Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Mon, Sep 05, 2011 at 07:50:51PM +, Thor (Hammer of God) wrote: Excellent points - one slight addition, though: In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. Scripts can certainly be restricted based on the account context they are executed under. There is actually plenty one can do with normal user scripts, but as you've pointed out, many of the options admins require scripts for need escalated privileges. This is obviously be design, and it helps to keep admins aware of best practices when choosing to deploy solutions via scripting. There are, of course, many many other ways once can accomplish system maintenance in a more secure way such as WMI, PS (which can require signed scripts) and of course GPO and/or any other number of solutions. I thought it important to outline that since, in my experience with real admins, WSH is actually *not* used mostly for system maintenance per se, but for standard automation. Using scripts to perform actual administrative tasks/maintenance is just a bad idea to begin with. you mean to perform actual administrative tasks/maintenance ``real admins'' just click with the mouse on the platform in this thread? -- joro ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Paul, Those file extensions correspond to scripts. If a file contains a script that runs when the file is double clicked, and the scripting engine is not sandboxed (meaning the script can do the same things an executable file can do) then the attack is meaningless. You can simply have the script inside the file do malicious things instead of planting a DLL. Binary planting, regardless of the discussion about it being a vulnerability or not, in any case only makes sense when the file only contains static data, or when the file contains executable code that would normally not have the same privileges as a standard executable file. (A script that doesn't get executed when double clicking on it -for example if a text editor is opened instead- would be the same case as in a data file). I've never used .js or .jse scripts on Windows, but all the other extensions are patently not sandboxed scripts. In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. I'm guessing the same applies to .js and .jse then, and of course I wouldn't mind seeing proof that it doesn't. However the links you provided don't really prove anything (the first one even says this is not a complete list, and I admit I've only glanced the second one but it seems unrelated, as it applies to file transfers on Microsoft Sharepoint). Planting a DLL file to be executed at the same time as other executable file is just a convoluted way of doing the same thing. It *may* be used in some strange, artificial situations, but I'm not convinced there aren't better ways to do it, and in any case it doesn't justify an advisory. And judging from what the timeline reads, I believe Microsoft simply ignored this one. I hope my explanation helped :) -Mario On Mon, Sep 5, 2011 at 12:54 AM, paul.sz...@sydney.edu.au wrote: Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Many people commented that the above extensions are executable already, so are (should be) treated with caution, or that they can be trojaned directly without any DLL load shenanigans. However... looking at http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx I do not see JS listed as executable, though JSE is listed. Looking at http://msdn.microsoft.com/en-us/library/ms722429.aspx I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP machine, none of the above extensions are designated. Maybe DLL hijacking is useful for some of these file types, after all? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
lol, the japanese ddosed their children and the official version is they tried to entertain them. the official version appears as fuzzing while not knowing doing so. -- joro On Sun, Sep 04, 2011 at 05:34:00PM +, Thor (Hammer of God) wrote: Something like Pokemon malware would be awesome: http://faculty.washington.edu/chudler/pokemon.html t -Original Message- From: Georgi Guninski [mailto:gunin...@guninski.com] Sent: Sunday, September 04, 2011 9:20 AM To: valdis.kletni...@vt.edu Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote: Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. wouldn't it be more profitable to develop a brain exploit (like what news write)? human brain doesn't seem suited enough for rooted computer output. to my knowledge 25th frame is banned in TV. if someone *releases* (partial) hypnosis malware this might be profitable and change the meaning of botnet. -- joro ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I agree, in some remote scenario this may work, but doesn't justify an advisory. Off-topic: First Insect PRO, and now this? What's happening fellow Latin-americans? our standards are falling. Please behave, this is the Internet! On 09/05/2011 07:33 AM, Mario Vilas wrote: Paul, Those file extensions correspond to scripts. If a file contains a script that runs when the file is double clicked, and the scripting engine is not sandboxed (meaning the script can do the same things an executable file can do) then the attack is meaningless. You can simply have the script inside the file do malicious things instead of planting a DLL. Binary planting, regardless of the discussion about it being a vulnerability or not, in any case only makes sense when the file only contains static data, or when the file contains executable code that would normally not have the same privileges as a standard executable file. (A script that doesn't get executed when double clicking on it -for example if a text editor is opened instead- would be the same case as in a data file). I've never used .js or .jse scripts on Windows, but all the other extensions are patently not sandboxed scripts. In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. I'm guessing the same applies to .js and .jse then, and of course I wouldn't mind seeing proof that it doesn't. However the links you provided don't really prove anything (the first one even says this is not a complete list, and I admit I've only glanced the second one but it seems unrelated, as it applies to file transfers on Microsoft Sharepoint). Planting a DLL file to be executed at the same time as other executable file is just a convoluted way of doing the same thing. It *may* be used in some strange, artificial situations, but I'm not convinced there aren't better ways to do it, and in any case it doesn't justify an advisory. And judging from what the timeline reads, I believe Microsoft simply ignored this one. I hope my explanation helped :) -Mario On Mon, Sep 5, 2011 at 12:54 AM, paul.sz...@sydney.edu.au wrote: Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Many people commented that the above extensions are executable already, so are (should be) treated with caution, or that they can be trojaned directly without any DLL load shenanigans. However... looking at http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx I do not see JS listed as executable, though JSE is listed. Looking at http://msdn.microsoft.com/en-us/library/ms722429.aspx I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP machine, none of the above extensions are designated. Maybe DLL hijacking is useful for some of these file types, after all? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Excellent points - one slight addition, though: In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. Scripts can certainly be restricted based on the account context they are executed under. There is actually plenty one can do with normal user scripts, but as you've pointed out, many of the options admins require scripts for need escalated privileges. This is obviously be design, and it helps to keep admins aware of best practices when choosing to deploy solutions via scripting. There are, of course, many many other ways once can accomplish system maintenance in a more secure way such as WMI, PS (which can require signed scripts) and of course GPO and/or any other number of solutions. I thought it important to outline that since, in my experience with real admins, WSH is actually *not* used mostly for system maintenance per se, but for standard automation. Using scripts to perform actual administrative tasks/maintenance is just a bad idea to begin with. t ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Mon, Sep 5, 2011 at 7:45 PM, root ro...@fibertel.com.ar wrote: Off-topic: First Insect PRO, and now this? What's happening fellow Latin-americans? our standards are falling. Please behave, this is the Internet! [image: The_Internet_is_Serious_Business - Low.jpg] -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” The_Internet_is_Serious_Business - Low.jpg___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
dll hijacking, so 2010. wtf is this shit, its been a year since this class of vulns became mainstream infosuck. On 09/02/2011 05:59 PM, Mario Vilas wrote: If it's a trusted .vbs then how would you drop a .dll in the same directory? If you have write permissions it's easier to just modify the .vbs. You might as well claim the added value is to backdoor a .vbs file subrepticiously so it doesn't show when inspecting the source code. But it doesn't add that much, really, since a new and misterious .dll file would also draw the attention, so it's probably easier to hide malicious intent into the source code by obfuscating it. On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote: Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. wouldn't it be more profitable to develop a brain exploit (like what news write)? human brain doesn't seem suited enough for rooted computer output. to my knowledge 25th frame is banned in TV. if someone *releases* (partial) hypnosis malware this might be profitable and change the meaning of botnet. -- joro ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Something like Pokemon malware would be awesome: http://faculty.washington.edu/chudler/pokemon.html t -Original Message- From: Georgi Guninski [mailto:gunin...@guninski.com] Sent: Sunday, September 04, 2011 9:20 AM To: valdis.kletni...@vt.edu Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote: Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. wouldn't it be more profitable to develop a brain exploit (like what news write)? human brain doesn't seem suited enough for rooted computer output. to my knowledge 25th frame is banned in TV. if someone *releases* (partial) hypnosis malware this might be profitable and change the meaning of botnet. -- joro ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Fri, 02 Sep 2011 18:05:32 PDT, IA64 LOL said: dll hijacking, so 2010. wtf is this shit, its been a year since this class of vulns became mainstream infosuck. Just remember - NBC advertised its summer reruns as If you didn't see it before, it's new to you... That, combined with the fact that there's always new people entering the field, means we're stuck with a September that never ended scenario. The sad part is that for the people entering Benoit College this fall, it has *always* been September. pgpokloroI30l.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Many people commented that the above extensions are executable already, so are (should be) treated with caution, or that they can be trojaned directly without any DLL load shenanigans. However... looking at http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx I do not see JS listed as executable, though JSE is listed. Looking at http://msdn.microsoft.com/en-us/library/ms722429.aspx I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP machine, none of the above extensions are designated. Maybe DLL hijacking is useful for some of these file types, after all? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Paul, I only run windows on one machine, my workstation in the office, so my results aren't indicative of every system- indeed this may be a quirk of our AD, in which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, but both extensions you list were executable. Admittedly I haven't checked all of the others yet, mileage may vary. Either way there is no accounting for taste; some cases will make this less an attack in and of its self and more will show this as a further social engineering payload, albeit one which requires tricking someone to download several layers of code and still executing it. On 4 Sep 2011, at 23:54, paul.sz...@sydney.edu.au wrote: Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Many people commented that the above extensions are executable already, so are (should be) treated with caution, or that they can be trojaned directly without any DLL load shenanigans. However... looking at http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx I do not see JS listed as executable, though JSE is listed. Looking at http://msdn.microsoft.com/en-us/library/ms722429.aspx I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP machine, none of the above extensions are designated. Maybe DLL hijacking is useful for some of these file types, after all? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote: ** Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowedged Reference to Vulnerability Disclosure Policy : http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads dll libraries without specifying a fully qualified path. This is usually done invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious dll, named exactly as a dll the apllications loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious dll instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the “msfpayload” Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D exploit.dll Option 2 - Using the “webdav_dll_hijacker” Metasploit module. Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 – Vulnerability was identified. 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on ongoing investigations”. 2011/08/19 – Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 – Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas Sent: Friday, September 02, 2011 1:06 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.commailto:cybsecl...@cybsec.com wrote: Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High - CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowedged Reference to Vulnerability Disclosure Policy : http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads dll libraries without specifying a fully qualified path. This is usually done invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious dll, named exactly as a dll the apllications loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious dll instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the msfpayload Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D exploit.dll Option 2 - Using the webdav_dll_hijacker Metasploit module. Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 - Vulnerability was identified. 2011/08/19 - Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 - Vendor stated: As a matter of policy, we cannot comment on ongoing investigations. 2011/08/19 - Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 - Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.comhttp://www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote: ** Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowedged Reference to Vulnerability Disclosure Policy : http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads dll libraries without specifying a fully qualified path. This is usually done invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious dll, named exactly as a dll the apllications loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious dll instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the “msfpayload” Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D exploit.dll Option 2 - Using the “webdav_dll_hijacker” Metasploit module. Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 – Vulnerability was identified. 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on ongoing investigations”. 2011/08/19 – Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 – Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
but if you execute a trusted vbs, you would successfully exploit anything wouldnt you ? id would be like running a dll using rundll32.exe my.dll , cept a vbs :s to me makes no sense, never has, and i know what loadlibrary does, i looked at the implications of theyre advisories, i remember when we were swarmed by about 100 dlls wich were not 'unloaded' rproperly... lol... ok anyhow, this makes no sense, executing a trusted vbs is 'script' many viruses have been named .vbs and run vb script...right? so why would we need news on this... xd On 3 September 2011 07:53, Nahuel Grisolia nah...@bonsai-sec.com wrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
What you say? my trolling hampered by facts? unpossible! On 09/02/2011 06:53 PM, Nahuel Grisolia wrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. pgp0MojC9aHat.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
If it's a trusted .vbs then how would you drop a .dll in the same directory? If you have write permissions it's easier to just modify the .vbs. You might as well claim the added value is to backdoor a .vbs file subrepticiously so it doesn't show when inspecting the source code. But it doesn't add that much, really, since a new and misterious .dll file would also draw the attention, so it's probably easier to hide malicious intent into the source code by obfuscating it. On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I disagree. If this so called vulnerability had any added value in terms of social engineering, it would actually make sense to report it. Social engineering isn't bad, I really don't care how leet it is. My claim is simpler: this advisory makes no sense at all, because it replaces an easy way of exploitation for a hard way of exploitation, so its added value is actually *negative* for the attacker. Most likely whoever found this is new in the infosec world and never stopped to consider this details - he/she just blindly repeated what the dll injection crowd was doing and posted whatever results were found, without understanding really well what was going on. And THAT is the state of infosec today. People who report stuff for the sake of reporting, without really understanding how things work or why. On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
hi, hope you are well, Prediction 3: Until spammers learn PROP use of english, things wont change, the spam will still ahve speeling errors. thats about the only thing saving some of us i think... thats my own observation, and seems to go back to when i was phreaking 'engineering' via telephone, using att pbx cards, to act like a security engineer at att to get more cards, wich, lasted many years... the people who could NOT phish, and relied on the few who could, were all europeans, wich yes now this has changed. originally, and in general, the better use of language wich is what prevails with most social engineering in any format and will always continue to, however, the use of english is also nowdays becoming easier to learn, people are becoming smarter from each failure, wich is why computers failure rate dissolves. Social engineering was the basis of many hackers/black or white, in some form, many years ago... there is not much documented on it but hey, im just yer avergae Eric jones. Anyhow, have a good day sir, interesting topically, in 2011.. cheers, xd On 3 September 2011 07:46, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I must agree, considering i have yet to see it used in even botnet circles, who would surely have used a decent local exploit if it was 'decent'... I know this dll hijacking, has gone unpassed to the community in general because of its useless ness. I agree completely, i never have seen this actively exploited, nor part of a decent framework where it can be used in a remote or local session Basically, it is something to wich i read the PDF on, and thought here is the most useless 'exploit' as it was being called , i have ever, laid eyes on , my opinion still has yet to be changed by any factor, there could be many factors, ie: exploitation even in the wild reported, or just someone saying hey dont forget blah.c! , but this aint happened, nor will... hey wanna read msdn and look and see how a lib is loaded would make more sense. I still dont see anything 'good' in this whole fiasco of the dll hijacking. no active code/poc. etc etc etc as i said, many factors id reconsider my stance on... anyhow, enjoyable topic. xd On 3 September 2011 11:03, Mario Vilas mvi...@gmail.com wrote: I disagree. If this so called vulnerability had any added value in terms of social engineering, it would actually make sense to report it. Social engineering isn't bad, I really don't care how leet it is. My claim is simpler: this advisory makes no sense at all, because it replaces an easy way of exploitation for a hard way of exploitation, so its added value is actually *negative* for the attacker. Most likely whoever found this is new in the infosec world and never stopped to consider this details - he/she just blindly repeated what the dll injection crowd was doing and posted whatever results were found, without understanding really well what was going on. And THAT is the state of infosec today. People who report stuff for the sake of reporting, without really understanding how things work or why. On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
