Advanced (persistent) binary planting
0 likes1,218 views
This document discusses binary planting techniques such as DLL hijacking. It provides examples of binary planting issues found in Real Player and Opera on Windows XP, where they load unexpected DLLs and EXEs during execution. It warns that downloading files can leave computers vulnerable if installers load DLLs from the Downloads folder, allowing for "persistent mines" to be planted months later when applications are launched. It provides guidelines for researchers and developers to prevent binary planting issues in their own software.
Advanced (persistent) binary planting
- 1. ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. [email protected] www.acrossecurity.com
- 2. ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
- 3. ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
- 4. ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
- 5. ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
- 6. ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
- 7. ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
- 8. ACROS PUBLIC Page 8 SOURCE Barcelona 2011
- 9. ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
- 10. ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
- 11. ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
- 12. ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
- 13. ACROS PUBLIC Page 13 SOURCE Barcelona 2011
- 14. ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
- 15. ACROS PUBLIC Page 15 SOURCE Barcelona 2011
- 16. ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
- 17. ACROS PUBLIC Page 17 SOURCE Barcelona 2011
- 18. ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
- 19. ACROS PUBLIC Page 19 SOURCE Barcelona 2011
- 20. ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
- 21. ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
- 22. ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
- 23. ACROS PUBLIC Page 23 SOURCE Barcelona 2011
- 24. ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
- 25. ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
- 26. ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
- 27. ACROS PUBLIC Page 27 SOURCE Barcelona 2011
- 28. ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
- 29. ACROS PUBLIC Page 29 SOURCE Barcelona 2011
- 30. ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
- 31. ACROS PUBLIC Page 31 SOURCE Barcelona 2011
- 32. ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
- 33. ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
- 34. ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
- 35. ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
- 36. ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com [email protected] Twitter: @acrossecurity