Remote Binary Planting – An Overlooked Vulnerability Affair presented at HITBSecConf Malaysia 2010

by Mitja Kolsek (ACROS Security),

Tags: Exploitation

URL : http://conference.hackinthebox.org/hitbsecconf2010kul/?page_id=1054

Summary : The binary planting vulnerability, although documented for over a decade, remained overlooked by researchers and developers alike – until now. Our research hopes to put it in its rightful place on the “top 10” lists where it seems to belong. Binary planting is an attack method where an attacker places a malicious executable on a local or network drive – possibly on the Internet – from where a vulnerable user’s application will load and execute it. The main enabler for this attack is the fact that Windows include the current working directory in the search order when loading executables.

In order to perform the research, we developed a tool for monitoring how applications set their current working directory and how they load their binaries. We launched the tool against more than 200 leading Windows applications. The results were surprising: almost every one of them was vulnerable to remote attacks. More than 520 vulnerabilities we discovered in these applications amount to roughly 100,000.000,000 (yes, that’s a hundred billion!) holes in existing computers worldwide.

In many cases, the malicious binary is loaded immediately after a user double-clicks a remote document, which we dubbed a “double-click-bang” effect. (Such bugs can easily be turned into worms.) Live attack demonstrations for various types of these vulnerabilities will show how easily exploitable many of them are.

We will show how Windows Explorer and most of the leading file management alternatives make it easier to exploit these bugs, and explain why Microsoft can’t implement any quick fixes to eliminate them without breaking many existing applications. Apart from collecting binary planting bugs, our research aimed to discover the root causes of their existence. We will show the common mistakes developers make to introduce binary planting vulnerabilities in their products, and try to explain why they make them. We will also see how an application can become vulnerable when ported to another Windows platform.

Finally, developers in the audience will get tips for avoiding or fixing binary planting bugs in their code, and users will learn what they can do to protect themselves.

Mitja Kolsek: CTO