Policy, Windows AppLocker (enable DLL)
Personal firewall with process and connection blocking
Block outbound SMB on corporate firewall
Block outbound WebDAV on corporate firewall
Limit internal SMB, WebDAV traffic
Restrict write access on file repositories to prevent planting
http://www.binaryplanting.com/guidelinesAdministrators.htm
APPLY! Recommendations for Users
Be careful when using USB sticks, CDs, DVDs from unknown sources
Think before double-clicking on anything presented to you
If in doubt, transfer the data file (alone) to local drive and open it
Alert your administrators about binary planting
Resources
www.binaryplanting.com
blog.acrossecurity.com
http://support.microsoft.com/kb/2264107
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://securityxploded.com/dllhijackauditor.php
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://secunia.com/advisories/windows_insecure_library_loading/
Google “binary planting”, “dll hijacking”, “dll preloading”
Public Binary Planting Tools
DLLHijackAuditKit
www.binaryplanting.com/test.htm
Mitja Kolsek
ACROS d.o.o.
www.acrossecurity.com
BP-Positive vs. CWD-Addicted