2. ACROS PUBLIC Page 2 SOURCE Barcelona 2011
BINARY PLANTING
QUICK SUMMARY
(DLL hijacking, DLL preloading,
Unsafe library loading...)
3. ACROS PUBLIC Page 3 SOURCE Barcelona 2011
DLL, EXE
you
bad guy
4. ACROS PUBLIC Page 4 SOURCE Barcelona 2011
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:WindowsSystem32
3. C:WindowsSystem
4. C:Windows
5. Current Working Directory (CWD)
6. PATH
5. ACROS PUBLIC Page 5 SOURCE Barcelona 2011
EXE Search Order
CreateProcess(“SomeApp.exe”)
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:WindowsSystem32
4. C:WindowsSystem
5. C:Windows
6. PATH
6. ACROS PUBLIC Page 6 SOURCE Barcelona 2011
EXE Search Order
ShellExecute(“SomeApp.exe”)
1. Current Working Directory (CWD)
2. C:WindowsSystem32
3. C:WindowsSystem
4. C:Windows
5. PATH
7. ACROS PUBLIC Page 7 SOURCE Barcelona 2011
Our Past Research
• Extended scope: Launching EXEs
• Improved attack vector: WebDAV
• We looked at 200+ leading Windows apps
• Found 500+ binary planting bugs (120+ EXE, 400+ DLL)
• Guidelines for developers
http://www.binaryplanting.com/guidelinesDevelopers.htm
• Guidelines for administrators
http://www.binaryplanting.com/guidelinesAdministrators.htm
• Free Online Binary Planting Exposure Test
http://www.binaryplanting.com/test.htm
• Advanced binary planting (COM-Servers)
• Executing code through IE8 on Windows XP – two clicks only
• Executing code through IE9 on Windows 7 – right click, add to archive
9. ACROS PUBLIC Page 9 SOURCE Barcelona 2011
PERSISTENCE
#1 - PERSISTENCE IN SOFTWARE
#2 – PERSISTENCE ON COMPUTER
10. ACROS PUBLIC Page 10 SOURCE Barcelona 2011
#1 - PERSISTENCE IN SOFTWARE
(Everywhere You Look)
11. ACROS PUBLIC Page 11 SOURCE Barcelona 2011
Microsoft (Sysinternals) Process Monitor
1. Filter: Path Contains <our-path>
2. Launch Application
3. Exclude irrelevant entries
4. Look for DLL and EXE accesses
5. Plant DLL/EXE
6. Re-launch Application
7. If successful, see call stack
12. ACROS PUBLIC Page 12 SOURCE Barcelona 2011
Example: Real Player
I used to load
rio500.dll from CWD.
Wait... I still do.
Publicly reported in February 2010
by Taeho Kwon and Zhendong Su
http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
20. ACROS PUBLIC Page 20 SOURCE Barcelona 2011
Real Player on Windows XP (mpeg)
21. ACROS PUBLIC Page 21 SOURCE Barcelona 2011
Real Player on Windows XP (avi)
22. ACROS PUBLIC Page 22 SOURCE Barcelona 2011
Example: Opera
I fixed a DLL hijacking
bug but what
the heck is this
“EXE planting”?
Windows XP: dwmapi.dll (fixed in 10.62)
24. ACROS PUBLIC Page 24 SOURCE Barcelona 2011
Binary Planting Issues Found
Real Player
• WinXP: RealPlay.exe loading planted rapi.dll upon startup
• Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup
• RealPlay.exe loading planted rio500.dll upon exit
• RealPlay.exe loading planted rio300.dll upon exit
• RealShare.exe loading planted pnrs3260.dll upon startup
Opera
• WinXP: Opera.exe loading planted rundll32.exe upon opening a
downloaded ZIP
25. ACROS PUBLIC Page 25 SOURCE Barcelona 2011
#2 - PERSISTENCE ON COMPUTER
(Turning Downloads Folder
Into a Minefield)
26. ACROS PUBLIC Page 26 SOURCE Barcelona 2011
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:WindowsSystem32
3. C:WindowsSystem
4. C:Windows
5. Current Working Directory (CWD)
6. PATH
32. ACROS PUBLIC Page 32 SOURCE Barcelona 2011
Downloads folder “mine field” problem
Why is it cool?
Persistent – “download today, exploit months later”
Installers usually get elevated privileges
Whose fault is it?
Installers loading DLLs from their neighborhood is expected behavior
Browsers keep downloads on disk until manually deleted
Chrome download dialog is clickjackable
Chrome trusts EXE files from already visited sites
InstallShield calls “msiexec.exe” without full path
How could it be fixed?
All downloaded executables should have modified names:
Cryptbase(0).dll, msiexec(0).exe
33. ACROS PUBLIC Page 33 SOURCE Barcelona 2011
Binary Planting: Guidelines For Researchers
Stay current
Make sure you’re working with the latest version of the product
Make sure your O/S is up to date
Try different O/S versions
Different DLLs, different drivers, codecs etc.
Try different data files
Different formats (file extensions), different content
Try it from remote
ShellExecute will issue a security warning when launching from a share
Locate the culprit
Check the call stack to find which module is responsible for the bug, then
check the module’s details to find the author
34. ACROS PUBLIC Page 34 SOURCE Barcelona 2011
Binary Planting: Guidelines For Developers
Use only absolute paths
LoadLibrary(“relative.dll”) - FAIL
CreateProcess(“notepad.exe”) – FAIL
ShellExecute(“cmd.exe”) - FAIL
CWD use
Set CWD to a safe location, quickly
Call SetDllDirectory(“”)
Observe file system operations on all supported O/S versions
Different DLLs, different drivers, codecs etc.
Maximize code coverage
Different formats (file extensions), different content
35. ACROS PUBLIC Page 35 SOURCE Barcelona 2011
Resources
Tools
Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645
Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028
Files
“Malicious” DLL
www.binaryplanting.com/demo/windows_address_book/wab32res.dll
www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll
“Malicious” EXE: C:WindowsSystem32calc.exe (what else?)
Knowledge
www.binaryplanting.com
blog.acrossecurity.com
36. ACROS PUBLIC Page 36 SOURCE Barcelona 2011
Pregunt(e|a)s
Mitja Kolsek
ACROS d.o.o.
www.acrossecurity.com
mitja.kolsek@acrossecurity.com
Twitter: @acrossecurity