Monday, September 20, 2010

Binary Planting Attack Vectors

There's more than one way to skin a cat... or plant a binary, for that matter.

There seem to be differing views among IT professionals on how easy or difficult it is to actually mount a binary planting attack. Microsoft's Jerry Bryant, for instance, was quoted saying: "Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important," possibly referring to this attack example. On the other hand, Aviv Raff prepared a demo page for exploiting the (now fixed) uTorrent binary planting bug via Google Chrome (see video), showing how users can be tricked into a binary planting trap without any warnings. Attacks using USB tokens and CD/DVD media were discussed (which are quite feasible), and many researchers are convinced that binary planting attacks are fairly easy to mount. Our own experience in penetration testing confirms binary planting to be currently one of the most efficient and reliable methods for obtaining remote access to workstations in target networks.

Our team has done an analysis of many different delivery methods for binary planting attacks, providing a hopefully more comprehensive view on the feasibility of such attacks. We looked at some of the most popular web browsers, most popular e-mail clients and most popular document readers, trying to use them as delivery mechanisms for binary planting attacks.

Both Microsoft's and Raff's scenarios are included in the analysis along with many others. We've also provided a couple of demonstrations that you can test for yourselves and see how/if they're working for you. (Combine these with our online binary planting test to demonstrate the issue to your customers and friends.)

Some interesting findings:

  • Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users.
  • Clicking a link to a remote shared folder in an e-mail message will open this share in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live Mail users, regardless of their default web browser. (E-mail is the most likely vector for targeted attacks on corporate and government networks.) 
  • In contrast to Internet Explorer, we found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive (e.g., attacker sends an HTML file to the user via e-mail.)
  • The Protected View makes Word 2010 and Excel 2010 less suitable for binary planting attacks, as documents originating from Internet or received via Outlook require the user to confirm a security warning before hyperlinks are enabled. 
All in all, it appears that most  attack scenarios don't include any security warnings. Users should therefore be careful when opening any hyperlinks - not just on web pages, but also in e-mail, documents and IM messages.  

See the Binary Planting: Attack Vectors analysis and find out how you can be attacked.

Click to see if you're exposed to remote Binary Planting attacks