Re-Hacking Fixed iTunes and Creating a Binary Planting-Positive Application Without Writing a Single Line of Code
As the Hack In The Box conference in Kuala Lumpur is just around the corner, we'd like to announce a couple of previously undisclosed candies the attendees of our Remote Binary Planting – An Overlooked Vulnerability Affair session will receive.
Re-Hacking Fixed iTunes
As you may know, the binary planting bug in Apple iTunes is famous for triggering the whole DLL hijacking / binary planting / DLL preloading explosion that's been echoing around the Net for over a month now. We released our advisory when Apple fixed the binary planting bug that allowed a remote attacker to get her malicious QUSEREX.DLL executed on users' computers. The vulnerable executable was AppleMobileDeviceHelper.exe (along with a number of others that also tried to load this DLL). Interestingly, iTunes.exe was already protected with a SetDllDirectory call, possibly as a result of the famous Safari-IE blended threat issue in 2008, where Safari and IE unwittingly colluded against users to execute malicious code on their computers.
Our analysis of the iTunes binary planting fix revealed that AppleMobileDeviceHelper.exe now calls SetDllDirectory as well, which is a good thing. In addition, it no longer tries to load the non-existent DLL, adding to the basic security hygiene. All is well in the land of apples and binary planting then, right?
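To make the two parts of the fix concrete, here is an added example (not code from Apple or from this post) that models the Windows DLL search order as a plain C simulation runnable anywhere: the loader walks the application directory, the system directories, the Windows directory, then the current working directory and finally PATH; SetDllDirectory("") removes the CWD entry, and SetDllDirectory(dir) puts dir right after the application directory instead of the CWD. The directory names, the remote share used as the current directory, and the DLL placement are constructed for the demo; the model omits KnownDLLs, manifests and legacy (non-SafeDllSearchMode) ordering. It shows why a request for a DLL that exists nowhere on the legitimate path ends up being satisfied from the CWD, and why both removing the CWD from the path and not requesting a non-existent DLL close that window.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_DIRS 8

/* Constructed filesystem for the demo: which DLL lives in which directory. */
typedef struct { const char *dir; const char *name; } file_t;
static const file_t fs[] = {
    {"C:\\Program Files\\iTunes", "iTunesCore.dll"},   /* hypothetical app DLL */
    {"C:\\Windows\\System32",     "kernel32.dll"},
    /* The process's current directory: a remote share the user opened a file from.
       QUSEREX.DLL exists nowhere else, so only this copy can ever be found. */
    {"\\\\fileserver\\pub",       "QUSEREX.DLL"},
};

static const char *cwd     = "\\\\fileserver\\pub";          /* constructed */
static const char *app_dir = "C:\\Program Files\\iTunes";    /* constructed */

/* Build the search list. dll_dir == NULL: SetDllDirectory never called.
   dll_dir == "": SetDllDirectory("") was called, so the CWD is removed.
   Any other value: the directory passed to SetDllDirectory, searched right
   after the application directory; the CWD is no longer searched. */
int build_search_order(const char *dll_dir, const char **out) {
    int n = 0;
    out[n++] = app_dir;
    if (dll_dir && dll_dir[0]) out[n++] = dll_dir;
    out[n++] = "C:\\Windows\\System32";
    out[n++] = "C:\\Windows\\System";
    out[n++] = "C:\\Windows";
    if (!dll_dir) out[n++] = cwd;   /* SafeDllSearchMode: CWD after the Windows dir */
    out[n++] = "C:\\Tools";         /* a constructed PATH entry */
    return n;
}

/* The loader compares file names case-insensitively. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Returns the directory the loader would take `name` from, or NULL when
   LoadLibrary would fail (nothing is executed in that case). */
const char *resolve_dll(const char *name, const char *dll_dir) {
    const char *dirs[MAX_DIRS];
    int n = build_search_order(dll_dir, dirs);
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof fs / sizeof fs[0]; j++)
            if (strcmp(fs[j].dir, dirs[i]) == 0 && name_eq(fs[j].name, name))
                return dirs[i];
    return NULL;
}

/* 1 if loading `name` under this configuration would execute a DLL taken
   from the current directory, i.e. the binary planting condition. */
int loads_from_cwd(const char *name, const char *dll_dir) {
    const char *d = resolve_dll(name, dll_dir);
    return d != NULL && strcmp(d, cwd) == 0;
}

int main(void) {
    const char *names[]   = {"QUSEREX.DLL", "kernel32.dll", "iTunesCore.dll"};
    const char *configs[] = {NULL, "", "C:\\Program Files\\iTunes\\plugins"};
    const char *labels[]  = {"no SetDllDirectory", "SetDllDirectory(\"\")",
                             "SetDllDirectory(plugins)"};
    for (int c = 0; c < 3; c++)
        for (int i = 0; i < 3; i++) {
            const char *d = resolve_dll(names[i], configs[c]);
            printf("%-26s %-15s -> %s%s\n", labels[c], names[i],
                   d ? d : "(load fails)",
                   loads_from_cwd(names[i], configs[c]) ? "  <-- from CWD" : "");
        }
    return 0;
}
```

The table the program prints makes the point of the post: with no SetDllDirectory call, the only DLL served from the CWD is the one that does not exist anywhere legitimate; kernel32.dll is found in System32 before the CWD is ever consulted. After SetDllDirectory("") the QUSEREX.DLL load simply fails, and once the executable stops asking for the DLL at all there is no request left to redirect.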
Well... Come to our presentation at HITB and see what "blended threat" really means in this multi-player drama that will likely trigger some 2008 flashbacks. You'll learn that SetDllDirectory isn't always that effective, and see how iTunes.exe feels about it.
Creating a Binary Planting-Positive Application Without Writing a Single Line of Code
For those of you optimizing the number of keystrokes for writing vulnerable applications (we know you're out there), this will be your treat. We'll show how innocent, well-meaning developers can create a binary planting-positive application without writing a single line of code, and without doing anything out of the ordinary. There is a well-known development platform out there that really takes the effort out of insecure coding. And chances are you're using it.
[Update October 18, 2010: How Visual Studio Makes Your Applications Vulnerable to Binary Planting]
[Update October 27, 2010: Breaking The SetDllDirectory Protection Against Binary Planting]
See you next week in KL!