Unpatched DLL bugs let hackers exploit Windows 7 and IE9

Discussion in 'other security issues & news' started by aigle, May 7, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It might be the same as was used before in the previous "binary planting" vulnerabilities revealed by the same security company. This is their old blog, and their test site. I'm not sure if the tests have been updated:

    Binary Planting Attack Vectors
    http://blog.acrossecurity.com/2010/09/binary-planting-attack-vectors.html

    Online Binary Planting Exposure Tests
    http://www.binaryplanting.com/test.htm

    Binary Planting - Attack Vectors
    http://www.binaryplanting.com/attackVectors.htm#demonstrations

    It seems to be a pretty easy exploit to prevent, not only because of the many steps necessary to get the user to trigger it, but also because any security that blocks unauthorized executables (including DLLs) would snag it at the gate.

    From the article:

    regards,

    -rich
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So... one more against IE's Protected Mode? Security researchers keep finding ways to avoid it. Microsoft will then plug it. Security researchers will find one more hole to plug...

    Microsoft should redesign IE's Protected Mode to work the same way as Chrome's does. Microsoft shouldn't feel ashamed for doing it, after all Google is only making use of Windows own security mechanisms.

    It sure would become harder to be avoided (the sandbox).
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    Thanks for the test links :thumb: Don't remember doing them before, may have forgotten though as i've done that many ;)

    Anyway, i tried ALL the ones i could for XP & IE6, NONE worked :D

    I don't have ANY updates for XP or IE6 either !

    Here's a few test results

    wpgif.gif

    I know it's Wordpad not Word, but thought it "might" work

    Not Adobe, but still

    pdf.gif
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, actually the word 'dll' in any exploit gets my imeediate attention.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, you have to use the vulnerable applications, which is why I never got any of the POCs to work in 2010. The PDF wouldn't even open in my version 6 of the Adobe Reader. However, now I have a newer version and I see that the URI plugin cannot connect out automatically, as is also the case with Foxit that you show.

    This is the code in the PDF:

    Code:
    URI(file:////www.binaryplanting.com/demo/windows_address_book)/S/URI
    
    Not only that, if I allow the action, the firewall intercepts the outbound connection,
    so the auto-infect threat fails on two counts:

    binaryplanting-pdf.gif

    Likewise, with the other attack vectors:

    Binary Planting Through COM Servers
    http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
    My version of MSWord isn't vulnerable and I don't use Powerpoint, so I set up my own test to see if a DLL could be loaded, and it cannot:

    testdocAE2.gif

    From the computerworld article:
    Also, no go:

    hmmapiblock.gif

    I submit that it doesn't matter what the triggering mechanism (remote code execution) is:
    Unauthorized DLLs either can or cannot load. There is no in-between.

    I'll be interested to see what new scenarios emerge at the conference, and whether or not
    the presenters can show other attack vectors that would affect me. I hope some of the POCs
    will work with me, because I'm interested to see how the outbound connection to a
    remote server is made. If not by the browser via port 80, the firewall will alert as it did in their PDF POC.

    regards,

    -rich
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Writing your own malware now :D Only kidding ;)

    Yeah, great isn't it :)

    Me too, we'll see ;) I feel confident though :D
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you are testing white listing security, you don't need a malware executable, just a non-whitelisted executable!

    Note this attack scenario:

    Binary Planting Through COM Servers
    http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
    In my DLL test, I simulated a process to load and execute with a MSWord document, and I used the Win2K version of the of hmmapi.dll instead of the WinXP version. Not being on my computer's White List, the Win2K version cannot load and execute.

    This preventative measure (White Listing) will not, of course, be discussed at the Black Hat Conference.

    Too bad, because unless something changes, the outlook remains the same as last year:

    Binary Planting Update, Day 7
    Tuesday, August 24, 2010
    http://blog.acrossecurity.com/2010/08/binary-planting-update-day-7.html
    Accepting this dire pronouncement at face value that it is "the best possible workaround," I would feel almost helpless! How could I ever know that some product I'm using might be vulnerable!

    However, in addition to the preventative measures I can employ at the point of attack, I've considered the steps involved to get me to the point of attack (as outlined in the computerworld article.) I wouldn't be inclined to be led that way in the first place.

    For example, even though I opened the POC PDF file, in the real world, I wouldn't open a PDF from an unknown/untrusted source.

    This is why I said that I'm interested in what is revealed at the Conference to see if other methods of attack have been devised/discovered that could trick me.

    regards,

    -rich
     
    Last edited: May 8, 2011
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Sho nuff :thumb:
    That would spoil their fun :D

    Exactly, and most people out there don't check to update their software.

    Only for testing ;)

    Trick you :eek: That'll be the day ;)

    I'll be testing alongside you :thumb:
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, I'm not that complacent! The nature of evil is to trick the unaware, so I want to always be alert to new trickery.

    Having said that, this year it's Win7 and IE9. Next year and the year after, it will be Win___ and IE___ (fill in the blanks)

    Up until recently, a gloating response would have been, "Switch to Mac." Well, we are learning that even that isn't a sure thing (if it ever was). Member kareldjag several years ago wrote, (I paraphrase) that all code has the potential for malicious abuse. Who believed him?

    The only answer for me has been to stay alert and be aware of the exploit attack methods to see if there is anything new (usually not) and to cover myself as best as possible, and let the cat-and-mouse games play themselves out!

    regards,

    -rich
     
    Last edited: May 8, 2011
Loading...
Thread Status:
Not open for further replies.