Wednesday, October 2, 2013

bgp route injection == sick recon??

Short n sweet for this post, but I've got one brewing that I think will be pretty good, so stay tuned.  This is just some random food for thought...

So yea, bgp route injection is old news, but that didn't stop issues from coming back later.

I got thinking about this because I was talking to a buddy who runs networks at a company that got popped by everyone's favorite actor(s), Annoying Pwnage Terminators.

If you've ever been on the receiving end of their work, you might've been amazed at the sophistication of the recon.  Spearphish emails are just perfect mimics of the way legit ones look, and after they're in they don't seem to spend nearly as much time searching around for things as your avg pen tester.

The speculation I've heard is that this is due to the fusion of cyber milspec teams, college students, and state intel agencies.  That intel part must account for the uber-recon, right?

Well my buddy mentioned that sometime before the known start point of the breach, there was a route injection event that lasted a small amount of time, and originated from Asia.  He claimed that there was no traffic rcv'd back during that time, so basically packets from his org just routed out to some black hole in asia.

That bit got me thinking...  If you targeted bgp route injection like that, just what exactly would you end up getting from your victim??

The data would be somewhat limited if you weren't sending back ACKs for their push packets, but you could still grab some significant info:

- internal DNS
- internal IP
- email contents
- usernames
- cookies / session id's
- hashes / passwords
- etc??

So armed w/ my theory, I hit up another buddy who works in that space for a living and laid out my theory.  I can't lie, he sounded underwhelmed and didn't seem sold on the idea.  But it still seems interesting, so I figured I'd share.

Dan says there are crazy forensics on bgp injection history, but I think the attack my buddy experienced was from some local asian link (that was connected via mpls or whatnot to the rest of the network), so I'm not sure that type of injection would be captured by the logs.
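A small version of that kind of route-history check, added here as an illustration (not code from this post or from any tool it mentions): it replays a BGP update feed and reports announcements of your own address space from an unexpected origin AS, with how long each lasted and which peers saw it. The prefixes, AS numbers, peer names and the pipe-delimited feed format are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: the address space you own and the AS that should originate it.
# RFC 5737 documentation prefixes and private-use ASNs, constructed for the example.
EXPECTED = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64500,
}

# Constructed, time-ordered feed: unix_ts|A(nnounce) or W(ithdraw)|peer|prefix|as_path
SAMPLE_UPDATES = """\
1380000000|A|peer1|198.51.100.0/24|64510 64500
1380003600|A|peer2|198.51.100.0/25|64511 64666
1380003605|A|peer1|198.51.100.0/25|64510 64511 64666
1380004200|W|peer2|198.51.100.0/25|
1380004210|W|peer1|198.51.100.0/25|
1380007200|A|peer1|203.0.113.0/24|64510 64500
1380010800|A|peer1|192.0.2.0/24|64510 64999
"""

@dataclass
class Incident:
    prefix: str          # what was announced
    monitored: str       # which of our prefixes it falls inside
    origin: int          # AS that originated it (last hop of the AS path)
    expected: int        # AS that should have
    kind: str            # "more-specific" or "origin-change"
    first_seen: int
    last_seen: int = None
    peers: set = field(default_factory=set)
    open_routes: int = 0  # peers that still hold the route

    @property
    def duration(self):
        """Seconds from first announcement to last withdrawal; None while still active."""
        return None if self.open_routes else self.last_seen - self.first_seen

def parse(feed):
    for line in feed.splitlines():
        if line.strip():
            ts, kind, peer, prefix, path = line.split("|")
            yield int(ts), kind, peer, ipaddress.ip_network(prefix), [int(a) for a in path.split()]

def covering(prefix):
    """Return (our_prefix, expected_origin) if prefix is equal to or inside one we monitor."""
    for mine, asn in EXPECTED.items():
        if prefix.version == mine.version and prefix.subnet_of(mine):
            return mine, asn
    return None

def find_incidents(feed):
    active = {}      # (peer, prefix) -> unexpected origin currently held by that peer
    incidents = {}   # (prefix, origin) -> Incident
    for ts, kind, peer, prefix, asns in parse(feed):
        key = (peer, prefix)
        if key in active:  # explicit withdrawal, or implicit one (route replaced)
            inc = incidents[(prefix, active.pop(key))]
            inc.open_routes -= 1
            inc.last_seen = ts
        if kind != "A" or not asns:
            continue
        hit = covering(prefix)
        if hit is None or asns[-1] == hit[1]:
            continue  # not our space, or originated by the right AS
        mine, expected = hit
        origin = asns[-1]
        label = "origin-change" if prefix == mine else "more-specific"
        inc = incidents.setdefault(
            (prefix, origin),
            Incident(str(prefix), str(mine), origin, expected, label, ts))
        inc.peers.add(peer)
        inc.open_routes += 1
        active[key] = origin
    return list(incidents.values())

def short_lived(inc, max_seconds=3600):
    """True for events that appeared and vanished quickly, like the one described above."""
    return inc.duration is not None and inc.duration <= max_seconds

if __name__ == "__main__":
    for inc in find_incidents(SAMPLE_UPDATES):
        state = "active" if inc.duration is None else f"{inc.duration}s"
        print(f"{inc.kind}: {inc.prefix} (inside {inc.monitored}) from AS{inc.origin}, "
              f"expected AS{inc.expected}, {state}, seen by {sorted(inc.peers)}")
```

The set of peers matters for the local-link case: an injection that never left one regional link only shows up in feeds collected behind that link, so an empty result from distant collectors does not rule it out.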

Anyway, if you do business in that region, and if you've been popped by those crews, and if you can confirm that you saw route injection prior to the attack, feel free to drop me a note and I'll give anonymized updates here.

Until next time, have fun n keep hackin :)

Wednesday, August 21, 2013

late summer smash up

if i don't slam this thing together, i'm just not gonna write it, so here we go.

(last post was sooo off... as always, your mileage w/ my speculation n theory may vary ;)


Gotta start w/ saying I luvz my prez...  just do, that's all.

What a cluster...  The admin is historically pretty hard on whistleblowers, so the way things have played out can't be called a complete surprise.  I think there may be a missed opportunity, b/c it seems like answering the father's request to allow Snowden to remain a free man until his trial was a win/win situation for all.  Try to remember how he's being debriefed by our BFF Mr Putin when you try to work out your argument against that one....  More on the guts of that story later.

The same way you might argue that the Snowden whistleblowing could've (mayyybe) advanced the speed and substance of the discussions about NSA inet spying stuff...  Well maybe Manning advanced the US public's willingness and desire to move away from the two wars we were in.  I know we're peeved he leaked stuff, and wikileaks published stuff, but trying to contain information leaks by punishing the leaker or whistleblower seems like trying to hold water in your hand...  And there was a lot of loose talk about how this giant leak was going to cause terrible amounts of damage, but we're a long way down the road and I'm not seeing the chaos and harm to America so clearly atm...  The world learned a lot of interesting information, and other than the extreme fuck-up of publishing completely unredacted information at the outset (endangering individual lives), it seems like maybe that hasn't been a terrible thing.  Maybe his punishment can be somewhat lightened if you take into account that his actions may have saved lives in a roundabout way...  maybe...  maybe not.  who knows.

I know this guy didn't make it either way...

Chilly war times seem to be back...  I've heard there are people who see the current 'instability' in Egypt as 'good'...  I cannot comprehend it.  But maybe we should just smile and nod while Saudi tells us to chill while they support the re-installation of the prior Egyptian regime.  You know, it's just like Bahrain or something...?  I know energy and money and middle east politics are complex, but I still want to believe that core US principles don't waver for those things...  Booooo :(

I heard there are signs that maybe economic aid may be used as a lever...

There are so many low boil conflict zones w/ ethnic issues and poverty that are just ripe for chilly war badness.  Booooo...  If you want to make some blood money w/o the diamonds, invest in your military industrial complex corps for future returns.  Booooo  :-\

Corporations are people, my friend.  But for some reason, corps are allowed to do just crazy ass shit.  As a corp, you can get thousands of chickens or turkeys and lock them in a dark room, and pump them full of steroids so they are mutated and couldn't survive outside...  Or you do genetic bioresearch and imitate nature the way a child imitates an adult driving a car... :-\  You can treat those thousands of birds so bad that they go bald from stress, and that's one of the least gross side effects of the way we're making our food today...  crazy...

But if you're just a person, then slowwwww down there partner....

If you own 20 cats, the authorities might just kick down your door and take your animals and take you to court.

Do you want to mix some common household chemicals into a fun little concoction?!?  Well, enjoy maybe being a felon and serving the prison industrial complex forever.  Just google around a little and you can find examples of people having fun with some relatively harmless blowing shit up and being charged with a variety of crimes even up to 'weapon of mass destruction' concerning 'bombs' like mentos in coke bottles.  serious post 9/11 use of police resources, indeed.  some work has been done documenting the disturbing trends in police militarization.

Hate to use the same source for two links, but the rabbit hole goes pretty far in terms of corps being not quite as limited as traditional people when it comes to tinkering with things.

Side note, is the problem here that he had a GPS jammer, or that the airport doesn't use more advanced jamming resistant systems?

Alright, sorry, I have to drop by and derp some derp... derp...

Ok, there have been a number of odd plane crashes and emergency incidents.  A lot, but not all, have been Boeing aircraft.

I'm not sure I've heard that any of these incidents couldn't have been caused by computer issues... eek :-\

Moving right along, that's what technology is doing in our lives...  And holy crap, you can't validate bitcoins like that or you'll make them into real things! And HOLY CRAP, didn't I see that in COD:BLOPS2?  It seems too easy and unlikely to be legit, but who knows...?  And the best for last, 3d printed food sounds AMAZING!!  (ok, I'm sleep deprived, but srsly the idea of using any type of protein is nifty...)  And wherever there's tech, you know the mil-spec cats are already there...

Oh, tech moves on unless you're at the FSO...

Alright, here we go..  The first I heard of this came after the Boston bombings when the FBI admitted they could reconstruct phone conversations back in time, which sounded kinda odd...

Then Snowden came out and claimed responsibility for leaking info about the programs.  At the time, he asked for people to focus on the content, and not make the story about him....  Unfortunately, we probably spent far more time talking about Snowden himself and/or royal babies, rather than talking about the capabilities that the NSA might have, and why they might need those capabilities, and where we might want to draw the line on those types of activities.

It's funny how the companies identified as working with the NSA came out with complete double-speak initially.  They strongly stated to press conferences that they definitively didn't let the government access their servers.  People who understand how some of the tech allegedly works would know that the government could snoop everything with MitM SSL without ever accessing the private servers.  Eventually the story evolved.

And then things started getting silly...  The NSA claimed it was unable to search its own internal emails, even though they are capable of searching a whole world's worth of emails.

The tough part of this situation is that nothing seems clear.  You have a spook from a family of spooks, who apparently saw some thing(s) so terrible that he had a crisis of such magnitude that he decided to leave his family, and girlfriend, and career, and nation...  And unfortunately, the people who committed the acts that caused him such trouble probably took the very same oath that he did to protect the United States.  So who is really the bad guy here?

What I hear from Charlie (full interview is great!) and others is: working at one of the most secretive places in the world doesn't mean you really know what's going on...  And I believe that.

We aren't protecting the NSA stuff for national security imho.  Well, not in any real logical way.  The terrorists already believe the spooks can do all kinds of crazy voodoo, because their partners in terror are always getting blown up by missiles.  That's why the head of AQ was using an IRL courier and living without inet.

We're invoking state secrets because we don't want other nations to know what we can do to them.

But all the other nations are free to (and surely executing on) invest in technology just like the NSA does.  So the strategy of keeping our techniques private probably won't pay off.

I believe the official press conf on the NSA spying stuff included a quote about the 2 leaked programs referred to w/ numeric identifiers "215 and 702".  Ok...  If we're using 3 digit codes here, then is it safe to assume there are at least 10 similar programs instead of two? Or 100?  Or 250?!?  Or what?

Would we really be talking about these programs without a leak?  It's hard to see it.

So just put sunshine on all the stuff, so the public can decide what trade-offs are reasonable.  I've previously advocated for a number of ways to leverage tech for the greater good, in ways that many might initially find uncomfortable (ie: monitoring all cell phones for gunshots and/or screams of terror).  I believe tech can be leveraged for good, but only when people can see and understand how it's being used.

At the moment, we're seeing violations as we peek under the rug...  And it doesn't sound like a small thing.

But things are not trending toward sunshine, rather towards more automation...  It's like a Bourne movie...  Some things that have been outed will be dismantled, and those capabilities will re-emerge in a new shadowy form with a new code name or number, and things will continue.  Boooooo, cynical :(

Don't get me wrong, I believe there have been successes, but do we know the cost?  For Snowden, it appears the cost may have been high enough to throw his life away in order to try to wake us up...?

There have been some unusual and odd theories running around about Boston.  I am not getting spun up in conspiracy theories, but I see an interesting side thought.  In the modern day and age, how difficult would it be to plant images in legit journalist HDDs and web sites, in order to manufacture a meta-conspiracy...  You could then point the internet investigators in the right direction, and stand back while they do your work to propagate the story you planted...  crazy, right? :)

So let's talk tech instead.  If you controlled all of the major inet links for a nation, and if you had SSL MitM for most connections...  and nearly unlimited tech and resources...  In my imagination you could create a sensory deprivation tank capable of control and influence that is far more insidious than the controls described in 1984.  An individual could be put in a virtual reality-distortion tank.  Communications inbound and outbound to that person could be influenced in real time.  The subject could be isolated and influenced to communicate with the 'right' people by letting some calls go to voicemail, and delaying texts and emails.  Their web browsing could have dynamic content injections to control their thinking.  Their streaming music could be hijacked to influence their mood.  Their computer could crash and act against them at the times to cause maximum disruption.  The sky is the limit when you're imagining the modern capability set...  Some people are starting to understand.

I recently hung out with 5 cool cats who are part of the 中華民族, but didn't seem like typical 華夏族.  They were very nice to me, and I enjoyed chatting them up, and I learned some cool stuff.  Anyway, they told me that in China, you can't even get to YouTube...

They might've been decent with computers, and I wish I'd had the presence of mind to remind them that the 金盾工程 is reportedly not too difficult to bypass.  And I hear there *might* be some hackers in China... ;)

So then the question becomes, do people who have powers that others don't have bear a shared responsibility for not using those powers to help the people who don't have them...

If you can help people like you have basic freedoms that they don't have today, do you owe them that?

If you are drafted into servitude to enslave your brothers, is there really no way you can act to do what you think is right?  Where and how do you decide what you will do to be proud when you see yourself in the mirror?

It seems like I'm not the only one thinking this way...  Take a look at how those crazy scary Anonymous cats used their power FOR GOOD!  And it isn't just a one time thing, they are kinda like that special drop box the SAS has, but they HELP police solve crimes on the side instead of killing people ;)  I've got a good friend who has been concerned about how hacker geeks treat women at conferences and in the office and such, and I guess I think Anon has really stood up w/ these actions on behalf of battered women, so maybe he can have hope...

So does this type of demonstration of power mean that current and future hackers are really becoming a 5th column?  Power grids are shaking, and elites are being called out on BS, and standard quos are being upset.

There will always be things we can't control, but don't we all choose how we add or subtract to this world?  Are we cogs in a machine that enable oppression, or are we the ghosts and gremlins that upset the general order and disrupt how those machines operate?

Just a parting shot/thought...  is this what it looks like when you let guys with computers tell guys w/ missiles and guns where people are?  Tragically breathtaking...


Sunday, February 10, 2013

Threat Assessment: Red Cell (Christopher Dorner)

I'd call this situation fascinating if people weren't dying.  The Dorner situation provides an examination of the risks presented by malicious insiders.  Dorner seems to be a case-study example of the types of threats modeled by Marcinko with his Red Cell antics.  Since he's been on the loose for 48 hours, it seemed worth a look...

Note: I am not an expert, or a shrink, or anything.  Just throwing ideas out there.

Info below based on a reading of the manifesto.

Subject has demonstrated a willingness and ability to attack and evade. Given the time available to plan this scenario, it is reasonable to expect the subject has multiple safe-houses available.  Subject will probably employ operational tactics that go beyond simple firearm attacks.

[Counter Tactics]
Given the high level of training and education displayed, specifically the repeated references to effective TTP of adversarial forces, it is reasonable to expect that the subject will employ proactive tactics to maximize his ability to both successfully strike and evade capture. Examples include diversion and subterfuge used in support of primary mission execution, secondary attacks to demoralize operational LEO assets, and tactics that create resource/asset drag on operational LEO assets.

It is reasonable to expect the subject continues to actively employ signals and cyber technologies to perform ISR.  Wherever possible, communication via secure technologies should be employed in order to prevent eavesdropping.

[Current Location]
Until the subject is located or attacks again, it must remain a possibility that he has left the LA area, although this seems unlikely.

While rural locations offer many advantages, and the subject is likely at home in outdoor environments in all weather conditions, there are significant disadvantages to rural locations, such as the inability to avoid observation or scrutiny while traveling quickly.

Hiding in plain sight in a dense urban environment may offer significant advantages, such as access to resources and multiple forms of transit.  Subject is likely to employ disguises to minimize chances for recognition.

[Key Observations]
It seems likely that the subject has ongoing access to local LE and federal cyber resources.  Particular attention should be paid to valid logins coming from the SOCAL area that have collisions with other valid login timings and operating patterns.

Due to the physical size of the subject, he may choose to move primarily at night to minimize observation.

Expect trickery and subterfuge.  The subject believes himself to be in control of the situation, and will attempt to lead LE assets astray to continue operating towards his primary objective.  Don't be too quick to follow obvious paths with all available resources when capture seems likely or imminent.

Expect subject to be armed at all times, possibly with a silenced weapon.  The subject will be dressed in a style that supports a holstered concealed weapon.

[A Note to the Subject]
Don't kill me, bro.  ;)  You laid out that whole "don't even bother to profile me" thing, as if it were impossible.  In your report, you make it clear that your anger is specifically directed at LAPD for taking everything you had.  Unfortunately you're utilizing federal training to take your revenge, so you're betraying the oaths you've taken.  Your mom was correct, sometimes bad things happen to good people.  You are driven to this to regain your name, so the only path forward is to use your skills to escape and evade and build a new life.  You can only destroy with violence, it won't let you build a better reality within LAPD, like you hope it will...

More Modern Governing

I'd been sitting on this post for a bit, and then unfortunately this happened and became a thing...

According to reliable sources, Swartz was driven to abandon hope for his future when he acted like an activist and broke some laws, and was facing 35 years in prison.

In my opinion, this tragic outcome is just another sign of how our government is failing to keep pace with the realities of technology in the modern world.

We have a system where re-elected prosecutors worry about looking soft on virtually any category of crime, and hesitate to make reasonable deals to allow citizens who briefly lose their way to repay a debt to society and move on with a life that is generally unblemished in the eyes of the law.

When convicted of any felony in the US, some of which are easy to accidentally do, one faces a lifetime of punishment.  Abandon all hope of future employment for those who wear the scarlet "F".  And more and more, even misdemeanor convictions can haunt you.

Similarly, a drunken poor decision to urinate behind a bush can brand you as a convicted sex offender for the rest of your days.

We drive people to undesirable outcomes when we ruin the hopes they place on their future lives.  The reason the phrase "paid his debt to society" exists is that we want those who lose their way to be able to regain the good path.

And the joke of it is that there is a real problem with digital law breaking in the modern age.  Credit-card and other information theft is generally trivial to accomplish, and there are plenty of people out there living it up with money coming out of the credit card companies and small businesses (who eat costs sometimes).  And the fact is that these people face limited risk of being caught and punished despite repeated or massive abuse.

So when we catch an activist who is clearly not in it for the money, we throw the book at someone who helped create the digital world we love.

The part that is hardest to swallow is that when it comes to generating revenue, it appears that government is all about embracing a new technical world.  My local PD and govt employ automagic ticket writing cameras that must be reaping dividends when they're hitting people for $100+ for every failure to fully stop on a red for a right turn...

And recently I snagged this pic of what appears to be an auto-license plate scanner on a local PD cruiser:

I assume this will make ticketing easier for a variety of infractions.

The executive and judicial branches embrace technology when it comes to putting your embarrassing life details on the internet as well.  For years now people on the interwebz have been lulzing at funny mugshots.  Criminal databases are often public, and some states put all court cases online so everyone can know things you might otherwise consider private.

And yet, when it comes time to "re-elect" judges it seems like there is no concept of openness.  It seems rare to find any transparency of why a given decision is made, so you end up with internet articles full of raging outbursts about why someone should've been punished more, or how on earth could someone like this get off so lightly?!?  if a judge is serving in a public capacity, and if my mistakes are open to the world at large, why shouldn't everyone be allowed to access the information behind judicial decisions and outcomes?

There are a lot of areas where technology could have significant impacts on pursuing justice.  For example, it seems likely that cell-phones could be programmed to automatically capture information and contact authorities when they detect gunshots and/or screams via integrated microphones.  This could probably be done in software with checks and balances, and reduction of false-positives (ie: movies).  Some people might consider that an invasion of privacy, while others might point out that it could save lives.

There are a lot of opportunities and choices ahead for all of us in this space...  it's a shame Aaron won't be around to help us build the future.  In my opinion, he should've been fined and placed on probation and allowed to live his life.

Saturday, October 13, 2012

ramblin on, ain't saying nothin

so you can use the google safesearch diagnostic to check out what google has to say about the security of a given domain.  nifty!.. n maybe those google cats are a little too honest? ish?

it's tough to know what to say about the nsa wiretap case getting dismissed...   nice try eff...

i was talking w/ someone recently who was going on about how there are still significant constitutional barriers between foreign and domestic surveillance... yea, whatever you say...

so here's a shout to a great prank: 


mobile malware is getting pretty crazy creative, at least in the lab ;)  3d maps of whatever your phone can see.  i think there's a lot of potential for stuff in this space...


i'd be willing to bet this attack exploited a binary planting vuln of some type...  it's nifty how the attacker was probably leaning on the valid sig on the service executable to throw off investigators.  i imagine that the dll was basically just an unwrapper, and the third file maybe had an extension that isn't generally subjected to much attention by av/scanner tools...

Thursday, June 7, 2012

mobility speculation

been talking less and doing more, as the decreased frequency in posting might imply...  hopefully i'll have something to share soonish, and will also try to share some good stuff made by other peeps too.  before anything, i want to say that there are giants who've come before me, and if i couldn't stand on their shoulders i wouldn't be able to see or accomplish much at all...  big ups to those who are working, researching, publishing, talking, sharing, and schooling!

a year or two ago 'mobility' was the buzz word to use if you were a security vendor trying to sell some FUD... solutions seemed lacking... i don't hear as much about mobility today, but it doesn't seem like the threat has diminished...

so there's this fable about taking a grain of rice, and doubling it for each square on a chess board...  when you get to the second half of the chess board, the numbers just get crazy...  someone pointed out that if you look at moore's law, today we're somewhere around the 30th or 31st square on the board...

this post is about the mobile space taken in that general context...

a couple years back i was lucky enough to kick it in some swank vegas suite w/ a bunch of smart peeps...  we shared drinks and shot the breeze, and it was a pretty good time.  i talked to this cat from berlin who was/is active in the mobile space, and when i asked how long i had until i needed to really worry about my phone, he told me probably 12-18 months...

based on how things have played out since then, it doesn't seem like he was too far off...  the mobile sploit space seems to be quite interesting and active.  looking at the talks given at past conferences, it seems like there are a lot of ways to do a lot of damage...  and what i'm hearing about upcoming cons is that the mobile space is crowded full of people itching to talk about how they can pwn your phone.

[target space]
mobile seems like a great platform to attack for a number of reasons:

- ubiquitous coverage: phones are almost everywhere you go
- limited target platforms: android, iphone, ... umm... ummm... something else?
- reliability: phones are pretty much always on, and always connected
- flexibility: phones can communicate across so many channels...  sms, direct tcp/udp over 3g/4g, http, etc....
- ignorance: most ppl have no idea what's going on w/ their desktops, laptops, and servers...  visibility into phones is significantly worse

- uncleanable!: not like there are many tools at your disposal to clean your phone...  but try this out for fun...  back up your contacts and whatever, and then 'factory reset' your device...  well, i haven't tried an iphone, but on android...  well, you might notice that after the reset your phone *did not* go back to the state it was in after you bought it.  all those software updates your provider pushed remained in place even though all the trivial user stuff was reset.  this means that the memory that stores that 'good state' is writable.  if someone roots your phone, it doesn't seem like anything is preventing them from writing their pwnage there, and thus gaining persistence on your mobile platform... ug!

[so wtf are you talking about?]
just rambling about mobility attack and defense...  so here are a few ideas about how you could use mobile platforms in ways not intended by mobile carriers; first some simple ones, and then some that are maybe more complex...

[simple mobile attacks]
- surveillance: i pwn your phone, and now i know a *lot* about you...  i can listen w/ your microphone, so i know what you're saying, and who you're screwing.  i can take pics n vid w/ your camera(s), and even though that's usually just the inside of your pocket, i can still get a lot of good stuff if i'm persistent or if i use programming to watch for changes before i capture anything...  so i know where you go, and what you do, and who you talk to, and all that good stuff....

- blackmail: since i know all that stuff, and since you have plenty of vices and secrets and lies in your life, i can blackmail you pretty easy...  well, most of you ;)

- virtual theft: hey lookit, you use your smart-phone for all kinds of things...  i can keylog and get all kinds of passwords and such, and abuse you w/ all of that...

- spam: i use your connectivity to send my messages, and since ppl believe and click that shite, i make $$$...

[complex-ish mobile attacks/capabilities]
- research foo: some peeps are talking about using mobile phones as mass detection and reporting platforms...  including simple sensors and things like that to enable near-real-time detection and reporting...

- physical/IRL theft/crime:  since i can watch and listen and track everything someone does, it makes crime wayyyy easier.   looking through your calls and txts lets me know who you interact with, and who you live with.  i can find their numbers and pwn them too.  then i can wait until you're all away from the house somewhere far away, and maybe even wait until your neighbors aren't around too (or are sleeping, or are otherwise distracted) and then rob your house

- area surveillance:  imagine you're the criminal above, or maybe some type of operator on a secret mission...  by monitoring all the phones in a given location, you can get an idea of whether or not anyone heard you break that window, or whether they are calling the police.  you can know what the people around you are seeing, hearing, and thinking...

- covert signal piggybacking for anonymous comms:  ever see one of those videos demoing how you can spoof a cell phone base-station and intercept the comms of any nearby phone?  well in theory it seems like you could do the same thing but be way more passive about it.  it seems like you could captivate all local devices and then use a communication protocol that is capable of packetizing a communication stream and splitting it across multiple channels to arrive at the same destination.  by sending your signal chopped up across multiple devices, it could be very difficult to trace back who originated the signal...  it might not be optimal for two-way communications (although that might be possible), but for a single directional xfer, it should work nicely.  one could imagine purpose built devices with a wireless antenna and ethernet jack that allow a person in an environment with an oppressive regime to communicate freely by hitching a ride on the signals of nearby mobile devices...  many governments (both oppressive and freedom loving) are investing in reducing the ability of average citizens to communicate anonymously.  if a session could be parsed and split across multiple carriers and multiple connections, it seems that would become significantly more difficult to track and suppress....

i haz no great ideas on how to make better software...  but as far as i can figure, one potential solution for improving mobile security is for phones to include physical switches/toggles that act as kill switches for given services.  flip switches on your handset to activate/deactivate things like 3G, camera, microphone, gps... this simple idea would at least give consumers and phone owners the power to feel relatively confident that phone features aren't being used if they don't want them to be...  yes, the idea is pretty simple and lame, and no it will probably never happen...

Monday, October 3, 2011

'confused deputy' persistence mechanism: binary planting

so this is not a new idea really, but mb worth a little thought/exploration...

most of the recent-ish binary planting research seemed to focus on remote code execution attacks. but sometimes you don't need remote root.

some ppl say this attack is old news and lame, but then other people say 'whatever lands me shell'... binary planting came up in the adaptive pentest talk at DerbyCon, and maybe even Mitnick is using it (as also mentioned in a Derby talk). so whether or not you think it is lame, it appears ppl are using it.

a few weeks back i was digging around w/ binary planting in terms of priv escalation (which coincidentally got kicked around on FD recently)...

if you don't need CWD to win, then the set of potential DLL load attempts changes a bit. lots of apps on boxen out in the world run w/ elevated privs, so maybe there's something to leverage there. specifically pretty much any DLL load attempt that doesn't find a target could be interesting. but even back on XP the default file perms and the landing place of most DLL loads limit the attack surface available to a non-admin user. so i kinda walked away from priv escalation w/o much success.

but maybe you've got root on a box. now you want your code to persist and exec through reboots. being tricky and hiding can be nifty, but hiding in plain sight can work too. home users don't pay a bunch of attention or have a ton of knowledge, and big environments are often resource constrained and nowhere near tracking detailed state on their endpoints (integrity checking, etc).

when you're digging for someone hiding under those conditions, sometimes you want to check machines for ways they automatically exec arbitrary code. so you dig through the registry and some folders, and look at core system files... and, well, it's kinda a lot of work...

so after i re-read some of Nick Harbour's thoughts on the issue, i think he already covered this pretty well, and really alluded to the potential magnitude and complexity of this situation...

but i guess i'll add a couple thoughts. first off, Nick seems to mostly consider the issue within the OS realm, but in IRL situations deployed apps give a much larger potential surface. and like the Acros peeps point out in some of their research, there are a number of DLL loads which are pure misses (ie: the DLL doesn't reside on the system, but the system is running fine). if you're search-order hijacking a core system DLL, an investigator can hone in on duplicate DLLs, or maybe where a stub is calling the other DLL to maintain required system functionality.

but a casual review on win7 and winXP found a number of 3rd party apps that miss on calls to non-existent DLLs during normal operation. if you're hiding on a box which is regularly used by a user, there are plenty of opportunities to maintain persistence (often) without going anywhere near System32, because the apps used by the user or loaded by system administrators will happily exec correctly named files in the right location (hence the confused deputy). since the system runs fine without the DLLs in the first place, it seems like lots of these apps produce no error messages or other obvious evidence when they call a DLL which doesn't do what it was hoping for... since it's DLL hell already, one wonders how much solid version and checksum information is really available...?
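A defender-side sketch of the hunt described above, added here as an example (not code from the original post): it takes a baseline of DLL load attempts that missed, then checks a later file listing for files that now sit at one of those missed paths or that duplicate a System32 DLL name elsewhere. The Process Monitor-style CSV columns, the sample rows, the file inventory and the function names are all constructed assumptions.

```python
import csv
import io
import ntpath  # Windows path rules, usable on any host OS

# Constructed baseline: load attempts shaped like a Process Monitor CSV export.
BASELINE_CSV = r'''"Process Name","Operation","Path","Result"
"viewer.exe","CreateFile","C:\Program Files\Viewer\helper32.dll","NAME NOT FOUND"
"viewer.exe","CreateFile","C:\Windows\System32\version.dll","SUCCESS"
"avscan.exe","CreateFile","C:\Program Files\AV\plugins\lang_xx.dll","NAME NOT FOUND"
"backup.exe","CreateFile","C:\Program Files\Backup\settings.ini","NAME NOT FOUND"
'''

# Constructed file inventory taken from the same host at a later date.
INVENTORY = [
    r"C:\Windows\System32\version.dll",
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\Program Files\Viewer\version.dll",
    r"C:\Program Files\AV\plugins\lang_xx.dll",
]

def missed_dll_loads(csv_text):
    """Map each DLL path that was probed but absent to the processes that probed it."""
    missed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        if row["Result"] == "NAME NOT FOUND" and path.endswith(".dll"):
            missed.setdefault(path, set()).add(row["Process Name"])
    return missed

def find_suspects(missed, inventory, system_dir=r"C:\Windows\System32"):
    """Flag files filling a baseline miss, and DLLs shadowing a system DLL name."""
    sysdir = system_dir.lower()
    paths = [p.lower() for p in inventory]
    system_names = {ntpath.basename(p) for p in paths if ntpath.dirname(p) == sysdir}
    findings = []
    for p in paths:
        if p in missed:
            # A file now exists where the app used to miss: review who wrote it.
            findings.append(("filled-miss", p, sorted(missed[p])))
        elif ntpath.dirname(p) != sysdir and ntpath.basename(p) in system_names:
            # Same name as a system DLL but outside System32: duplicate to triage.
            findings.append(("shadows-system-dll", p, []))
    return findings

if __name__ == "__main__":
    for kind, path, procs in find_suspects(missed_dll_loads(BASELINE_CSV), INVENTORY):
        print(kind, path, ",".join(procs))
```

Each finding is a lead to triage (signer, hash, install history), not a verdict, since legit apps do ship private copies of DLLs.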

and to loop right back to the privilege escalation issue... in a more modern OS where privilege escalation isn't as easily accomplished, getting your code through a user-initiated MS Office load might get you a non-admin shell where a given priv escalation technique fails. but when exploiting a missed load from a modern commercial AV product and getting a non-admin shell, the same priv esc technique pulls root...? kinda want to research that more... the "Anti-Virus" product remained blissfully unaware that it had been co-opted and was now the persistence mechanism which maintained a compromised state on the victim machine... sloppy DLL loads and no tracking of its own integrity... go figure.

not every DLL miss is a gem, but the attack surface seems pretty broad after some quick digging... browsers, media viewers, security/privacy apps, productivity apps, backup apps, etc...

the advantage to the attacker here is that the attack surface is broad and murky. app DLLs are generally not as well documented as OS components. there are more versions and less info.

plus if you change the way you look at it, maybe you don't need the code to exec on boot. if the code execs when the user performs an action, or once a week when a scan is run, the end result for the attacker is the same but now the defender has a whole lot more to look for. this isn't really a 'universal' attack method, b/c it is dependent on the app deployment posture of the environment being attacked, but even that becomes an attacker advantage b/c they aren't hiding in the same place every time. and then on the flip-side, in a given org maybe the vulnerable app is widely deployed.

anywho, check it out and see what you think :)