Subscribe to the RSS feed in case you are interested in updates


After Acrossecurity, published an interesting vulnerability and HDmoore appears to have stumbled on the same issue, I decided to investigate on my own. I am not 100% sure it's the same bug but I am pretty confident. While it is known since years and Microsoft even dedicates a KB article to it, vendors appear to still have issues with using Loadlibrary/Getprocadress correctly.

Above does not show vulnerable examples (i.e the dll is not effectively loaded)

This issue appears to have been first discovered by Georgi Guninski (who else) in 2000, so it is not a new weakness and defensive mechanisms have been introduced into development languages as well as windows itself to mitigate this risk (if properly used)

If I will find more time this week I'll publish more details and backround as to introduce counter measures and checks into your hopefully mature Development Lifecycle.

In summary :
If loadlibrary is not called correctly AND/OR DLL Search path is not hardened opening a file located on a share will lead to DLL files being located on the share and code being executed that is within that DLL. Above is an example of Photoshop.

Until then know that this issue can be mitigated by deploying proper GPO policies that disables searching for DLLs on UNC paths (Documented in http://support.microsoft.com/kb/2264107)

Development Best practises that can protect against this weakness/vulnerability :
Tools to detect said bug class :
Mitigate this particular attack vector through GPO policies:
More information :
    Expect a lot of applications vulnerable to this bug and my title CVE-2010-x+n probably makes sense by now. Another low hanging fruit to watch out for.

    Subscribe to the RSS feed in case you are interested in updates

     Ivanlef0u released a POC for the exploit used in targeted attacks :

    More information :
    Mitigations :

    • Disable display of icons (regedit changes proposed by the MS Bulletin)
    • Use of Kernel mode protection drivers (Ariad, Sophos, etc.pp)


    Callstack:

    kd> g
    Breakpoint 1 hit
    eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
    eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    SHELL32!_LoadCPLModule+0x10d:
    001b:7ca78712 ff15a0159d7c    call    dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}
    kd> dd esp
    00f5e9c4  00f5ee7c 000a27bc 00f5ee78 00000000
    00f5e9d4  00000020 00000008 00f5ee7c 00000000
    00f5e9e4  00000000 0000007b 00000000 00000000
    00f5e9f4  00200073 002000e0 0000064c 0000028c
    00f5ea04  1530000a 00000000 003a0043 0064005c
    00f5ea14  006c006c 0064002e 006c006c 006d002e
    00f5ea24  006e0061 00660069 00730065 00000074
    00f5ea34  00090608 7c92005d 00000000 00000007
    kd> db 00f5ee7c
    00f5ee7c  43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00  C.:.\.d.l.l...d.
    00f5ee8c  6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02  l.l....|......r.
    00f5ee9c  4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00  K..........|....
    00f5eeac  ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00  ...|0...4.......
    00f5eebc  9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00  ...|0.......P@..
    00f5eecc  50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00  P@.........|@...
    00f5eedc  a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c  ....A..|....]..|
    00f5eeec  c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c  ...............|
    kd> kv
    ChildEBP RetAddr  Args to Child
    00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
    00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
    00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
    00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
    00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
    00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
    00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
    00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
    00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
    00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
    00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
    00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
    00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
    00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
    00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
    00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
    00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
    00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
    00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

    Subscribe to the RSS feed in case you are interested in updates


    Thanks @edisoar for the hint: IBM ISS collected information about the researches that discovered and published most Vulnerabilities in 2009 and apparently I am one of them :).

    One should add that XSS was also counted as a vulnerability, would this type of low key vulnerability have been ignored I would have moved up by a few places.


    Some vulnerabilities included on that list can be found here, including Remote code execution vulnerabilies in products from SUN, Oracle, Microsoft, Apple (Iphone). Needless to say that all of those vulnerabilities have been disclosed responsibly adhering to the responsible disclosure guideline.

    Source: IBM ISS


    Subscribe to the RSS feed in case you are interested in updates


    The Independant Games Festival is taking place right now, the Indie games [1] below have been nominated in the category "Excellence in Visual Art" :












    Subscribe to the RSS feed in case you are interested in updates

    Copied from the post over at G-SEC:
    At last. What started as an "I need an overview of best practise in SSL/TLS configuration" type of idea, ended in a 3 month code, reverse engineer and writing effort. I really hope this comes in handy for you and was worth the effort. This is the "Release candidate" version of the paper, should no errors be found it will be the final version.

    This paper aims at answering the following questions :
    • What SSL/TLS configuration is state of the art and considered secure (enough) for the next years?
    • What SSL/TLS ciphers do modern browsers support ?
    • What SSL/TLS settings do server and common SSL providers support ? 
    • What are the cipher suites offering most compatibility and security ?
    • Should we really disable SSLv2 ? What about legacy browsers ?
    • How long does RSA still stand a chance ?
    • What are the recommended hashes,ciphers for the next years to come

    The paper includes two tools :
    • SSL Audit (alpha) :  SSL scanner scanning remote hosts for SSL/TLS support (Video)
    • Harden SSL/TLS (beta) : Windows server and client SSL/TLS hardening tool (Video)
    Without further ado here is the complete package

    PS: In order to know whether this type of publication is useful to some and whether I should spend time on such publications in the future, I would appreciate a heads-up if you find this to be interesting. Thierry

    Subscribe to the RSS feed in case you are interested in updates

    Developed as part of G-SEC's investigation into the "Secure SSL/TLS configuration Report 2010" (to be published) we developed this little tool called SSL Audit. (More to follow in the next days - stay tuned).

    SSL Audit scans web servers for SSL support, unlike other tools it is not limited to ciphers supported by SSL engines such as OpenSSL or NSS and can detect all known cipher suites over all SSL and TLS versions.



    Apart from scanning available ciphersuites it has an interesting tidbit : The Fingerprint mode (Experimental). Included is an experimental fingerprint engine that tries to determine the SSL Engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways.

    SSL Audit is able to fingerprint :
    · IIS7.5 (Schannel)
    · IIS7.0 (Schannel)
    · IIS 6.0 (Schannel)
    · Apache (Openssl)
    · Apache (NSS)
    · Certicom
    · RSA BSAFE