Re: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept

[Mitja Kolsek <mitja.kolsek () acros si>]

Dan,

> 1) Are you sure a stock build of Windows doesn't pop a security
> warning when right clicking the file:// IFRAME?  You might have munged
> your test OS.

IE allows you to right-click on a folder (but not on a file or on the  
"background") inside a file:// iframe without popping up a security  
warning. No idea why but it does.

> 2) You're getting closer with this "Send To" stuff, but you're still
> socially engineering.  Definitely better than classic "please download
> and execute this file" though.

I personally think that the "click twice on this web page" exploit  
that we released today requires even less social engineering than the  
"Send to" one.

> You really should stop talking about exploits against Powerpoint etc.
> As long as I can make an .exe that visually looks pixel for pixel like
> a .ppt, the security model you imagine (that the desktop can
> differentiate between code execution and document editing) doesn't
> exist.

I can partly agree with this for local attacks where attacker places a  
malicious file - be it .ppt or .exe - somewhere on user's computer or  
USB drive and get the user to double-click it. With a remote attack of  
this type, Windows Explorer will issue a security warning if you  
double-click an .exe on a remote share, but will let you double-click  
a .ppt without such warning. It's hard to say what percentage of users  
would actually be stopped by such warning but I'd consider it a part  
of the security model.

Another case where a malicious .ppt lookalike executable would be  
thwarted but binary planting may not be is with Windows Software  
Restriction Policy or Windows AppLocker. In their default  
configurations, both stop launching EXEs from untrusted locations, but  
don't stop loading DLLs from arbitrary folders. So double-clicking on  
a .ppt lookalike executable would be blocked, but a malicious DLL next  
to a real .ppt file wouldn't be. But again, no idea as to how many/few  
computers use this protection.

> This work is better, if incomplete.

Security research is never complete, so we settle for constant improvement.

Cheers,
Mitja

> On Thu, Jun 2, 2011 at 9:32 AM, Mitja Kolsek <mitja.kolsek () acros si> wrote:
> > Thor, the "Online Proof of Concept" section of the blog post points  
> > you to a *remote*
> > exploit (without any warning) but let me repeat the link here:
> >
> > http://www.binaryplanting.com/demo/XP_2-click/test.html
> >
> > Visit this with IE8 on 32-bit Windows XP.
> >
> > Please find further information here:
> >
> > http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html
> > http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
> >
> > In general there are two types of remote binary planting exploits:  
> > SMB and WebDAV.
> > The former works inside (local) networks where firewalls block  
> > outbound SMB traffic.
> > WebDAV attacks work through firewalls too since many firewalls  
> > allow outbound WebDAV
> > traffic and Windows silently fall back to WebDAV if SMB doesn't  
> > work. If our online
> > remote exploit doesn't work for you, you can download the PoC  
> > locally and test it in
> > your local network.
> >
> > I'll be happy to explain it to you further if need be.
> >
> > Thanks,
> > Mitja
> >
> >
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor () hammerofgod com]
> > > Sent: Thursday, June 02, 2011 6:00 PM
> > > To: security () acrossecurity com; 'Dan Kaminsky'
> > > Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
> > > Subject: RE: [Full-disclosure] COM Server-Based Binary
> > > Planting ProofOfConcept
> > >
> > > But it *is* worth mentioning that you have to create the
> > > malicious dll file, copy it to the system, create folders
> > > etc, and all the other mumbo jumbo to "exploit" this in the
> > > "default configuration."   So, the answer to Dan's question
> > > is actually, "no, you can't."  Which brings into question the
> > > actual "worth" of mentioning this in the first place. :)
> > >
> > > t
> > >
> > > > -----Original Message-----
> > > > From: full-disclosure-bounces () lists grok org uk
> > > > [mailto:full-disclosure- bounces () lists grok org uk] On
> > > Behalf Of ACROS
> > > > Security Lists
> > > > Sent: Thursday, June 02, 2011 8:42 AM
> > > > To: 'Dan Kaminsky'; security () acrossecurity com
> > > > Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
> > > > Subject: Re: [Full-disclosure] COM Server-Based Binary
> > > Planting Proof
> > > > OfConcept
> > > >
> > > > It would hardly be worth mentioning otherwise.
> > > >
> > > > Cheers,
> > > > Mitja
> > > >
> > > > > -----Original Message-----
> > > > > From: full-disclosure-bounces () lists grok org uk
> > > > > [mailto:full-disclosure-bounces () lists grok org uk] On
> > > Behalf Of Dan
> > > > > Kaminsky
> > > > > Sent: Thursday, June 02, 2011 5:36 PM
> > > > > To: security () acrossecurity com
> > > > > Cc: si-cert () arnes si; full-disclosure () lists grok org uk;
> > > > > bugtraq () securityfocus com; cert () cert org
> > > > > Subject: Re: [Full-disclosure] COM Server-Based Binary Planting
> > > > > Proof OfConcept
> > > > >
> > > > > Does this run code without prompting, on a reasonably default
> > > > > configuration?
> > > > >
> > > > > On Thu, Jun 2, 2011 at 7:52 AM, ACROS Security Lists
> > > > > <lists () acros si>
> > > > > wrote:
> > > > > >
> > > > > > We published a remote/local proof of concept for the COM
> > > > > Server-Based
> > > > > > Binary Planting exploit presented at the Hack in the Box
> > > > > conference in Amsterdam.
> > > > > >
> > > > > > Feel free to try it out online if WebDAV works through your
> > > > > firewall,
> > > > > > or download it and test it in your local network or simply
> > > > > on your computer.
> > > > > >
> > > > > >
> > > > >
> > > http://blog.acrossecurity.com/2011/06/com-server-based-binary-planti
> > > > > ng
> > > > > > -proof.html
> > > > > > or
> > > > > > http://bit.ly/iSxHKO
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > > Mitja Kolsek
> > > > > > CEO&CTO
> > > > > >
> > > > > > ACROS, d.o.o.
> > > > > > Makedonska ulica 113
> > > > > > SI - 2000 Maribor, Slovenia
> > > > > > tel: +386 2 3000 280
> > > > > > fax: +386 2 3000 282
> > > > > > web: http://www.acrossecurity.com
> > > > > >
> > > > > > ACROS Security: Finding Your Digital Vulnerabilities Before
> > > > > Others Do
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Full-Disclosure - We believe in it.
> > > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/