Presentation Title Binary Planting – First Overlooked, Then Downplayed, Now Ignored
You’ve probably heard by now that most Windows applications on your computer are willing to silently download and execute malicious code from an Internet server? While known for over a decade, this vulnerability class remained overlooked by researchers and developers alike – resulting in more than 520 remotely known exploitable issues in over 200 widely-used applications, and counting (other researchers have added another 200 products to the list). The malicious exploitation has already begun: Stuxnet is using binary planting for persistence and propagation, and others are following suit.
Binary planting (subset of which is also called DLL hijacking, DLL preloading and Untrusted library loading) is an attack method where an attacker places a malicious executable on a local or network drive – possibly on the Internet – from where a user’s vulnerable application will load and execute it. The main enabler for this attack is the fact that Windows include the current working directory in the search order when loading executables.
In order to perform the research, we developed a tool for monitoring how applications set their current working directory and how they load their binaries. We launched the tool against more than 200 leading Windows applications and the results were surprising: almost every one of them was vulnerable to remote attacks.
In many cases, the malicious binary is loaded immediately after a user double-clicks a remote document, which we dubbed a “double-click-bang” effect and can be easily used for creating new worms. Live attack demonstrations for various types of these vulnerabilities will show how easily exploitable many of them are.
We will explain why Microsoft can’t provide an efficient systemic fix for these vulnerabilities without breaking many existing applications, and highlight the serious shortcomings of the existing official remedy that leave most computers at risk.
Apart from collecting binary planting bugs, our research aimed to discover the root causes of their existence. We will show the common mistakes developers make to introduce binary planting vulnerabilities in their products, and try to explain why they make them. We will also show how an application can become vulnerable when ported to another Windows platform.
Finally, researchers in the audience will learn how to use free tools for detecting binary planting bugs, developers will get tips for avoiding or fixing these bugs in their code, and users will learn what they can do to protect themselves. In addition, the most current findings, including better exploit vectors for binary planting bugs, will be presented to the audience.
About Mitja Kolsek
In over 12 years of security addiction, Mitja has perforated an array of business-critical products, computer systems and protocols by leading software vendors, searching for atypical vulnerabilities and effective ways of fixing them. His passion is security research, discovering new types of security problems, such as “session fixation”, and new twists on the known ones, such as “binary planting”. Mitja is CEO and CTO of ACROS Security (www.acrossecurity.com), an independent security research lab, and frequently writes about the company’s research findings at blog.acrossecurity.com.