March 21, 2005Using Image File Execution options as an Attack Vector on WindowsToday I was discussing a previous entry I wrote on why using CreateProcess is better than ShellExecute when I was informed by tenfour that I am missing a critical piece of the puzzle. That even with CreateProcess, you can EASILY redirect an executable and use misdirection threats just as you could with shell file extensions. In other words, you can't actually trust where an executable is starting up from, and if its the right executable in the first place. I will leave the actual usage of this attack vector up to the reader, as I really don't wish to provide working code for the script kiddies out there. On top of that, for this vector to be exploited you must have Administrator privileges already. Yet another reason why you should run as a normal user on your system. Anyways, the trick for redirecting a process loading is to attach it to the Image File Execution options within the Windows registry. By simply mapping the executable name to a different debugger source, you can actually load something else entirely. Let me give you a proof of concept:
Now to be fair, this isn't going to elevate your privileges or expose you to any more risk relating to malicious code that couldn't already be executed on your account. But with that said, this has the potential of SERIOUS effects for social engineering hacks and hostile code start points. As an example, spyware doesn't have to worry about trying to hide and start execution in the Run/RunOnce keys when they could simply tag to a common exe that starts up, and on startup spawn the real executable after doing its bidding. I will leave that to the reader to think about. This is one of the reasons I control application startup behavior in the kernel using a digital fingerprint (an MD5 checksum actually). You don't have to worry about the reparse point of the startup location, and you can simply STOP the execution of applications that have no right to start up. Once attackers start thinking about ways to exploit this, it could get pretty interesting. So what have we learned here? Well first off, its difficult to trust security by path. Secondly, you should be running as a normal user so this sort of attack vector cannot be started. (The DACL on this registry hive would prevent a normal user from touching it). Thirdly, the complexity in behind Windows exposes us to risk when we least expect it. I never even knew about this execution path. Even though my threat models show why its better to use CreateProcessAsUser over ShellExecute, it never even CONSIDERED this. I learn something new every day. Hope you do too. Posted by SilverStr at March 21, 2005 03:43 PM | TrackBackComments
wow... That was interesting, and i am glad that i learnt that today. I do use GPO's with hash based certification of applications. I also use Safer, yet another great thing that MS really needs to push. Even when we have only selected applications to run, just one application can create all holes needed to execute other apps. Firefox allows any user on the system to download extensions that could contain malware. Posted by: Badriram at March 21, 2005 08:30 PM |
My 5 Favorite Books
Writing Secure Code
Secure Programming Cookbook Security Engineering Secure Coding Principles & Practice Inside the Security Mind
My 5 Favorite Papers
Smashing the Stack
Penetration Studies Covert Channel Analysis of Trusted Systems DoD Trusted Computer System Evaluation Criteria NSA Security Recommendation Guides
Archives
March 2010
October 2009 August 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 April 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 March 2006 February 2006 January 2006 December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 GeoURL |