3. How they do it
• Target memory corruption
• X% fuzzing + Y% static analysis
– Only combination is viable
– Other approaches are immature
• Fuzzing: massive overhead
– Set up a framework
– Develop patterns/heuristics !!
– Take machine time
– Analyze crash dumps !
– Exploit, bypass DEP/ASLR/Sandbox !!!
• Perspective
– protections harden
– need more and more time to succeed
– and resources to begin with
4. Perspective vectors
• By-design vulnerabilities
– E.g. DLL Hijacking, UI redressing, LD_LIBRARY_PATH…
• Sandbox bypass for complex systems
– E.g. JAVA: bypass SecurityManager -> full privileges for unsigned applet -> win
• Certificates
– E.g. Adobe PDF: signed document -> trusted document -> full-privileged JavaScript -> win
5. Why DLL Hijacking?
• Test hacking skills!
– Succeed with a blind alley before hitting the highway
• Looks easy
– Plenty of previous research, e.g. binaryplanting.com
– Interns must do research, too
• Real world targeted attacks: CVE-2011-1980, CVE-2011-1991, CVE-2011-2100
– They work
• MS12-046 vbe6.dll
– They still exist!
• OS behaviour undocumented
– There is place for research
6. Research focus
• Top, clean platforms
– Windows 7
– Windows XP
– Office 2010
– Office 2007
– Adobe Acrobat/Reader
• Find a new remote delivery vector
– Not a “.dll” in e-mail attachment
– Not a “.dll” in a network share
• Find something yet unfound
7. Tech recap
• Exe -> dll by relative path
• DLL Search Order
• Current Directory (CD) – MS DOS rudiment
• Default: app path
• File open: file path
• Some other changes
• Exploitation profit: Bypass restrictions, LPE, RCE
• Vectors: local, local network, client-side
8. Advantages
• 100% stable exploit
• 100% silent execution on non-supported targets
• Very little overhead
• No mess with protections
• ! Not fixable globally with simple measures like DEP/ASLR
– Only developers education can help
– Will reappear in new software forever
9. Challenges
• Search
– “Trivial => already found” myth
• Exploitation
– Nobody ever tried to manipulate CD
• User interaction
– Triggered by clicking menus… now what?
• Masking / delivery
– Document + DLL binding looks suspicious
18. CD internals - 2
• MSDN: “it is the directory in which the active application started, unless it has been explicitly changed” – actually no
• Way of starting an app affects CD
– App exec default: app dir
– App exec: Software\Microsoft\Windows\CurrentVersion\App Paths
– Exec by lnk: lnk dir
– Document open: document dir
– CreateProcess(): lpCurrentDirectory
• CD set internally by some API
– GetOpenFileName() / GetSaveFileName()
– FindFirstFile() / FindNextFile() (presumably)
• Many file system APIs depend on CD
– So developers call SetCurrentDirectory() every now and then
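To make the role of the CD in slides 7 and 18 concrete, here is an added Python model of the documented DLL search order; it is illustration written for this page, not code from the slides. It encodes what Microsoft documents for a DLL requested by name only: with SafeDllSearchMode on (the default) the loader probes the application directory, the system directories, then the current directory, then PATH; with it off the CD moves to second place. It also models KnownDLLs (always taken from System32) and the CWDIllegalInDllSearch value 0xFFFFFFFF from KB2264107, which drops the CD from the search. All directories, the `helper.dll` dependency and the file share are constructed for the example.

```python
"""Model of the Windows DLL search order for a DLL requested by name only.

Added illustration, not code from the original slides. Directory names,
file names and the helper.dll dependency are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Machine:
    app_dir: str                                  # directory of the executable
    current_dir: str                              # CD at the time of the load
    system_dir: str = r"C:\Windows\System32"
    system16_dir: str = r"C:\Windows\System"
    windows_dir: str = r"C:\Windows"
    path_dirs: list = field(default_factory=list)
    files: set = field(default_factory=set)       # full paths that exist
    known_dlls: set = field(default_factory=set)  # lowercase KnownDLLs names
    safe_dll_search_mode: bool = True             # registry default since XP SP2
    cwd_illegal_in_dll_search: int = 0            # 0xFFFFFFFF removes the CD


def search_order(m: Machine) -> list:
    """Return [(label, directory), ...] in the order the loader probes them."""
    steps = [("app", m.app_dir), ("system32", m.system_dir),
             ("system16", m.system16_dir), ("windows", m.windows_dir),
             ("cwd", m.current_dir)]
    if not m.safe_dll_search_mode:
        steps.insert(1, steps.pop(4))   # legacy order: CD right after app dir
    steps += [("path", d) for d in m.path_dirs]
    if m.cwd_illegal_in_dll_search == 0xFFFFFFFF:
        steps = [s for s in steps if s[0] != "cwd"]   # KB2264107 hardening
    return steps


def resolve(m: Machine, dll_name: str):
    """Return (label, full_path) for the DLL the loader would pick, or None."""
    if dll_name.lower() in m.known_dlls:
        return ("known", m.system_dir + "\\" + dll_name)   # never searched
    present = {f.lower() for f in m.files}
    for label, directory in search_order(m):
        candidate = directory + "\\" + dll_name
        if candidate.lower() in present:
            return (label, candidate)
    return None


if __name__ == "__main__":
    # Constructed scenario: a viewer whose optional helper.dll is absent is
    # started by opening a document on a file share, so the CD is the share.
    m = Machine(app_dir=r"C:\Program Files\Viewer",
                current_dir=r"\\fileserver\docs",
                files={r"\\fileserver\docs\helper.dll",
                       r"C:\Windows\System32\kernel32.dll"},
                known_dlls={"kernel32.dll"})
    print(resolve(m, "helper.dll"))   # picked from the share, label 'cwd'
    m.cwd_illegal_in_dll_search = 0xFFFFFFFF
    print(resolve(m, "helper.dll"))   # None: the CD is no longer searched
```

The model shows why the slides treat the CD as the interesting variable: a missing optional DLL is resolved from wherever the CD happens to point, and the only two things that change that are the order itself (SafeDllSearchMode) and removing the CD step (CWDIllegalInDllSearch, or the application calling SetDllDirectory("") itself).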
22. Remote exploitation
• Just open a document (the lucky case)
• Make user Open/Save/Import/Export files, then trigger
• Or automate file operations with a script
• Induce an app state with CD changed by developer
• Set CD explicitly
• Find an app that CreateProcess()-es vulnerable app with good CD
27. Browser UI redressing
• IE9 on Windows 7
• Context: Local directory, network shared directory, WebDAV
• Explorer dir underneath a website
• Demo
• Also works in Chrome on Windows 7, but restricted to file download operations
28. Browser UI redressing (2)
• Chrome on Windows 7
• Context: remote
• Web server directory underneath a website
• Click-jacking game to silently download necessary files one-by-one
• Until all files are saved in %Downloads%
• Open exploit document
29. Set CD macro (MS Office)
• Context: local dir, network shared dir
• You can just execute arbitrary DLL from a macro
• But better to execute a kernel32!SetCurrentDirectory() API to fool forensic analysts
• Demo
30. MHT
• Single file in e-mail attachment
• Can contain any types of files, incl. binary
• Browser extracts files to %INET_TMP%
• Open exploit document by clicking <a href=“.\files\document.txt”
• Exploit DLL will be executed from the same directory
• IE9 on Windows 7
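An MHT file is a multipart/related MIME message, so the "any types of files, incl. binary" point above can be checked at the mail gateway before a browser ever extracts the parts. The following Python, added here and not part of the slides, parses an MHT with the standard library `email` module, lists every part that carries a Content-Location (each one is a file the browser may write to its cache), flags parts that look executable (PE "MZ" header or an executable extension), and pulls the scheme-less relative links out of the HTML part, since those are what would reference the extracted files. The sample message, its part names and `helper.dll` are constructed.

```python
"""Inspect an MHT (MIME HTML) attachment for embedded binaries and for the
relative links that would reference them once the parts are extracted.

Added example, not code from the original slides. The sample message is
constructed; real attachments are larger and usually base64 or
quoted-printable throughout.
"""
import base64
import email
import re
from email import policy

EXECUTABLE_EXT = (".dll", ".exe", ".ocx", ".cpl", ".scr")

# Constructed binary part: 64 bytes beginning with the PE "MZ" header.
_FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()

SAMPLE_MHT = (rb"""Subject: game
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/game/index.html

<html><body><a href=".\files\document.txt">Start the game</a></body></html>

------=_NextPart_000
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: file:///C:/game/files/helper.dll

""" + _FAKE_PE.encode() + rb"""

------=_NextPart_000--
""")


def inspect_mht(raw: bytes) -> dict:
    """Return the parts of an MHT, the executable-looking ones, and relative links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts, executables, relative_links = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # the multipart/related container
        location = str(part.get("Content-Location", ""))
        name = location.rsplit("/", 1)[-1]
        body = part.get_payload(decode=True) or b""   # undoes base64/QP
        is_pe = body[:2] == b"MZ"
        parts.append({"name": name, "type": part.get_content_type(),
                      "bytes": len(body), "pe_header": is_pe})
        if is_pe or name.lower().endswith(EXECUTABLE_EXT):
            executables.append(name)
        if part.get_content_type() == "text/html":
            html = body.decode("utf-8", "replace")
            for href in re.findall(r'href="([^"]+)"', html):
                # A link without a URL scheme is relative to the extracted dir.
                if not re.match(r"^[a-z][a-z0-9+.-]*:", href, re.I):
                    relative_links.append(href)
    return {"parts": parts, "executables": executables,
            "relative_links": relative_links}


if __name__ == "__main__":
    report = inspect_mht(SAMPLE_MHT)
    for p in report["parts"]:
        print(f'{p["name"]:12} {p["type"]:26} {p["bytes"]:5} bytes  PE={p["pe_header"]}')
    print("executable parts:", report["executables"])
    print("relative links :", report["relative_links"])
```

A gateway rule built on this output would quarantine an MHT that contains a PE-headed part regardless of its declared content type or extension, which is the check that matters here, because the browser writes the part out under whatever name Content-Location gives it.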
31. Archives
• Any archives for Windows that extract all files by default? Not SFX of course
• WinRAR (latest): browse archive, double-click a HTML document only
– Will extract ALL files into %TMP%
– Including exploit DLL
– Local browser context already
33. Multistage
• Case: DLL triggered by manual file import, no registered extension handler – unexploitable?
• Stage 1: User gets an e-mail from admin (fake) instructing to install the attached reg-file (looks innocent)
• In two weeks, stage 2: user gets an e-mail from a friend with a RAR-ed html game
• Click-jacked open file -> exploit
• Or open file via network share
• As simple as the user is
34. So, what do we have?
• Some 0-day vulnerabilities in up-to-date top platforms
– Think of non-top software
• Ways to manipulate CD
• Ways to hide DLL
• Remote DLL Hijacking exploitation looks like normal client-side exploitation
• What else?
35. Conclusions
• Is this a good vector for mass attacks?
– Authors of CVE-2011-1991, 1980, 2100 could tell us for sure
– I say no
– 0-day exploits are not necessary for mass attacks anyway
• Excellent vector for rapid targeted/onsite attacks
– Plenty of vulnerabilities everywhere
– Easy ‘n fast to find in arbitrary environment
– Easy ‘n fast to exploit (after this presentation)
• Even the most trivial bug can be worked down to a good exploit