Monday, August 23, 2010

Binary Planting Update, Day 6

As some of you may have noticed, the world of Windows applications is looking at some bumpy times. Six days ago, our company ACROS Security published an iTunes security advisory describing what we called a remote "Binary Planting" vulnerability. This vulnerability allows a remote attacker to place a (preferably hidden) malicious DLL on a network shared folder alongside a media file; when a user opens this media file from the share, iTunes starts with the share as its current working directory and silently loads and executes the planted DLL from there. We also published two similar vulnerabilities in VMware Tools in April. Which is all nice in and of itself, speaking as a researcher.

However, there's more jewelry stored in this particular chest. Our company has been conducting in-depth research into this type of vulnerability since November 2008. We first developed a tool for detecting these bugs and then, time permitting, subjected about 220 widely-used applications to the powers of our tool. Initially expecting only a few bugs here and there, we were surprised to find about 90% of the applications vulnerable. And when I say "vulnerable", I mean vulnerable to remote code execution in a real-world scenario, without the attacker having any privileges on the user's computer. In December 2009, we applied for a patent on a number of different methods for detecting this type of vulnerability.

Earlier this year, we informed Microsoft about our research, which allowed them to prepare for the publication and possibly provide some solutions for the affected users. And judging from our research results, there will be a great many affected users: we can safely say that, at this moment, every Windows user can be attacked via at least one remote binary planting vulnerability.

Now, unsurprisingly, we were not the only ones researching this area. Hours after our publication of the iTunes advisory, our respected peer HD Moore disclosed the existence of about 40 applications he had found to be vulnerable in this way. While we weren't planning on releasing our research until the end of August, HD accurately tweeted that "the cat was out of the bag", so it was time for us to disclose some information as well. Which produced news articles in a number of outlets.

Today, academic researcher Taeho Kwon also joined the party with the research paper he and Zhendong Su published earlier this year. Their paper mentions a couple of vulnerabilities of the "remote binary planting" type, i.e., where the malicious binary is loaded from the current working directory, allowing for a remote, even Internet-based attack. In that article, Kwon claimed to be in possession of 19 remotely exploitable vulnerabilities, and there is no reason to doubt it, as they have demonstrated the ability to find such bugs. However, it would be wrong to think that the over 1,700 "unsafe DLL loadings" mentioned in their paper all allow for remote exploitation; in fact, most of them seem to require local administrative privileges for exploitation, which makes them local rather than remote issues. That said, Kwon and Su have done a great job and very thorough research, and may prove to be an important source of concrete Binary Planting vulnerability information in the weeks (months) to come.

Finally, why do we call it "Binary Planting" if it's an old bug that has already been named "DLL preloading", "Unsafe library path", "DLL spoofing" or, to some extent, "Vulnerable dynamic component loading"? The main shortcoming of these names is that the same problem affects not only libraries but also executables such as .EXE and .COM files. Our upcoming research paper will provide more details and will hopefully justify the new name.
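To make the three distinctions drawn above concrete (a DLL picked up from the current working directory on a share versus one that already resolves from the application or system directory, and the same problem for executables started by bare name), here is an added example that is not code from this post, from ACROS Security's detection tool or from any vendor named here. It encodes the documented default Windows DLL search order with SafeDllSearchMode enabled, the legacy order with it disabled, and the CreateProcess search order for a bare executable name, and then plays them against a constructed in-memory "file system". All directory and file names (including `plugin_helper.dll`, `sysutil.dll` and `helper.exe`) are assumptions for the demonstration and do not refer to any real iTunes or VMware Tools component.

```python
"""Model of the Windows search orders behind "remote binary planting".

Added example, not code from the post or from ACROS Security. Encodes the
documented default DLL search order with SafeDllSearchMode enabled
(application dir, system dir, 16-bit system dir, Windows dir, current
working directory, PATH), the legacy order with it disabled (current
directory second) and the CreateProcess order for a bare executable name
(application dir, current directory, system dirs, PATH). The fixture
below is constructed; no name refers to a real product component.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed fixture: directory -> names of files present in it.
FIXTURE: Dict[str, Set[str]] = {
    r"C:\Program Files\Player": {"player.exe", "codec.dll"},
    r"C:\Windows\System32": {"sysutil.dll", "helper.exe"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    # Attacker-controlled share: a media file plus hidden binaries planted
    # next to it. Opening trailer.mp3 from here starts the player with the
    # share as its current working directory.
    r"\\evil-host\public": {"trailer.mp3", "plugin_helper.dll", "codec.dll",
                            "sysutil.dll", "helper.exe"},
}


def is_remote(directory: str) -> bool:
    """UNC paths (SMB or WebDAV shares) are reachable by a remote attacker."""
    return directory.startswith("\\\\")


@dataclass
class LoadContext:
    app_dir: str
    cwd: str
    system_dir: str = r"C:\Windows\System32"
    system16_dir: str = r"C:\Windows\System"
    windows_dir: str = r"C:\Windows"
    path_dirs: List[str] = field(default_factory=list)
    safe_dll_search_mode: bool = True
    # True once the application has called SetDllDirectory(""), which
    # removes the current working directory from the DLL search order.
    cwd_removed: bool = False

    def dll_search_order(self) -> List[str]:
        system = [self.system_dir, self.system16_dir, self.windows_dir]
        cwd = [] if self.cwd_removed else [self.cwd]
        if self.safe_dll_search_mode:
            return [self.app_dir] + system + cwd + self.path_dirs
        return [self.app_dir] + cwd + system + self.path_dirs

    def exe_search_order(self) -> List[str]:
        # CreateProcess with a bare file name: the current directory comes
        # second, and neither SafeDllSearchMode nor SetDllDirectory moves it.
        return [self.app_dir, self.cwd, self.system_dir, self.system16_dir,
                self.windows_dir] + self.path_dirs


def _resolve(name: str, order: List[str],
             fs: Dict[str, Set[str]]) -> Optional[str]:
    wanted = name.lower()
    for directory in order:
        if wanted in {f.lower() for f in fs.get(directory, set())}:
            return directory
    return None


def resolve_dll(name: str, ctx: LoadContext,
                fs: Dict[str, Set[str]] = FIXTURE) -> Optional[str]:
    """Directory LoadLibrary(name) would load from, or None if it fails.

    Simplification: KnownDLLs and modules already mapped into the process
    are never searched on disk; only a fresh load by bare name is modelled.
    """
    return _resolve(name, ctx.dll_search_order(), fs)


def resolve_exe(name: str, ctx: LoadContext,
                fs: Dict[str, Set[str]] = FIXTURE) -> Optional[str]:
    """Directory CreateProcess(name) with a bare name would start from."""
    return _resolve(name, ctx.exe_search_order(), fs)


def classify(where: Optional[str], ctx: LoadContext) -> str:
    """Label a resolution result the way the post separates the bug classes."""
    if where is None:
        return "not found"        # the load fails; no planted code runs
    if where == ctx.cwd and is_remote(where):
        return "remote planting"  # the user only has to open a file on the share
    return "local only"           # the attacker already needs local write access


if __name__ == "__main__":
    share, app = r"\\evil-host\public", r"C:\Program Files\Player"
    contexts = {
        "default": LoadContext(app_dir=app, cwd=share),
        "legacy": LoadContext(app_dir=app, cwd=share, safe_dll_search_mode=False),
        "SetDllDirectory": LoadContext(app_dir=app, cwd=share, cwd_removed=True),
    }
    for dll in ("plugin_helper.dll", "codec.dll", "sysutil.dll"):
        for label, ctx in contexts.items():
            where = resolve_dll(dll, ctx)
            print(f"{dll:18} {label:15} {classify(where, ctx):16} {where}")
    for label, ctx in contexts.items():
        where = resolve_exe("helper.exe", ctx)
        print(f"{'helper.exe':18} {label:15} {classify(where, ctx):16} {where}")
```

Running it shows the shape of the problem: a DLL the application asks for by bare name but that exists nowhere on the machine (`plugin_helper.dll`) falls through to the share under both DLL search orders and is only stopped by removing the current directory with `SetDllDirectory("")`; a DLL already present in the application directory (`codec.dll`) is never taken from the share, so planting it is a local issue; a system DLL name (`sysutil.dll`) is safe only because SafeDllSearchMode moves the current directory behind the system directories; and an executable started by bare name (`helper.exe`) is taken from the share regardless of either DLL setting, which is the point behind the broader "Binary Planting" name.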