Thursday, June 2, 2011

COM Server-Based Binary Planting Proof Of Concept

[Update September 19, 2011: Windows update MS11-071 breaks this proof of concept by removing the deskpan.dll registry reference. It thus no longer works but can still be used as a learning reference.]

For educational purposes we decided to publish a proof of concept (PoC) for the COM Server-Based Binary Planting attacks described in our previous post. We prepared both online and offline versions for 32-bit Windows XP running Internet Explorer 8.

Online Proof of Concept

Visit \\www.binaryplanting.com\demo\XP_2-click\test.html (with Internet Explorer) and follow instructions. You must have WebDAV communication with the Internet enabled and must not have the CWDIllegalInDllSearch hotfix installed.

Offline Proof of Concept

Download a ZIP archive of the PoC here, extract it and follow the instructions in readme.txt. You can test the PoC either from a local network share or locally on a single Windows XP machine.


Conditions And Potential Weaponization

Note that this is a proof of concept only, not a weaponized exploit. The reliability thus depends on a few factors:

  1. You have to be running Internet Explorer 8 on 32-bit Windows XP (although it probably works on IE 7 too). A weaponized exploit could automatically detect the user's Windows and IE versions and provide an exploit for 32-bit and 64-bit XP, Vista or Windows 7 accordingly.
  2. You have to have "Show common tasks in folders" selected under "Folder options" in Windows Explorer. (This is the default setting.) A weaponized exploit could use various attack vectors for different user configurations.
  3. The automatic COM server launching process in relation to special folders is largely undocumented and can be unpredictable. A weaponized exploit could initiate various special-folder-related activities to further improve reliability.
  4. The SMB-to-WebDAV fallback takes a while (usually 10-15 seconds in our tests) and our PoC requires you to wait. A weaponized exploit could initiate this communication in the background while the user is reading an interesting text on the web page.
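Two of the prerequisites named above (the CWDIllegalInDllSearch hotfix being absent and WebDAV client communication being enabled) are things an administrator can check from PowerShell. The script below is an added example for that check, not part of the original PoC; it assumes the hotfix is controlled by the `CWDIllegalInDllSearch` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` and that WebDAV redirection is provided by the `WebClient` service, as both are documented by Microsoft.

```powershell
# Added defender-side check (not from the original post): report whether this host
# still matches the two configuration prerequisites the PoC depends on.
# Assumption: the hotfix setting lives at the registry location documented by Microsoft.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'CWDIllegalInDllSearch'

$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $value) {
    Write-Output "$name is not set: hotfix absent or not configured (CWD stays in the DLL search path)."
} else {
    # The value is a DWORD; PowerShell reads 0xFFFFFFFF back as Int32 -1, so widen it first.
    $raw = [int64]$value -band 0xFFFFFFFF
    switch ($raw) {
        4294967295 { $desc = 'current working directory removed from the DLL search path entirely' }
        2          { $desc = 'DLL loads from CWD blocked when CWD is a remote (UNC or WebDAV) location' }
        1          { $desc = 'DLL loads from CWD blocked only when CWD is a WebDAV location' }
        0          { $desc = 'default search order, no protection' }
        default    { $desc = 'unrecognised value' }
    }
    Write-Output ("{0} = 0x{1:X8} ({2})" -f $name, $raw, $desc)
}

# The SMB-to-WebDAV fallback the post describes needs the WebClient (WebDAV redirector) service.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WebClient service not present: no WebDAV fallback from this host.'
} else {
    Write-Output ("WebClient service is {0} (start type: {1})" -f $svc.Status, $svc.StartType)
    if ($svc.Status -eq 'Running') {
        Write-Output 'WebDAV redirection is active; remote-share DLL loading remains possible unless blocked above.'
    }
}
```

On Windows XP the `StartType` property is not available on service objects from older PowerShell versions, so that part of the output may be blank there; the `Status` value is what matters for the fallback.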

You're welcome to follow our research on Twitter.