
Advanced (persistent) binary planting

SOURCE Barcelona 2011 - Mitja Kolsek


Transcript of "Advanced (persistent) binary planting"

  1. ACROS PUBLIC © ACROS
     Advanced (Persistent) Binary Planting
     SOURCE Barcelona 2011
     Mitja Kolsek, ACROS d.o.o.
     mitja.kolsek@acrossecurity.com
     www.acrossecurity.com
  2. BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, unsafe library loading...)
  3. (diagram: DLL, EXE; you; bad guy)
  4. DLL Search Order: LoadLibrary(“SomeLib.dll”)
     1. The directory from which the application loaded
     2. C:\Windows\System32
     3. C:\Windows\System
     4. C:\Windows
     5. Current Working Directory (CWD)
     6. PATH
  5. EXE Search Order: CreateProcess(“SomeApp.exe”)
     1. The directory from which the application loaded
     2. Current Working Directory (CWD)
     3. C:\Windows\System32
     4. C:\Windows\System
     5. C:\Windows
     6. PATH
  6. EXE Search Order: ShellExecute(“SomeApp.exe”)
     1. Current Working Directory (CWD)
     2. C:\Windows\System32
     3. C:\Windows\System
     4. C:\Windows
     5. PATH
  7. Our Past Research
     • Extended scope: launching EXEs
     • Improved attack vector: WebDAV
     • We looked at 200+ leading Windows apps
     • Found 500+ binary planting bugs (120+ EXE, 400+ DLL)
     • Guidelines for developers: http://www.binaryplanting.com/guidelinesDevelopers.htm
     • Guidelines for administrators: http://www.binaryplanting.com/guidelinesAdministrators.htm
     • Free Online Binary Planting Exposure Test: http://www.binaryplanting.com/test.htm
     • Advanced binary planting (COM servers)
     • Executing code through IE8 on Windows XP – two clicks only
     • Executing code through IE9 on Windows 7 – right click, add to archive
  8. (no transcribed text)
  9. PERSISTENCE
     #1 - PERSISTENCE IN SOFTWARE
     #2 – PERSISTENCE ON COMPUTER
  10. #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
  11. Microsoft (Sysinternals) Process Monitor
      1. Filter: Path Contains <our-path>
      2. Launch application
      3. Exclude irrelevant entries
      4. Look for DLL and EXE accesses
      5. Plant DLL/EXE
      6. Re-launch application
      7. If successful, see call stack
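Steps 1, 3, 4 and 7 of the Process Monitor procedure on this slide are filtering work that can just as well be done offline on a CSV export of the capture. The Python below is an added example, not code from the talk or from ACROS: the CSV rows are constructed in Process Monitor's default export column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) rather than taken from a real capture, and the watched folder is an assumed path. It keeps only DLL/EXE accesses under that folder, lists the names an application looked for but did not find (where step 5 would plant a file), and separately lists binaries that were actually mapped or started from that folder after a re-launch.

```python
"""Offline triage of a Process Monitor CSV export for binary planting hunting.
Added example; the capture rows below are constructed, not a real trace."""
import csv
import io
from collections import defaultdict

WATCH_DIR = r"C:\Users\alice\Downloads"        # assumed <our-path> from the filter step
BINARY_EXT = (".dll", ".exe")
INTERESTING_OPS = {"CreateFile", "Load Image", "Process Create"}

# Constructed rows in Process Monitor's default CSV export columns.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","RealPlay.exe","1234","CreateFile","C:\Users\alice\Downloads\movie.avi","SUCCESS","Desired Access: Generic Read"
"10:01:02.2","RealPlay.exe","1234","CreateFile","C:\Users\alice\Downloads\rio500.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","RealPlay.exe","1234","CreateFile","C:\Users\alice\Downloads\rio300.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","RealPlay.exe","1234","CreateFile","C:\Users\alice\Downloads\desktop.ini","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0","explorer.exe","888","CreateFile","C:\Users\alice\Downloads\movie.avi","SUCCESS","Desired Access: Read Attributes"
"10:01:05.0","RealPlay.exe","1234","Load Image","C:\Program Files\Real\RealPlayer\pncrt.dll","SUCCESS","Image Base: 0x10000000"
"10:02:10.0","RealPlay.exe","1300","Load Image","C:\Users\alice\Downloads\rio500.dll","SUCCESS","Image Base: 0x10000000"
"10:03:00.0","Opera.exe","1500","Process Create","C:\Users\alice\Downloads\rundll32.exe","SUCCESS","PID: 1600, Command line: rundll32.exe"
'''


def filter_binary_accesses(csv_text, watch_dir=WATCH_DIR):
    """Steps 1, 3 and 4 as one filter: rows whose Path lies under watch_dir,
    names a DLL or EXE, and comes from a load/create operation.
    Returns {(process name, name relative to watch_dir): {(operation, result), ...}}."""
    prefix = watch_dir.lower().rstrip("\\") + "\\"
    events = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        low = path.lower()
        if not low.startswith(prefix) or not low.endswith(BINARY_EXT):
            continue                      # data files, desktop.ini etc. are noise here
        if row["Operation"] not in INTERESTING_OPS:
            continue
        key = (row["Process Name"], path[len(prefix):])
        events[key].add((row["Operation"], row["Result"]))
    return events


def plant_candidates(events):
    """Names a process tried to open under the watched path and did not find:
    these are the spots where step 5 plants a test DLL/EXE."""
    return sorted({name for (_, name), evs in events.items()
                   if ("CreateFile", "NAME NOT FOUND") in evs})


def confirmed_loads(events):
    """(process, name) pairs actually mapped as an image or started as a process
    from the watched path: the successful re-launch of step 7."""
    return sorted({key for key, evs in events.items()
                   if any(op != "CreateFile" and res == "SUCCESS" for op, res in evs)})


if __name__ == "__main__":
    ev = filter_binary_accesses(SAMPLE_CSV)
    print("plant candidates:", plant_candidates(ev))
    print("confirmed loads: ", confirmed_loads(ev))
```

Running it against a real export works the same way: read the file into a string and pass it to `filter_binary_accesses` with the folder you used in the Path filter. The NAME NOT FOUND entries are exactly the "look for DLL and EXE accesses" result, and a Load Image or Process Create row with SUCCESS under that folder is the signal that the re-launch picked up the planted file.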
  12. Example: Real Player
      I used to load rio500.dll from CWD. Wait... I still do.
      Publicly reported in February 2010 by Taeho Kwon and Zhendong Su: http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
  13. (no transcribed text)
  14. False Positives
  15. (no transcribed text)
  16. Hidden & Remote
  17. (no transcribed text)
  18. Cleaning The Table
  19. (no transcribed text)
  20. Real Player on Windows XP (mpeg)
  21. Real Player on Windows XP (avi)
  22. Example: Opera
      I fixed a DLL hijacking bug but what the heck is this “EXE planting”?
      Windows XP: dwmapi.dll (fixed in 10.62)
  23. (no transcribed text)
  24. Binary Planting Issues Found
      Real Player
      • WinXP: RealPlay.exe loading planted rapi.dll upon startup
      • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup
      • RealPlay.exe loading planted rio500.dll upon exit
      • RealPlay.exe loading planted rio300.dll upon exit
      • RealShare.exe loading planted pnrs3260.dll upon startup
      Opera
      • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
  25. #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
  26. DLL Search Order: LoadLibrary(“SomeLib.dll”)
      1. The directory from which the application loaded
      2. C:\Windows\System32
      3. C:\Windows\System
      4. C:\Windows
      5. Current Working Directory (CWD)
      6. PATH
  27. (no transcribed text)
  28. Planting a “Persistent Mine” (cryptbase.dll)
  29. (no transcribed text)
  30. Planting a “Persistent Mine” (msiexec.exe)
  31. (no transcribed text)
  32. Downloads folder “mine field” problem
      Why is it cool?
      • Persistent – “download today, exploit months later”
      • Installers usually get elevated privileges
      Whose fault is it?
      • Installers loading DLLs from their neighborhood is expected behavior
      • Browsers keep downloads on disk until manually deleted
      • Chrome download dialog is clickjackable
      • Chrome trusts EXE files from already visited sites
      • InstallShield calls “msiexec.exe” without full path
      How could it be fixed?
      • All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
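The three search orders on slides 4 to 6 (LoadLibrary's order is repeated on slide 26) and the Downloads-folder scenario of slides 28 to 32 fit in one small model. The Python below is an added example, not code from the talk or from ACROS; the directory layout, the user name, the installer and the PATH entry are all constructed. It encodes the three lists exactly as the slides give them, resolves each name the way the slides describe (rio500.dll reached at the CWD step, cryptbase.dll and msiexec.exe found in an installer's own directory when that directory is Downloads, rundll32.exe via ShellExecute's CWD-first order) and then applies the fix proposed on slide 32, renaming downloaded executables to names like cryptbase(0).dll, to show that every lookup then falls through to System32 or fails outright.

```python
"""Model of the DLL/EXE search orders quoted on the slides, applied to a
Downloads folder used as a "mine field". Added example; the directory layout
below is constructed, not a real system image."""
import os

WINDOWS = r"C:\Windows"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM = r"C:\Windows\System"
DOWNLOADS = r"C:\Users\alice\Downloads"          # constructed browser download folder
REAL_DIR = r"C:\Program Files\Real\RealPlayer"    # constructed install directory
PATH_DIRS = [r"C:\Program Files\Git\bin"]         # constructed PATH entry

# Constructed layout: genuine files in System32, RealPlayer in its own folder,
# and a Downloads folder holding a downloaded installer plus planted binaries.
FS = {
    SYSTEM32: {"cryptbase.dll", "msiexec.exe", "rundll32.exe"},
    REAL_DIR: {"realplay.exe"},
    DOWNLOADS: {"setup.exe", "cryptbase.dll", "msiexec.exe", "rundll32.exe",
                "rio500.dll", "movie.avi"},
}


# The search orders exactly as listed on slides 4, 5 and 6.
def loadlibrary_order(app_dir, cwd, path_dirs=PATH_DIRS):
    return [app_dir, SYSTEM32, SYSTEM, WINDOWS, cwd, *path_dirs]


def createprocess_order(app_dir, cwd, path_dirs=PATH_DIRS):
    return [app_dir, cwd, SYSTEM32, SYSTEM, WINDOWS, *path_dirs]


def shellexecute_order(cwd, path_dirs=PATH_DIRS):
    return [cwd, SYSTEM32, SYSTEM, WINDOWS, *path_dirs]


def resolve(name, order, fs=FS):
    """Return the first directory in `order` that holds `name` (NTFS name
    lookups are case-insensitive), or None when no directory has it."""
    wanted = name.lower()
    for directory in order:
        if wanted in {f.lower() for f in fs.get(directory, ())}:
            return directory
    return None


def realplayer_rio500(fs=FS):
    """RealPlay.exe runs from its install dir with CWD = Downloads (a downloaded
    .avi was opened). rio500.dll is in neither the app dir nor any system dir,
    so the lookup reaches step 5, the CWD."""
    return resolve("rio500.dll", loadlibrary_order(REAL_DIR, DOWNLOADS), fs)


def installer_cryptbase(fs=FS):
    """setup.exe was started from Downloads, so step 1 (the directory the
    application loaded from) is Downloads and the planted cryptbase.dll
    shadows the genuine one in System32 even with SafeDllSearchMode."""
    return resolve("cryptbase.dll", loadlibrary_order(DOWNLOADS, DOWNLOADS), fs)


def installer_msiexec(fs=FS):
    """The installer calls CreateProcess("msiexec.exe") without a full path:
    Downloads is searched at steps 1 and 2, System32 only at step 3."""
    return resolve("msiexec.exe", createprocess_order(DOWNLOADS, DOWNLOADS), fs)


def shell_rundll32(fs=FS):
    """ShellExecute("rundll32.exe") with CWD = Downloads: the CWD is step 1."""
    return resolve("rundll32.exe", shellexecute_order(DOWNLOADS), fs)


def rename_downloaded_binaries(fs=FS):
    """The fix from slide 32: every downloaded DLL/EXE gets a name no program
    will ever ask for, e.g. cryptbase(0).dll. Returns a new layout."""
    renamed = {d: set(files) for d, files in fs.items()}

    def mark(filename):
        stem, ext = os.path.splitext(filename)
        return f"{stem}(0){ext}" if ext.lower() in (".dll", ".exe") else filename

    renamed[DOWNLOADS] = {mark(f) for f in fs[DOWNLOADS]}
    return renamed


if __name__ == "__main__":
    safe = rename_downloaded_binaries()
    for label, fn in [("rio500.dll", realplayer_rio500), ("cryptbase.dll", installer_cryptbase),
                      ("msiexec.exe", installer_msiexec), ("rundll32.exe", shell_rundll32)]:
        print(f"{label:14} planted -> {fn()}   renamed -> {fn(safe)}")
```

Two points the model makes visible: SafeDllSearchMode does nothing for an installer that runs from the Downloads folder, because the folder is then the application directory and is searched first; and the rename fix works not by removing the files but by making the names the loaders ask for stop matching, so each lookup continues to the genuine copy in System32 (or, for rio500.dll, to nothing at all).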
  33. Binary Planting: Guidelines For Researchers
      • Stay current: make sure you’re working with the latest version of the product, and make sure your O/S is up to date
      • Try different O/S versions: different DLLs, different drivers, codecs etc.
      • Try different data files: different formats (file extensions), different content
      • Try it from remote: ShellExecute will issue a security warning when launching from a share
      • Locate the culprit: check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
  34. Binary Planting: Guidelines For Developers
      • Use only absolute paths
        LoadLibrary(“relative.dll”) – FAIL
        CreateProcess(“notepad.exe”) – FAIL
        ShellExecute(“cmd.exe”) – FAIL
      • CWD use: set CWD to a safe location, quickly; call SetDllDirectory(“”)
      • Observe file system operations on all supported O/S versions: different DLLs, different drivers, codecs etc.
      • Maximize code coverage: different formats (file extensions), different content
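The three FAIL examples on the developer slide can be caught by a lightweight source scan long before a build reaches Process Monitor. The Python below is an added example, not the talk's or ACROS's code; the C snippet it scans is constructed. It finds LoadLibrary/LoadLibraryEx, CreateProcess, ShellExecute and WinExec calls (with or without the A/W suffix), locates the argument that names the file to load or run (for CreateProcess the command line when lpApplicationName is NULL), and reports FAIL for a relative literal, OK for an absolute drive-letter or UNC literal, and REVIEW when the argument is a variable that has to be checked by hand. ShellExecuteEx takes a structure rather than a path argument and is deliberately left out.

```python
"""Static scan for relative-path LoadLibrary/CreateProcess/ShellExecute/WinExec
calls, the pattern the slide marks FAIL. Added example; the C source below is
constructed for the demonstration."""
import re

# API name -> index of the argument that names the file to load or run.
PATH_ARG = {"LoadLibrary": 0, "LoadLibraryEx": 0, "CreateProcess": 0,
            "ShellExecute": 2, "WinExec": 0}
CALL_RE = re.compile(r"\b(LoadLibraryEx|LoadLibrary|CreateProcess|ShellExecute|WinExec)[AW]?\s*\(")
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")   # drive-letter path or UNC path
LITERAL_RE = re.compile(r'^L?"(.*)"$', re.S)         # narrow or wide C string literal

# Constructed C fragment exercising each verdict.
SAMPLE_SOURCE = r'''HMODULE h1 = LoadLibrary("relative.dll");
HMODULE h2 = LoadLibraryW(L"C:\\Windows\\System32\\version.dll");
CreateProcess(NULL, "notepad.exe", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
ShellExecute(NULL, "open", "cmd.exe", NULL, NULL, SW_SHOW);
ShellExecuteW(NULL, L"open", fullPath, NULL, NULL, SW_SHOW);
CreateProcessW(NULL, L"\"C:\\Program Files\\App\\helper.exe\" /quiet", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
'''


def split_args(source, pos):
    """Return the argument texts of the call whose '(' ends just before `pos`,
    splitting on top-level commas and keeping string literals intact."""
    args, cur, depth, in_str, i = [], [], 1, False, pos
    while i < len(source):
        c = source[i]
        if in_str:
            cur.append(c)
            if c == "\\":                 # keep the escaped character (\" or \\) inside the literal
                i += 1
                cur.append(source[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                break
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    args.append("".join(cur).strip())
    return args


def verdict(api, args):
    """Classify one call: FAIL for a relative literal, OK for an absolute
    literal, REVIEW when the path argument is not a literal."""
    idx = PATH_ARG[api]
    if api == "CreateProcess" and args and args[0].upper() == "NULL":
        idx = 1                           # lpApplicationName is NULL: the command line names the image
    if idx >= len(args):
        return "", "REVIEW"
    m = LITERAL_RE.match(args[idx])
    if not m:
        return args[idx], "REVIEW"        # variable or expression: decide by hand
    target = m.group(1)
    if api == "CreateProcess" and idx == 1:
        # first token of the command line, honouring a \"quoted\" program name
        if target.startswith('\\"'):
            target = target[2:].split('\\"')[0]
        else:
            target = (target.split() or [""])[0]
    return target, "OK" if ABSOLUTE_RE.match(target) else "FAIL"


def scan(source):
    """Return [(line number, API, path argument as written, verdict), ...]."""
    findings = []
    for m in CALL_RE.finditer(source):
        api = m.group(1)
        target, result = verdict(api, split_args(source, m.end()))
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, api, target, result))
    return findings


if __name__ == "__main__":
    for line, api, target, result in scan(SAMPLE_SOURCE):
        print(f"line {line}: {api}({target!r}) -> {result}")
```

Treat REVIEW findings as the interesting ones in a real code base: a variable built from GetModuleFileName is fine, one built from a bare file name is the same bug in disguise, and only the call site tells which.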
  35. Resources
      Tools
      • Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645
      • Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028
      Files
      • “Malicious” DLL: www.binaryplanting.com/demo/windows_address_book/wab32res.dll, www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll
      • “Malicious” EXE: C:\Windows\System32\calc.exe (what else?)
      Knowledge
      • www.binaryplanting.com
      • blog.acrossecurity.com
  36. Pregunt(e|a)s
      Mitja Kolsek, ACROS d.o.o.
      www.acrossecurity.com
      mitja.kolsek@acrossecurity.com
      Twitter: @acrossecurity