Monday, August 30, 2010

A summary of DLL hijacking - what did I do...

Workaround 1
1. Install the patch 2264107 and set CWDIllegalInDllSearch=0xFFFFFFFF
Benefit
Could mitigate the risk to very low level.
Impact
1). The patch 2264107 seems to interfere with the Wireless cards, specific to the models: E6400, Wireless Card: 1510
2). May break some applications. Potential affected software list could be found in the attachment: “Potentially vulnerable applications.docx”. you can also find it online: http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
--------------------------------------------------------------
Workaround 2
2 .Install the patch 2264107 and set CWDIllegalInDllSearch=1
Benefit
Prevent an application from loading a library from a WebDAV location.
Impact
1). The patch 2264107 seems to interfere with the Wireless cards, specific to the models: E6400, Wireless Card: 1510
2). Still vulnerable for Remote file share.
---------------------------------------------------------------
Workaround 3
3. Install the patch 2264107 and set CWDIllegalInDllSearch=2
Benefit
Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location
Impact
1). The patch 2264107 seems to interfere with the Wireless cards, specific to the models: E6400, Wireless Card: 1510
2). Cannot prevent the local dll attack.
---------------------------------------------------------------
Workaround 4
4. Block any outbound connection to a smb/webdav share. Ports are 445 and 135.
Benefit
Prevent the outside attack.
Impact
1). It is not possible to block smb/webdav share in internal network because users need it.
---------------------------------------------------------------

Real world DLL Hijacking samples: (from http://digitalacropolis.us/?p=113)
1. Using a SMB/WebDav shared folder
This is perhaps the most common way dll hijacking is being used, probably because it can be exploited remotely. It works by putting together a malicious dll and a clean file that triggers it inside a share and then making your target open this clean file. Remember a shared folder link always starts with double slashes like \\123.45.67.890. 1.

1). Attacker sends a shared folder link to a victim. Victim opens and sees some .html files and double-clicks one of them. When a vulnerable browser or application opens this file it loads a dll directly from this share, and victim is now infected.

Workaround: Combine workaround 1 and 4. Or Combine Workaround 3 and 4.

2). Attacker posts a link in a forum that looks like an http link but redirects victim to a shared folder. Victim opens a simple .pdf file and gets infected.

Workaround: Combine workaround 1 and 4. Or Combine Workaround 3 and 4.


3). Attacker gains access to a trusty website and puts iframes or redirects to his share. Victim trusts this site and opens an mp3 file inside the shared folder and… gets infected as well.

Workaround: Combine workaround 1 and 4. Or Combine Workaround 3 and 4.


4). Attacker uses the .lnk bug or any browser vulnerability together with any of above examples and thus increase his infect rate.

Workaround: Combine workaround 1 and 4. Or Combine Workaround 3 and 4.
5). Inside attacker put a clean file and a malicious dll to internal file share.

Workaround: 1 or 3.
----------------------------------------------------------
2. A compressed package (.zip, .tar.gz, .rar etc)
This vector can be exploited by putting together a bunch of clean files and a malicious dll inside a compressed folder/package. Target will extract these files and open one of them, getting attacker’s dll loaded.
1). Attacker compresses 30 jpg pictures and a dll in a zip file. Victim extracts everything to a folder and double-clicks one of the pictures. Infected.
Workaround:
1). Workaround 1.
2). Education: Before opening any kind of file, specially downloaded from the internet, check if there’s any dll file in the same directory. Don’t forget to enable show hidden files and show all extensions on your Folder Options. It’s also recommended to move only the files you need to open to another directory created by you. This should make you safe.

--------------------------------------------------------------
3. Torrents
This one is kind of nasty and can be very effective to contaminate large amounts of people. A torrent can contain large numbers of files and can be used to get a malicious dll downloaded together with clean files without being noticed. This is very dangerous, especially if a big torrent tracker or database can be compromised.
1). Attacker posts a custom torrent in a public tracker, which contains a pack of mp3′s and a malicious dll. Victim goes listen it’s new song album and get infected.
2). Attacker gains admin access to a torrent database (this actually happened to ThePirateBay not so long ago) and changes a legitimate high-traffic torrent for an infected one. This could cause a massive infection in a matter of minutes.
Workaround: Do not allow BT and P2P on the perimeter firewall.

----------------------------------------------------------
4. Exploiting multiple application hijacks
Increasing attack success rate for putting multiple dlls to exploit the same file type.
1). Attacker shares a folder which contains a bunch of .avi files and three malicious dlls: one for VLC, other for MediaPlayer Classic and, finally, the last one for Winamp. Attacker can now exploit three apps in the same attack, increasing the chance of victim getting infected.

Workaround: Combine workaround 1 and 4. Or  Combine Workaround 3 and 4.

Friday, August 20, 2010

IE 8 Certificate error and trusted sites grayed out

The problem happened after users started using Windows 7 and IE 8. Some users complained that they cannot access some secure websites especially Self-Signed Certificate websites. With Windows XP and IE 7, they could bypass the Self signed Certificate warning by just clicking the "Continue to this website (not recommended)" link. But now, the link doesn't show up anymore, the only option is "Click here to close this webpage". In addition, the local and trusted sites are grayed out. You can't even add sites to these zones.


After spent hours searching in Google, I was still no lucky. I’ve tried all the solutions that posted online:

1. Clear the boxes for: "Check for publisher's certificate revocation" and "Check for server certificate revocation” in IE security setting.

2. Update for Root Certificates from Microsoft Website.

3. Import the website certificate to trusted root certificates.

4. Modify the Registry key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000047

Unfortunately none of the above solutions worked for me. I thought I must miss something. Then I realized I might need to look at the local group policy. I didn't consider the group policy because only some computers had the problem, the others were working fine, and they are in the same OU and have the same global group policy.

After I dug into the local group policy, I finally solved the problem:

1. Close all the IE windows.
2. Run gpedit.msc
3. Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer ->Internet Control Panel
4. Set “Prevent ignoring Certificate errors” to “Disabled”. Now the “Continue to this website (not recommended)” Link should show up.
5. Navigate to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer ->Internet Control Panel -> Security Page
6. Set “Site to Zone Assignment list” to “Disabled”. This will allow you to modify the trusted list.
7. Open your IE and enjoy the freedom.

Friday, August 13, 2010

Open command windows here (DOS is Here)

It would be very handy if you can open a dos command window in the folder that you are currently borrowing by right click the folder icon. Windows 7 does provide this function, but it is kind of “hidden”. You have to press the Shift key, in the meantime, right click the folder icon, you will see the “secret” option “Open command windows here”.


How about Windows XP?

No, no secret option here, however, you can use registry key. Here is the code:

************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@="Open command windows here"

[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd \"%1\""

[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@="Open command windows here"

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@="C:\\windows\\SYSTEM32\\cmd.exe /k cd \"%1\""

*************************************************
Copy and paste to your notepad; save it as a .reg file; then double click the file to import it to the registry table.

That’s it! You'll get this:


Enjoy!

If you don't like it, here is the uninstall code:

***********************************************
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\Directory\shell\DosHere]
[-HKEY_CLASSES_ROOT\Drive\shell\DosHere]

***********************************************
Save it as a .reg file and run it. Just be sure you run it as an Administrator.