The Anatomy of COM Server-Based Binary Planting Exploits

Discussion in 'other security issues & news' started by Hungry Man, Sep 17, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html?m=1

    Among other attacks.



    How To Protect Yourself?

    Apart from our generic recommendations for administrators, a couple of additional temporary measures will protect you from the attacks described in this post (but unfortunately not from numerous similar attacks):


    On Windows XP, delete the {42071714-76d4-11d1-8b24-00a0c9068ff3} registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
    On Windows 7, copy ehTrace.dll from C:\Windows\ehome to the System32 folder.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    @ Hungry Man

    Thanks for posting :thumb: Interesting.

    *

    Tried both POC's on XP/SP2 with NO updates & IE6 with NO updates, scripting on Prompt & NO WebDAV here.

    Online POC

    ie1.gif

    Mouse over

    ie2.gif

    I couldn't minimize IE6 ? but was able to exit OK. No files showing or DL'd ?

    DL'd the Offline POC & unzipped the XP_2-click Folder = Readme.txt & 5 x HTML.lnk's & Folder named files.{42071714-76d4-11d1-8b24-00a0c9068ff3}

    files.gif

    Only inner.html did anything when launched. I could just make the 2 files to the extreme left of the screen, due to them being mainly obscrured. I dragged them over to SAVE to my desktop.

    wri.gif

    dp.gif

    Nothing else happend or was visable ?

    Only 3 sample document.wri was there for Saving/Running, out of the 3 in total in the folder, along with deskpan.dll in there.

    MORE
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    When i opened the saved desktop 3 sample document.wri in Wordpad, it was blank. However when i opened in turn all 3 .wri's from within the Folder files.{42071714-76d4-11d1-8b24-00a0c9068ff3} each time i got this

    hacked.gif

    Obviously due to deskpan.dll being in the same location.

    *

     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thank you for that. Good stuff.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    SRP with DLLs under Designated File Types will protect against this right? (tried enforcing libraries, but that cause problems). What about Comodo Defense+ with Sandbox (Limited)?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    @ Hungry Man :thumb:

    @ J_L Don't know Sir ! But i would have thought some members on here would ?
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.