Remote Binary Planting - ACROS Security
Transcript of Remote Binary Planting - ACROS Security
Remote Binary Planting
An Overlooked Vulnerability Affair
Mitja Kolsek, ACROS d.o.o.
Session ID: HT2-401
Session Classification: Advanced
Agenda
The Vulnerability
The Attack
Our Research
What Can You Do?
The Vulnerability
Vulnerability Superstar
1. Arbitrary Code Execution
2. Easy to Find
3. Easy to Exploit
4. Reliable
5. No Privileges
6. Remote
7. Works Through Firewalls
100,000,000,000
Misunderstood
Underestimated
Downplayed
Ignored
Forgotten
Quasi-Addressed
Still Ignored
Unfixed
The Life of Binary Planting
1998 NSA: Windows NT Security Guidelines
2000 Georgi Guninski: Two Office bugs
2001 Nimda uses "DLL spoofing" for propagation
2004 Microsoft introduces "safe search order"
2005 "DLL Spoofing in Windows" paper (local attack)
2008 David LeBlanc: "DLL Preloading Attacks" article
2009-2010 ACROS reports BP bugs to many vendors
Apr 2010 Phone conference with Microsoft
Meanwhile... Microsoft preparing remedy, 520+ bugs in stock
Aug 18, 2010 Apple fixes iTunes, Acros publishes ASPR
Same day The cat gets "out of the bug"
DLL Search Order
LoadLibrary("SomeLib.dll")
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
IQ Test: Find the Misfit
1 2 3 4 5
World-Wide DLL
(diagram: DLL, you, bad guy)
It Was Even Worse Before 2004
"UNSAFE" Search Order
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH
"Safe" DLL Search Order
Safe? Really?
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
Causes For Not Finding DLLs in Primary Locations
Programmer checks for local capabilities by trying to load a library
Some DLLs are present on OS1 but not on OS2 (dwmapi.dll)
Custom/partial installs
Backward compatibility
Forward compatibility
Application written so that it finds its binaries in PATH
O/S porting (loading "linuxlib.so.1" on Windows)
Assumptions about installed components
Incomplete uninstalls
...
Malicious DLL
DllMain() function - almost always works!
Modify original DLL
Create a look-alike DLL
The Attack
3-Step Attack Scenario
1. Plant a malicious DLL
2. Set CWD to location of the DLL
3. Wait
Setting The Current Working Directory
1. Double-clicking a file in Explorer
2. File Open, File Save dialogs
3. Last open/save location
4. cmd.exe: cd command
5. File explorers
6. CreateProcess, ShellExecute
7. New process inherits parent's CWD
8. Shortcuts
9. ...
Internal Network Attack
Local Goes Remote
Internet Attack - WebDAV "Magic"
Attack Vectors
1. Clicking on a link in browser
2. Clicking on a link in e-mail
3. Clicking on a link in IM message
4. Planting a DLL on a file server
5. Document and DLL in a ZIP archive
6. Document and DLL on a USB stick
7. Document and DLL on CD/DVD
8. Local privilege escalation
9. Advanced binary planting attacks
Binary Planting Demo
Binary Planting Goes "EXE"
Searching for Non-Absolute EXEs
CreateProcess("SomeApp.exe")
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH
Searching for Non-Absolute EXEs
ShellExecute("SomeApp.exe")
The directory from which the application loaded
Current Working Directory (CWD)
C:\Windows\System32
C:\Windows\System
C:\Windows
PATH
Searching for Non-Absolute EXEs
_spawn*p* and _exec*p*
The directory from which the application loaded
1. Current Working Directory (CWD)
2. C:\Windows\System32
C:\Windows\System
3. C:\Windows
4. PATH
Our Research
Research Summary
Inspected 200+ Windows applications
At least one exploitable Binary Planting issue in almost every one! (And we barely scratched the surface)
Recorded 520+ Binary Planting issues
Tool for detecting Binary Planting vulnerabilities
GUI, monitoring processes
Automated exploitation
Ability to directly debug vulnerable code
Binary Planting Detector
Score - DLL and EXE Plantings
120+
400+
How Many Bugs?!?
100,000,000,000
XP ~1340m, Vista ~400m, Windows 7 ~150m, ...
11,000 times the number of bicycles in Beijing
100s on every Windows computer
10,000s of ways to break into any bank
... or competitor's network
... or government agency
... or national infrastructure
Affected Vendors
Microsoft, Apple, Google, VMware, IBM, Siemens, Mozilla, Adobe, Avast, Autodesk, Sophos, PGP, ...
... 100+ at Secunia
... 100+ from our research
What Can You Do?
APPLY! Recommendations for Developers
Use absolute paths to libraries and executables
Don't make "let's see if it's there" LoadLibrary* calls
Don't plan on finding your DLL/EXE in CWD or PATH
Set CWD to a safe location at startup
Use SetDllDirectory("") at startup
Don't use SearchPath function for locating DLLs
Check your product with Process Monitor or another tool
Test with CWDIllegalInDllSearch hotfix set to "max". Do this for all modules of your product!
http://www.binaryplanting.com/guidelinesDevelopers.htm
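The "check your product with Process Monitor" step, as an added example that is not from the ACROS slides: it reads a Process Monitor CSV export and reports every DLL or EXE the product probed for but never found in a primary search location (application directory, System32, System, Windows), which is exactly the condition from the "Causes For Not Finding DLLs" slide under which the loader falls through to the CWD and PATH. Column names follow Process Monitor's default CSV export; the sample rows, the application directory and the binary names are constructed.

```powershell
# Added example, not from the ACROS deck. Input rows come from Import-Csv on a
# Process Monitor CSV export (or ConvertFrom-Csv on the constructed sample below).
function Get-BinaryPlantingCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Rows,   # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)][string]$AppDir,   # directory the application loaded from
        [string]$SystemRoot = $env:SystemRoot
    )
    # Primary locations of the "safe" search order: app dir, System32, System, Windows.
    $primary = @($AppDir, "$SystemRoot\System32", "$SystemRoot\System", $SystemRoot) |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    $Rows |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Path -match '\.(dll|exe)$' } |
        Group-Object { [IO.Path]::GetFileName($_.Path).ToLowerInvariant() } |
        ForEach-Object {
            $hits = @($_.Group | Where-Object Result -eq 'SUCCESS' |
                ForEach-Object { [IO.Path]::GetDirectoryName($_.Path).ToLowerInvariant() })
            # Resolved from a primary location: benign, even though the app dir missed first.
            if ($hits | Where-Object { $primary -contains $_ }) { return }
            $from = if ($hits) { $hits -join '; ' } else { '(not found anywhere)' }
            [pscustomobject]@{
                Process    = $_.Group[0].'Process Name'
                Binary     = $_.Name
                LoadedFrom = $from
                MissedIn   = @($_.Group | Where-Object Result -ne 'SUCCESS' |
                    ForEach-Object { [IO.Path]::GetDirectoryName($_.Path) })
            }
        }
}

# Constructed excerpt: dwmapi.dll is absent from this OS and is picked up from the
# share the document was opened from (the CWD); kernel32.dll resolves normally.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","SomeApp.exe","1234","CreateFile","C:\Program Files\SomeApp\dwmapi.dll","NAME NOT FOUND",""
"10:00:01.0000002","SomeApp.exe","1234","CreateFile","C:\Windows\System32\dwmapi.dll","NAME NOT FOUND",""
"10:00:01.0000003","SomeApp.exe","1234","CreateFile","C:\Windows\System\dwmapi.dll","NAME NOT FOUND",""
"10:00:01.0000004","SomeApp.exe","1234","CreateFile","C:\Windows\dwmapi.dll","NAME NOT FOUND",""
"10:00:01.0000005","SomeApp.exe","1234","CreateFile","\\fileserver\docs\dwmapi.dll","SUCCESS",""
"10:00:02.0000001","SomeApp.exe","1234","CreateFile","C:\Program Files\SomeApp\kernel32.dll","NAME NOT FOUND",""
"10:00:02.0000002","SomeApp.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
'@
Get-BinaryPlantingCandidates -Rows ($sample | ConvertFrom-Csv) -AppDir 'C:\Program Files\SomeApp' -SystemRoot 'C:\Windows' |
    Format-List
```

Only dwmapi.dll is reported, loaded from \\fileserver\docs after four primary-location misses; kernel32.dll is filtered out because it was found in System32. Run the same function against a real export taken with the CWD set to an empty directory, so that a reported binary is one your product would otherwise accept from wherever the user opened a file.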
APPLY! Recommendations for Administrators
Install Microsoft's Hotfix, remember to configure it
Disable "Web Client" service
Windows Software Restriction Policy, Windows AppLocker (enable DLL)
Personal firewall with process and connection blocking
Block outbound SMB on corporate firewall
Block outbound WebDAV on corporate firewall
Limit internal SMB, WebDAV traffic
Restrict write access on file repositories to prevent planting
http://www.binaryplanting.com/guidelinesAdministrators.htm
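The two administrator items that are most often left half-done are the hotfix (installed but never configured, so it changes nothing) and the Web Client service. The PowerShell below is an added example, not part of the ACROS deck; it assumes the KB2264107 hotfix is installed, that its CWDIllegalInDllSearch value lives under the Session Manager key described in that article, and an elevated session.

```powershell
# Added example, not from the ACROS slides. Without the KB2264107 hotfix the
# loader ignores this registry value, which is why "remember to configure it"
# cuts both ways: installing without configuring is equally ineffective.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchSetting {
    # Reports how the hotfix is configured. A REG_DWORD of 0xFFFFFFFF ("max")
    # is returned by the registry provider as the Int32 value -1.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured: hotfix present but inactive' }
    switch ($item.$Name) {
        -1      { 'max: CWD removed from the DLL search order for all processes' }
        2       { 'CWD blocked only when it is a remote (WebDAV or UNC) folder' }
        1       { 'CWD blocked only when it is a WebDAV folder' }
        default { "default search order (raw value $($item.$Name))" }
    }
}

function Set-CwdDllSearchMax {
    # "max" from the developer slide: 0xFFFFFFFF written as the 32-bit DWORD -1.
    # Set-ItemProperty creates the value if the hotfix has not added it yet.
    Set-ItemProperty -Path $Key -Name $Name -Value -1 -Type DWord
    Get-CwdDllSearchSetting
}

function Disable-WebClientService {
    # WebClient is the WebDAV redirector that turns an Internet URL into a CWD;
    # stopping and disabling it removes the "Local Goes Remote" vector.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'WebClient service not present' }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    $svc.Refresh()
    return "WebClient status: $($svc.Status), startup type: Disabled"
}

# Audit first, then apply; both writes need an elevated session.
Get-CwdDllSearchSetting
Set-CwdDllSearchMax
Disable-WebClientService
```

Apply "max" on a test machine before rolling it out: the developer slide recommends testing with it precisely because it breaks any module that still expects to find a DLL in the CWD, and a failing product is how that dependency surfaces.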
APPLY! Recommendations for Users
Be careful when using USB sticks, CDs, DVDs from unknown sources
Think before double-clicking on anything presented to you
If in doubt, transfer the data file (alone) to local drive and open it
Alert your administrators about binary planting
Resources
www.binaryplanting.com
blog.acrossecurity.com
http://support.microsoft.com/kb/2264107
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://securityxploded.com/dllhijackauditor.php
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://secunia.com/advisories/windows_insecure_library_loading/
Google "binary planting", "dll hijacking", "dll preloading"
Public Binary Planting Tools
DLLHijackAuditKit
www.binaryplanting.com/test.htm
Mitja Kolsek
ACROS d.o.o.
www.acrossecurity.com
BP-Positive vs. CWD-Addicted