Full Disclosure mailing list archives

Re: Microsoft's Binary Planting Clean-Up Mission

From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sat, 17 Sep 2011 00:36:49 +0000

The interesting part about this type of attack is that the attacker can run a
webdav server to run the exploit. This is a normal looking url, not some
incredibly obvious UNC path to an SMB share. Yes, like most client-side
attacks, it may require some social engineering, hijacking of a domain, and etc.
However, there's more to it than just downloading some random file from a
stranger, it can be used in a decent combination by a well-designed attack. A
good example is one that ACROS actually reported on (haven't verified
myself, so going on their word). Check it out:


Except that you would have to mount the WebDAV point or access it via a WebDAV-aware redirector, right?  If you 
navigate to a file within a WebDAV folder simply with IE via a URL, IIS (or whatever your WebDAV environment is) is 
going to just feed it to the browser like it would any other file.  

Now, if you are talking about something like Win 7 NET.EXE's ability to actually map a drive letter or SMB-like 
resource to a WebDAV folder, that is something else, and you would of course have to get the user to issue a net use 
command or connect to the WebDAV folder as a network drive.    I'm not actually sure the net redirector for webdav 
would even allow that over an anonymous connection, and even basic auth requires HTTPS of course which won't work 
unless the certificates are trusted.  

Now if what you are saying is this "exploit" has merit because you can use WebDAV after getting the user to mount the 
webdav point first and then get them to execute the file or get them to issue a net use command against the webdav 
folder via HTTPS with the target cert begin trusted, and after that get them to open the file in question so that you 
can, in turn, take advantage of the aforementioned conditions to then load the malicious dll via loadlibrary, then I 
guess I would question how "critical" of a security vulnerability that is. 

I would suggest that if one is actually considering this to be a "real" issue, one might better consider that all you 
have to do is get the user to just open up an exe remotely.  It's the same thing at the end of the day.

Or did I misunderstand the WebDAV configuration you've used?

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Microsoft's Binary Planting Clean-Up Mission, (continued)
- - - Re: Microsoft's Binary Planting Clean-Up Mission adam (Sep 15)
    - Re: Microsoft's Binary Planting Clean-Up Mission Michael Schmidt (Sep 16)
    - Re: Microsoft's Binary Planting Clean-Up Mission Jeffrey Walton (Sep 16)
    - Re: Microsoft's Binary Planting Clean-Up Mission ACROS Security Lists (Sep 15)
    - Re: Microsoft's Binary Planting Clean-Up Mission Mikhail A. Utin (Sep 16)
    - Re: Microsoft's Binary Planting Clean-Up Mission Pedro B (Sep 16)
    - Re: Microsoft's Binary Planting Clean-Up Mission ACROS Security Lists (Sep 16)
  - Re: Microsoft's Binary Planting Clean-Up Mission Stefan Kanthak (Sep 16)
- Re: Microsoft's Binary Planting Clean-Up Mission paul . szabo (Sep 15)
  - Re: Microsoft's Binary Planting Clean-Up Mission Tyler Borland (Sep 15)
    - Re: Microsoft's Binary Planting Clean-Up Mission Thor (Hammer of God) (Sep 16)
  - Re: Microsoft's Binary Planting Clean-Up Mission ACROS Security Lists (Sep 16)