Monday, October 3, 2011

'confused deputy' persistence mechanism: binary planting

so this is not a new idea really, but mb worth a little thought/exploration...

most of the recent-ish binary planting research seemed to focus on remote code execution attacks. but sometimes you don't need remote root.

some ppl say this attack is old news and lame, but then other people say 'whatever lands me shell'... binary planting came up in the adaptive pentest talk at DerbyCon, and maybe even Mitnick is using it (as also mentioned in a Derby talk). so whether or not you think it is lame, it appears ppl are using it.

a few weeks back i was digging around w/ binary planting in terms of priv escalation (which coincidentally got kicked around on FD recently)...

if you don't need CWD to win, then the set of potential DLL load attempts changes a bit. lots of apps run on boxen out in the world run w/ elevated privs, so maybe there's something to leverage there. specifically pretty much any DLL load attempt that doesn't find a target could be interesting. but even back on XP the default file perms and the landing place of most DLL loads limits the attack surface available to a non-admin user. so i kinda walked away from priv escalation w/o much success.

but maybe you've got root on a box. now you want your code to persist and exec through reboots. being tricky and hiding can be nifty, but hiding in plain sight can work too. home users don't pay a bunch of attention or have a ton of knowledge, and big environments are often resource constrained and no where near tracking detailed state on their endpoints (integrity checking, etc).

when you're digging for someone hiding under those conditions, sometimes you want to check machines for ways they automatically exec arbitrary code. so you dig through the registry and some folders, and look at core system files... and, well, it's kinda a lot of work...

so after i re-read some of Nick Harbour's thoughts on the issue, i think he already covered this pretty well, and really alluded to the potential magnitude and complexity of this situation...

but i guess i'll add a couple thoughts. first off, Nick seems to mostly consider the issue within the OS realm, but in IRL situations deployed apps give a much larger potential surface. and like the Acros peeps point out in some of their research, there are a number of DLL loads which are pure misses (ie: the DLL doesn't reside on the system, but the system is running fine). if you're search-order hijacking a core system DLL, an investigator can hone in on duplicate DLLs, or maybe where a stub is calling the other DLL to maintain required system functionality.

but a casual review on win7 and winXP found a number of 3rd party apps that miss on calls to non-existant DLLs during normal operation. if you're hiding on a box which is regularly used by a user, there are plenty of opportunities to maintain persistence (often) without going anywhere near System32, because the apps used by the user or loaded by system administrators will happily exec correctly named files in the right location (hence the confused deputy). since the system runs fine without the DLLs in the first place, it seems like lots of these apps produce no error messages or other obvious evidence when they call a DLL which doesn't do what it was hoping for... since it's DLL hell already, one wonders how much solid version and checksum information is really available...?

and to loop right back to the privilege escalation issue... in a more modern OS where privilege escalation isn't as easily accomplished, getting your code through a user-initiated MS Office load might get you a non-admin shell where a given priv escalation technique fails. but when exploiting a missed load from a modern commercial AV product and getting a non-admin shell, the same priv esc technique pulls root...? kinda want to research that more... the "Anti-Virus" product remained blissfully unaware that it had been co-opted and was now the persistence mechanism which maintained a compromised state on the victim machine... sloppy DLL loads and no tracking of it's own integrity... go figure.

not every DLL miss is a gem, but the attack surface seems pretty broad after some quick digging... browsers, media viewers, security/privacy apps, productivity apps, backup apps, etc...

the advantage to the attacker here is that the attack surface is broad and murky. app DLLs are generally not as well documented as OS components. there are more versions and less info.

plus if you change the way you look at it, maybe you don't need the code to exec on boot. if the code execs when the user performs an action, or once a week when a scan is run, the end result for the attacker is the same but now the defender has a whole lot more to look for. this isn't really a 'universal' attack method, b/c it is dependant on the app deployment posture of the environment being attacked, but even that becomes an attacker advantage b/c they aren't hiding the same place everytime. and then on the flip-side, in a given org maybe the vulnerable app is widely deployed.

anywho, check it out and see what you think :)

Wednesday, July 6, 2011

late spring-cleaning mash-up ramblings

.:[Contemporary Attack & Defense: Lulz Teez Peez]:.

If you can not be kind, at least have the decency to be vague
By 渍 (stains)

soooo, The-State-Run-Attack-Group-That-Shall-Not-Be-Named is pwning all over... and so are plenty of other attack groups... prolly even the most nimble and motivated orgs are working hard to keep up.

some industry statements are so WTF!?!... it can be tough to tell FUD vs ignorance...?

afaik, there isn't a wealth of sharing when it comes to effective defense tactics/techniques/procedures. it is arguably important to protecting some effective defensive TTPs, but certain norms are common and fatal and not often dealt with:

  • admin rights
  • pervasive broad access which often isn't auditable, much less monitored in near real time
  • feeble patching policies
  • laughable vendor-"driven" "remediation" via "anti-virus" "quarantine"
  • virtually non-existent internal segmentation
  • weak controls and non-existent near-real-time visibility on egress flows
  • virtually no control or integrity concerning the processes and executables on systems across environments large and small

imho, lulzsec gets a +1 for doing the world the service of unignorably highlighting the fact that 'dedicated attackers' can kick a lot of our asses in no time flat. some might be uncomfortable w/ that fact, but how can you ignore it? that hackolution was just tweetivized... ;)

.:[Balance in the Waves of Attack & Defense: Frivolous Musings]:.

It may be that your sole purpose in life is simply to serve as a warning to others
By 士松 (Shisong)

improvement in attack has been exponential while defense has been linear...

  • tons of excellent education opportunities
  • glamorous pen-test consultant lifestyle
  • top-tier exploit r&d shops for ninja
  • howto? take your pick: app attacks, social eng, os attacks, rented attacks, etc
  • multiple state & independent movements w/ differing and/or overlapping agendas/motivations
  • wide variety of white/grey/black profit opportunities

  • vendor hell
  • academic & CEH/CISSP ivory towers
  • individual security controls have limited effectiveness and are generally "expensive"
  • some reversing crews understanding and/or combating modern malware
  • a few outspoken 'mainstream' (?) voices (Herzog, Kaminsky, Potter, etc) continue to press to improve on the status-quo clusterfuck known as "defense-in-depth"
  • listening to environments and effectively processing data quickly into simple relevant information is arguably a key weakness

defense needs improving if just because it is significant commitment and work to try to effectively secure a small simple environment...

my shameless but short-winded manifesto(*) on maybe improving defense:
  • K.I.S.S.
  • intimate knowledge of what/why you permit & deny the rest
  • work w/ what you have (free-ish) first
  • push security roles and accountability to existing accountable admins, not to security orgs that shadow the IT org
  • get good at effectively parsing vast datasets into actionable and relevant information

(*): please note that the author does not claim to implement any of this effectively

as for long term improvement, gotta say +1 to mudge for highlighting the need for simpler execution environments in his shmoo keynote.

.:[Future IRL Attack & Defense: Reflections & Predictions]:.

(All assets, when misunderstood, become liabilities)
By 欣侑欣侑欣侑欣侑 (Xinyou/Urges Joyful)

.:[+]:. years ago while reading "Secrets & Lies", i was struck at the insight that inet crime mimics many aspects of IRL crime but w/ certain restrictions removed (geographic proximity, repeatability, etc)... so if IRL crime influenced inet crime, could the inverse happen? perhaps the pervasive access to knoweldge as well as the ability to acquire virtually any required component may someday empower independent sophisticated IRL attack groups in accomplishing awe-inspiring feats of IRL crime... and/or vigilantes?

.:[+]:. the deep integration of technology into the fabric of society will inevitably breed and empower a somewhat anarchist element which will not respect borders, governments, and various bothersome restrictions... a class in society which picks and chooses whether or not to follow certain norms and rules, and could perhaps literally open doors which are closed to the average person...


(Happiness is not everything, people have a responsibility)
By 文佩齊華 (Wen Peiqi China)

.:[+]:. doing stuff beats talking about it... so hopefully you all will hear less from me ;)

.:[+]:. to sslvis users: legit or malicious, you keep killing my terrible inefficient kludge back-end "app"... by... using the app :) i'm honored to have so much participation!!! tons of features could improve the app, i will try to make some progess after the next major milestone on the current project... yes, i know it's been over a year since the craptastic alpha was released, sry i am full of the suck :-\

.:[+]:. greetz & respect to all the amazing attackers & defenders i've been honored to share proximity with in the aether... i'm trying to keep up w/ school, but there's ppl setting a wicked pace on all sides!

.:[+]:. and thanks for reading along, and also for the comments... was getting a lot for a while, but they almost all included sketchy links so i mostly managed to keep them un-posted despite a few that slipped through ;) but i enjoyed reading them, so super belated greetz (in no specific order) to the peeps published and/or quoted as well as: 欣侑欣侑欣侑欣侑, 王辛江淑萍康, 楊愛惟, 色情成人卡通漫畫圖, MinB2139, 惠邱邱邱邱雯, 靜錢錢錢怡錢錢錢錢, 阮艳, 文佩齊華, 敬周喜, 嘉王偉, 陳佑發, 佳皓佳皓, 盈廖生家秀蔡, 吳婷婷, 雅莊王edgd春2蕙婷余惠其, 筱婷筱婷, 峻龍, 怡潔怡潔, 慶天慶天, burtong, 林尹, & 秀葉 :D

(There is no dead-end road, there are no insurmountable difficulties, there is no enemy to fight who is undefeated)
By 楊宜婷俊嘉 (Yang Yi Ting handsome fine)