Remote Binary Planting
An Overlooked Vulnerability Affair

Mitja Kolsek
ACROS d.o.o.

Session ID: HT2-401
Session Classification: Advanced

Agenda

The Vulnerability
The Attack
Our Research
What Can You Do?

The Vulnerability

Vulnerability Superstar

1. Arbitrary Code Execution
2. Easy to Find
3. Easy to Exploit
4. Reliable
5. No Privileges
6. Remote
7. Works Through Firewalls

100,000,000,000

Misunderstood

Underestimated

Downplayed

Ignored

Forgotten

Quasi-Addressed

Still Ignored

Unfixed

The Life of Binary Planting

1998 NSA: Windows NT Security Guidelines
2000 Georgi Guninski: Two Office bugs
2001 Nimda uses “DLL spoofing” for propagation
2004 Microsoft introduces “safe search order”
2005 “DLL Spoofing in Windows” paper (local attack)
2008 David LeBlanc: “DLL Preloading Attacks” article
2009-2010 ACROS reports BP bugs to many vendors
Apr 2010 Phone conference with Microsoft
Meanwhile... Microsoft preparing remedy
520+ bugs in stock
Aug 18, 2010 Apple fixes iTunes, ACROS publishes ASPR
Same day The cat gets “out of the bug”

DLL Search Order

LoadLibrary(“SomeLib.dll”)

1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH

IQ Test: Find the Misfit

1 2 3 4 5

DLL Search Order

LoadLibrary(“SomeLib.dll”)

1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)   <- the misfit
6. PATH

World-Wide DLL

(diagram: a DLL reachable by both you and the bad guy)

It Was Even Worse Before 2004

“UNSAFE” Search Order

1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH

“Safe” DLL Search Order

Safe? Really?

1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH

Causes For Not Finding DLLs in Primary Locations

Programmer checks for local capabilities by trying to load a library
Some DLLs are present on OS1 but not on OS2 (dwmapi.dll)
Custom/partial installs
Backward compatibility
Forward compatibility
Application written so that it finds its binaries in PATH
O/S porting (loading “linuxlib.so.1” on Windows)
Assumptions about installed components
Incomplete uninstalls
...
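The search-order slides above and the dwmapi.dll case just listed can be walked through in code. This Python model is an added example, not the deck's or ACROS's code: it simulates the directories a LoadLibrary("dwmapi.dll") call probes under the pre-2004 and the 2004 “safe” order, and what removing CWD via SetDllDirectory("") or the CWDIllegalInDllSearch hotfix (from the developer recommendations later in the deck) changes. The application directory, the PATH entry, the share name and both file systems are constructed.

```python
"""Model of the Windows DLL search order from the slides. LoadLibrary is not
called; the directory probing it performs is simulated over a constructed file
system, so the pre-2004 "unsafe" order, the 2004 "safe" order and the effect of
SetDllDirectory("") / the CWDIllegalInDllSearch hotfix can be compared."""
from pathlib import PureWindowsPath as P

APP_DIR = P(r"C:\Program Files\SomeApp")                          # assumed application dir
SYSTEM_DIRS = [P(r"C:\Windows\System32"), P(r"C:\Windows\System"), P(r"C:\Windows")]
PATH_DIRS = [P(r"C:\Tools")]                                      # constructed PATH entry
SHARE = P(r"\\untrusted-host\docs")   # constructed: remote folder a document was opened from (becomes CWD)

# Constructed file systems. dwmapi.dll ships with Vista and later but not with XP,
# the slides' example of a DLL absent from the primary locations. Both hosts see
# a look-alike dwmapi.dll next to the document on the share.
VISTA_FILES = {SYSTEM_DIRS[0] / "dwmapi.dll", SHARE / "report.doc", SHARE / "dwmapi.dll"}
XP_FILES = {SHARE / "report.doc", SHARE / "dwmapi.dll"}

def search_order(cwd, safe=True, cwd_removed=False):
    """Directories probed for LoadLibrary("name.dll"), in order.

    safe=False  : pre-2004 order, CWD right after the application directory
    safe=True   : 2004+ "safe" order, CWD demoted behind the system directories
    cwd_removed : SetDllDirectory("") or CWDIllegalInDllSearch, CWD not probed at all
    """
    order = [APP_DIR]
    if not safe and not cwd_removed:
        order.append(cwd)
    order += SYSTEM_DIRS
    if safe and not cwd_removed:
        order.append(cwd)
    return order + PATH_DIRS

def resolve(name, files, cwd, **opts):
    """First directory in the search order holding `name`, or None (load fails)."""
    for d in search_order(cwd, **opts):
        if d / name in files:
            return d
    return None

if __name__ == "__main__":
    # The "safe" order protects a DLL that exists in System32 (Vista) but not one
    # that is missing there (XP); only removing CWD from the search closes the gap.
    for host, files in (("Vista", VISTA_FILES), ("XP", XP_FILES)):
        for opts in ({"safe": False}, {}, {"cwd_removed": True}):
            print(host, opts or "safe", "->", resolve("dwmapi.dll", files, SHARE, **opts))
```

The XP run shows the slide's point: with dwmapi.dll absent from every primary location, the “safe” order still resolves it from CWD, and only removing CWD turns the planting into a plain failed load the application must handle.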

Malicious DLL

DllMain() function – almost always works!
Modify original DLL
Create a look-alike DLL

The Attack

3-Step Attack Scenario

1. Plant a malicious DLL
2. Set CWD to location of the DLL
3. Wait

Setting The Current Working Directory

1. Double-clicking a file in Explorer
2. File Open, File Save dialogs
3. Last open/save location
4. cmd.exe: cd command
5. File explorers
6. CreateProcess, ShellExecute
7. New process inherits parent’s CWD
8. Shortcuts
9. ...

Internal Network Attack

Local Goes Remote

Internet Attack - WebDAV “Magic”

Attack Vectors

1. Clicking on a link in browser
2. Clicking on a link in e-mail
3. Clicking on a link in IM message
4. Planting a DLL on a file server
5. Document and DLL in a ZIP archive
6. Document and DLL on a USB stick
7. Document and DLL on CD/DVD
8. Local privilege escalation
9. Advanced binary planting attacks

Binary Planting Demo

Binary Planting Goes “EXE”

Searching for Non-Absolute EXEs

CreateProcess(“SomeApp.exe”)

1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH

Searching for Non-Absolute EXEs

ShellExecute(“SomeApp.exe”)

The directory from which the application loaded
Current Working Directory (CWD)
C:\Windows\System32
C:\Windows\System
C:\Windows
PATH

Searching for Non-Absolute EXEs

_spawn*p* and _exec*p*

The directory from which the application loaded
1. Current Working Directory (CWD)
2. C:\Windows\System32
C:\Windows\System
3. C:\Windows
4. PATH

Our Research

Research Summary

Inspected 200+ Windows applications
At least one exploitable Binary Planting issue in almost every one!
(And we barely scratched the surface)

Recorded 520+ Binary Planting issues

Tool for detecting Binary Planting vulnerabilities
GUI, monitoring processes
Automated exploitation
Ability to directly debug vulnerable code

Binary Planting Detector

Score – DLL and EXE Plantings

120+

400+

How Many Bugs?!?

XP ~1340m, Vista ~400m, Windows 7 ~150m, ...

100,000,000,000
11,000 times the number of bicycles in Beijing
100s on every Windows computer
10,000s of ways to break into any bank
... or competitor’s network
... or government agency
... or national infrastructure

Affected Vendors

Microsoft
Apple
Google
VMware
IBM
Siemens
Mozilla
Adobe
Avast
Autodesk
Sophos
PGP
...

... 100+ at Secunia
... 100+ from our research

What Can You Do?

APPLY! Recommendations for Developers

Use absolute paths to libraries and executables
Don’t make “let’s see if it’s there” LoadLibrary* calls
Don’t plan on finding your DLL/EXE in CWD or PATH
Set CWD to a safe location at startup
Use SetDllDirectory(“”) at startup
Don’t use SearchPath function for locating DLLs
Check your product with Process Monitor or another tool
Test with CWDIllegalInDllSearch hotfix set to "max"
Do this for all modules of your product!

http://www.binaryplanting.com/guidelinesDevelopers.htm
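The “check your product with Process Monitor” step above can be mechanised. This Python triage is an added example, not the deck's or ACROS's detector: it reads a Process Monitor CSV export and reports every *.dll probe that reached a directory other than the application's own directory or the system directories, which is exactly the fall-through to CWD or PATH the slides describe. The log rows, the application directory and the share name are constructed, and the column layout assumed is Process Monitor's default CSV export.

```python
"""Triage of a Process Monitor CSV export for binary-planting candidates.
A CreateFile probe for *.dll that lands outside the application directory and
the system directories means the DLL was not found in the primary locations and
the search fell through to CWD or PATH: NAME NOT FOUND there is a plantable
location, SUCCESS there means the DLL was actually loaded from it."""
import csv
import io
from pathlib import PureWindowsPath as P

APP_DIR = P(r"C:\Program Files\SomeApp")                      # assumed application dir
TRUSTED = {APP_DIR, P(r"C:\Windows\System32"), P(r"C:\Windows\System"), P(r"C:\Windows")}

# Constructed export (Process Monitor's default CSV columns are assumed). The rows
# mirror the slides' dwmapi.dll case: missing from every primary location, the
# load finally succeeds in the share the user opened a document from (the CWD).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.000","SomeApp.exe","4120","CreateFile","C:\Program Files\SomeApp\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.001","SomeApp.exe","4120","CreateFile","C:\Windows\System32\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.002","SomeApp.exe","4120","CreateFile","C:\Windows\System\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.003","SomeApp.exe","4120","CreateFile","C:\Windows\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.004","SomeApp.exe","4120","CreateFile","\\untrusted-host\docs\dwmapi.dll","SUCCESS","Desired Access: Read Data"
"10:00:01.010","SomeApp.exe","4120","CreateFile","\\untrusted-host\docs\report.doc","SUCCESS","Desired Access: Read Data"
"10:00:01.020","SomeApp.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Data"
'''

def dll_probes(csv_text):
    """Yield (dll_name, directory, result) for every CreateFile of a *.dll."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = P(row["Path"])
        if row["Operation"] == "CreateFile" and path.suffix.lower() == ".dll":
            yield path.name.lower(), path.parent, row["Result"]

def probe_chain(csv_text, dll_name):
    """Directories probed for one DLL, in log order (shows the primary-location misses)."""
    return [d for name, d, _ in dll_probes(csv_text) if name == dll_name.lower()]

def triage(csv_text):
    """{dll_name: [(directory, result), ...]} for probes outside TRUSTED only."""
    findings = {}
    for name, d, result in dll_probes(csv_text):
        if d not in TRUSTED:
            findings.setdefault(name, []).append((str(d), result))
    return findings

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, "probed in", [str(d) for d in probe_chain(SAMPLE, name)])
        for directory, result in hits:
            print("  ->", directory, result)
```

Run the product once with the CWDIllegalInDllSearch hotfix at "max" and once without, as the slide suggests; a DLL that appears in the findings only in the second run is one the hotfix would have protected, one that appears in both is reached via PATH rather than CWD.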

APPLY! Recommendations for Administrators

Install Microsoft’s Hotfix, remember to configure it
Disable “Web Client” service
Windows Software Restriction Policy, Windows AppLocker (enable DLL)
Personal firewall with process and connection blocking
Block outbound SMB on corporate firewall
Block outbound WebDAV on corporate firewall
Limit internal SMB, WebDAV traffic
Restrict write access on file repositories to prevent planting

http://www.binaryplanting.com/guidelinesAdministrators.htm

APPLY! Recommendations for Users

Be careful when using USB sticks, CDs, DVDs from unknown sources
Think before double-clicking on anything presented to you
If in doubt, transfer the data file (alone) to local drive and open it
Alert your administrators about binary planting

Resources

www.binaryplanting.com
blog.acrossecurity.com
http://support.microsoft.com/kb/2264107
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://securityxploded.com/dllhijackauditor.php
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://secunia.com/advisories/windows_insecure_library_loading/

Google “binary planting”, “dll hijacking”, “dll preloading”

Public Binary Planting Tools

DLLHijackAuditKit

www.binaryplanting.com/test.htm

Mitja Kolsek
ACROS d.o.o.
www.acrossecurity.com
[email protected]

BP-Positive vs. CWD-Addicted