Wilders Security Forums  

  #1  
Old September 17th, 2011, 04:09 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default The Anatomy of COM Server-Based Binary Planting Exploits

http://blog.acrossecurity.com/2011/0...inary.html?m=1

Quote:
The following video shows how a user would experience the attack. Visiting a malicious web site, clicking once on one link, and again on another, is enough to get a remote binary executed on his computer.
Among other attacks.



How To Protect Yourself?

Apart from our generic recommendations for administrators, a couple of additional temporary measures will protect you from the attacks described in this post (but unfortunately not from numerous similar attacks):


On Windows XP, delete the {42071714-76d4-11d1-8b24-00a0c9068ff3} registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
On Windows 7, copy ehTrace.dll from C:\Windows\ehome to the System32 folder.
__________________
  #2  
Old September 17th, 2011, 11:11 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Default Re: The Anatomy of COM Server-Based Binary Planting Exploits

@ Hungry Man

Thanks for posting. Interesting.

Quote:
COM Server-Based Binary Planting Proof Of Concept

For educational purposes we decided to publish a proof of concept (PoC) for the COM Server-Based Binary Planting attacks described in our previous post. We prepared both online and offline versions for 32-bit Windows XP running Internet Explorer 8.

Online Proof of Concept

Visit \\www.binaryplanting.com\demo\XP_2-click\test.html (with Internet Explorer) and follow instructions. You must have WebDAV communication with the Internet enabled and must not have the CWDIllegalInDllSearch hotfix installed.

Offline Proof of Concept

Download a ZIP archive of the PoC here, extract it and follow the instructions in readme.txt. You can test the PoC either from a local network share or locally on a single Windows XP machine.

http://blog.acrossecurity.com/2011/0...ing-proof.html

*

Tried both POC's on XP/SP2 with NO updates & IE6 with NO updates, scripting on Prompt & NO WebDAV here.

Online POC

[Attachment: ie1.gif]

Mouse over

[Attachment: ie2.gif]

I couldn't minimize IE6 ? but was able to exit OK. No files showing or DL'd ?

DL'd the Offline POC & unzipped the XP_2-click Folder = Readme.txt & 5 x HTML.lnk's & Folder named files.{42071714-76d4-11d1-8b24-00a0c9068ff3}

[Attachment: files.gif]

Only inner.html did anything when launched. I could just make the 2 files to the extreme left of the screen, due to them being mainly obscured. I dragged them over to SAVE to my desktop.

[Attachment: wri.gif]

[Attachment: dp.gif]

Nothing else happened or was visible ?

Only 3 sample document.wri was there for Saving/Running, out of the 3 in total in the folder, along with deskpan.dll in there.

MORE
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
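The two temporary measures quoted in post #1 (delete the CLSID key on XP, copy ehTrace.dll into System32 on Windows 7) and the preconditions listed in the PoC quote above (WebDAV reachable, CWDIllegalInDllSearch hotfix absent) are all things an administrator can audit from the machine itself. The PowerShell script below is an added example written for this thread, not code from the ACROS blog posts or from any poster; it only reads state and reports, it changes nothing. The CLSID, the ehTrace.dll path and the two mitigation steps come from the quoted text; the CWDIllegalInDllSearch registry value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` and its meanings (0xFFFFFFFF = current directory removed from the DLL search order, 2 = no loads from WebDAV or remote UNC paths, 1 = no loads from WebDAV) are taken from Microsoft's KB2264107 description of that hotfix. The WebClient service is the Windows WebDAV redirector; the PoC's WebDAV requirement depends on it running.

```powershell
# Added example (not from the blog posts or the thread): audit the binary-planting
# mitigations discussed above. Read-only; run in an elevated PowerShell prompt.

$clsid    = '{42071714-76d4-11d1-8b24-00a0c9068ff3}'        # from post #1
$clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
$sys32    = Join-Path $env:SystemRoot 'System32'
$ehHome   = Join-Path $env:SystemRoot 'ehome\ehTrace.dll'     # source named in post #1
$ehSys32  = Join-Path $sys32 'ehTrace.dll'                    # destination named in post #1
$smKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

$findings = New-Object System.Collections.Generic.List[string]

# 1. XP measure: the COM class behind the PoC should no longer be registered.
if (Test-Path $clsidKey) {
    $findings.Add("WARN  CLSID $clsid is still registered under HKLM\SOFTWARE\Classes\CLSID")
} else {
    $findings.Add("OK    CLSID $clsid is not registered")
}

# 2. Windows 7 measure: a copy of ehTrace.dll in System32 is found before any
#    attacker-controlled directory is searched. Report whether both ends exist.
if (Test-Path $ehSys32) {
    $findings.Add("OK    ehTrace.dll present in $sys32")
} elseif (Test-Path $ehHome) {
    $findings.Add("WARN  ehTrace.dll exists in $(Split-Path $ehHome) but not in $sys32 (post #1 measure not applied)")
} else {
    $findings.Add("INFO  ehTrace.dll not found in ehome or System32 (measure may not apply to this edition)")
}

# 3. CWDIllegalInDllSearch (KB2264107). REG_DWORD 0xFFFFFFFF reads back as -1
#    through Get-ItemProperty, so accept both spellings of that value.
$cwd = (Get-ItemProperty -Path $smKey -Name 'CWDIllegalInDllSearch' `
            -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
switch ($cwd) {
    { $_ -eq -1 -or $_ -eq 4294967295 } {
        $findings.Add("OK    CWDIllegalInDllSearch=0xFFFFFFFF: current directory removed from DLL search order"); break }
    2 { $findings.Add("OK    CWDIllegalInDllSearch=2: DLL loads from WebDAV and remote UNC paths blocked"); break }
    1 { $findings.Add("WARN  CWDIllegalInDllSearch=1: only WebDAV loads blocked, remote shares still allowed"); break }
    0 { $findings.Add("WARN  CWDIllegalInDllSearch=0: hotfix installed but disabled"); break }
    default { $findings.Add("WARN  CWDIllegalInDllSearch not set (KB2264107 hotfix absent or unconfigured)") }
}

# 4. WebDAV redirector state: the PoC needs WebDAV to the Internet to work.
$webclient = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
if ($null -eq $webclient) {
    $findings.Add("OK    WebClient (WebDAV redirector) service not present")
} elseif ($webclient.Status -eq 'Running') {
    $findings.Add("INFO  WebClient (WebDAV redirector) is running; consider whether outbound WebDAV is needed")
} else {
    $findings.Add("OK    WebClient (WebDAV redirector) is $($webclient.Status)")
}

$findings | ForEach-Object { Write-Output $_ }
```

The script deliberately reports rather than remediates: deleting a CLSID or copying a DLL into System32 is a change an administrator should make knowingly, and the blog post itself describes both steps as temporary. Lines marked WARN are the conditions under which the quoted PoC would still be expected to work.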
  #3  
Old September 17th, 2011, 11:15 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Default Re: The Anatomy of COM Server-Based Binary Planting Exploits

When I opened the saved desktop 3 sample document.wri in Wordpad, it was blank. However when I opened in turn all 3 .wri's from within the Folder files.{42071714-76d4-11d1-8b24-00a0c9068ff3} each time I got this

[Attachment: hacked.gif]

Obviously due to deskpan.dll being in the same location.

*

Quote:
Microsoft's Binary Planting Clean-Up Mission

Slow, But Moving In The Right Direction

Since our presentation of COM server-based binary planting exploits at the Hack in the Box conference in May this year, Microsoft has introduced a number of relevant changes to Windows and Internet Explorer. To refresh our memory:

http://blog.acrossecurity.com/2011/0...-clean-up.html
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #4  
Old September 17th, 2011, 11:55 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: The Anatomy of COM Server-Based Binary Planting Exploits

Thank you for that. Good stuff.
__________________
  #5  
Old September 18th, 2011, 12:45 AM
J_L's Avatar
J_L J_L is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 4,820
Default Re: The Anatomy of COM Server-Based Binary Planting Exploits

SRP with DLLs under Designated File Types will protect against this, right? (Tried enforcing libraries, but that caused problems.) What about Comodo Defense+ with Sandbox (Limited)?
__________________
  #6  
Old September 19th, 2011, 01:18 AM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Default Re: The Anatomy of COM Server-Based Binary Planting Exploits

@ Hungry Man

@ J_L Don't know Sir ! But I would have thought some members on here would ?
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums