The Anatomy of COM Server-Based Binary Planting Exploits

Discussion in 'other security issues & news' started by Hungry Man, Sep 17, 2011.

  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html?m=1

    Among other attacks.



    How To Protect Yourself?

    Apart from our generic recommendations for administrators, a couple of additional temporary measures will protect you from the attacks described in this post (but unfortunately not from numerous similar attacks):


    On Windows XP, delete the {42071714-76d4-11d1-8b24-00a0c9068ff3} registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
    On Windows 7, copy ehTrace.dll from C:\Windows\ehome to the System32 folder.
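    Both measures quoted above fix one instance of the same condition: a registered in-process COM server whose DLL is not where the loader will find it first. The script below is an added audit, not code from the thread or the linked blog post; it lists InprocServer32 entries whose DLL is missing or registered by bare name and not present in the Windows or System32 folder (a simplified view of the loader's search order), and flags the CLSID named in the post. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added audit script (not from the thread or the linked blog post).
# Lists in-process COM servers whose registered DLL cannot be located,
# which is the precondition for the planting described above.
# Assumes it is run in an elevated PowerShell on the machine being checked.

$pageClsid = '{42071714-76d4-11d1-8b24-00a0c9068ff3}'   # CLSID named in the thread

function Get-DanglingComServers {
    param([string]$ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID')

    # Simplified search locations: the real loader order also covers the
    # application directory, the current directory and PATH.
    $searchDirs = @(
        $env:SystemRoot,
        (Join-Path $env:SystemRoot 'System32')
    )

    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }

        $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($raw)) { return }

        # Expand %SystemRoot%-style references and strip surrounding quotes
        $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))

        $found = $false
        if ([IO.Path]::IsPathRooted($path)) {
            $found = Test-Path -LiteralPath $path
        } else {
            # Bare file name: resolved through the loader's search order at load time
            foreach ($dir in $searchDirs) {
                if (Test-Path -LiteralPath (Join-Path $dir $path)) { $found = $true; break }
            }
        }

        if (-not $found) {
            [PSCustomObject]@{
                Clsid      = $_.PSChildName
                Registered = $raw
                Relative   = -not [IO.Path]::IsPathRooted($path)
            }
        }
    }
}

$dangling = @(Get-DanglingComServers)
$dangling | Format-Table -AutoSize
if ($dangling.Clsid -contains $pageClsid) {
    Write-Warning "CLSID from the post is still registered with a DLL that cannot be found"
}
```

    An empty table does not mean the machine is safe from every variant, since the check only covers in-process servers and two of the search directories; it does confirm whether the two specific fixes quoted above have taken effect.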
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Hungry Man

    Thanks for posting :thumb: Interesting.

    *

    Tried both POCs on XP/SP2 with NO updates & IE6 with NO updates, scripting on Prompt & NO WebDAV here.

    Online POC

    ie1.gif

    Mouse over

    ie2.gif

    I couldn't minimize IE6? but was able to exit OK. No files showing or DL'd?

    DL'd the Offline POC & unzipped the XP_2-click Folder = Readme.txt & 5 x HTML.lnk's & Folder named files.{42071714-76d4-11d1-8b24-00a0c9068ff3}

    files.gif

    Only inner.html did anything when launched. I could just make out the 2 files at the extreme left of the screen, as they were mostly obscured. I dragged them over to SAVE to my desktop.

    wri.gif

    dp.gif

    Nothing else happened or was visible?

    Only 3 sample document.wri was there for Saving/Running, out of the 3 in total in the folder, along with deskpan.dll in there.

    MORE
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    When I opened the saved desktop 3 sample document.wri in Wordpad, it was blank. However, when I opened in turn all 3 .wri's from within the folder files.{42071714-76d4-11d1-8b24-00a0c9068ff3}, each time I got this:

    hacked.gif

    Obviously due to deskpan.dll being in the same location.

    *

     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thank you for that. Good stuff.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    SRP with DLLs under Designated File Types will protect against this, right? (Tried enforcing libraries, but that caused problems.) What about Comodo Defense+ with Sandbox (Limited)?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Hungry Man :thumb:

    @ J_L Don't know, Sir! But I would have thought some members on here would?
     