The Anatomy of COM Server-Based Binary Planting Exploits

Discussion in 'other security issues & news' started by Hungry Man, Sep 17, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html?m=1

    Among other attacks.



    How To Protect Yourself?

    Apart from our generic recommendations for administrators, a couple of additional temporary measures will protect you from the attacks described in this post (but unfortunately not from numerous similar attacks):

    - On Windows XP, delete the {42071714-76d4-11d1-8b24-00a0c9068ff3} registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
    - On Windows 7, copy ehTrace.dll from C:\Windows\ehome to the System32 folder.
     
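As an added example (this is not code from the ACROS post or from anyone in this thread), the two fixes quoted above can be generalised into an audit: both attacks rely on a CLSID whose InprocServer32 DLL cannot be found at the registered location or in the normal DLL search path, so that when Explorer instantiates the object the loader ends up searching the current directory, i.e. the attacker's folder. The script below walks the CLSID hives and reports registrations whose DLL resolves nowhere. The hive list and the approximation of the loader's search order (System32, SysWOW64, System, the Windows directory, then PATH, deliberately excluding the current directory) are my assumptions, not something the post specifies.

```powershell
# Added example, not from the original post: list in-process COM servers
# whose registered DLL is missing. A missing server is the precondition for
# the binary planting described above.

function Get-MissingComServers {
    [CmdletBinding()]
    param(
        # Hives to inspect (assumption). HKCU matters because per-user
        # registrations shadow HKLM ones; Wow6432Node covers 32-bit servers.
        [string[]]$Roots = @('HKLM:\SOFTWARE\Classes\CLSID',
                             'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
                             'HKCU:\SOFTWARE\Classes\CLSID')
    )

    # Directories LoadLibrary searches for a bare file name with SafeDllSearchMode
    # on, minus the application directory and the current directory. The current
    # directory is left out on purpose: that is the planting location.
    $searchDirs = @(
        [Environment]::SystemDirectory,
        (Join-Path $env:SystemRoot 'SysWOW64'),
        (Join-Path $env:SystemRoot 'System'),
        $env:SystemRoot
    ) + ($env:Path -split ';' | Where-Object { $_ })

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid  = $_.PSChildName
            $srvKey = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path -LiteralPath $srvKey)) { return }   # 'return' = next item

            # The key's default value is the DLL path (REG_SZ or REG_EXPAND_SZ).
            $raw = (Get-ItemProperty -LiteralPath $srvKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { return }

            # Expand %SystemRoot%-style references and strip surrounding quotes.
            $path   = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            $rooted = [IO.Path]::IsPathRooted($path)

            if ($rooted) {
                $found = Test-Path -LiteralPath $path -PathType Leaf
            } else {
                # Bare file name: resolve it the way the loader would.
                $found = $false
                foreach ($dir in $searchDirs) {
                    if (Test-Path -LiteralPath (Join-Path $dir $path) -PathType Leaf) {
                        $found = $true
                        break
                    }
                }
            }

            if (-not $found) {
                [pscustomobject]@{
                    Hive       = $root
                    CLSID      = $clsid
                    ServerPath = $raw
                    Rooted     = $rooted
                }
            }
        }
    }
}

# Usage: every registered in-process server whose DLL is nowhere to be found.
# Bare (Rooted = False) names are the interesting rows: the loader will keep
# searching for them, and the current directory is where that search ends.
Get-MissingComServers | Sort-Object Rooted, CLSID | Format-Table -AutoSize
```

Each row is a candidate, not a confirmed hole: whether a given CLSID is reachable the way the post describes (Explorer rendering a folder named `something.{CLSID}`) still has to be checked by hand. The two fixes quoted above are the two ways of closing such a row, remove the dangling registration (the XP advice) or put the DLL where the search path actually finds it (the Windows 7 advice); deleting a CLSID that some installed application still uses will break that application, so check the rest of the key first.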
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Hungry Man

    Thanks for posting :thumb: Interesting.

    *

    Tried both POCs on XP/SP2 with NO updates & IE6 with NO updates, scripting on Prompt & NO WebDAV here.

    Online POC

    [screenshot: ie1.gif]

    Mouse over

    [screenshot: ie2.gif]

    I couldn't minimize IE6? But was able to exit OK. No files showing or DL'd?

    DL'd the Offline POC & unzipped the XP_2-click Folder = Readme.txt & 5 x HTML .lnk's & Folder named files.{42071714-76d4-11d1-8b24-00a0c9068ff3}

    [screenshot: files.gif]

    Only inner.html did anything when launched. I could just make out the 2 files at the extreme left of the screen, due to them being mainly obscured. I dragged them over to SAVE to my desktop.

    [screenshot: wri.gif]

    [screenshot: dp.gif]

    Nothing else happened or was visible?

    Only "3 sample document.wri" was there for Saving/Running, out of the 3 in total in the folder, along with deskpan.dll in there.

     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    When I opened the saved desktop "3 sample document.wri" in WordPad, it was blank. However, when I opened in turn all 3 .wri files from within the Folder files.{42071714-76d4-11d1-8b24-00a0c9068ff3}, each time I got this:

    [screenshot: hacked.gif]

    Obviously due to deskpan.dll being in the same location.

    *

     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thank you for that. Good stuff.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    SRP with DLLs under Designated File Types will protect against this, right? (Tried enforcing libraries, but that caused problems.) What about Comodo Defense+ with Sandbox (Limited)?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Hungry Man :thumb:

    @ J_L Don't know, Sir! But I would have thought some members on here would?
     