2010: The Year of the Exploit

Size: px

Start display at page:

Download "2010: The Year of the Exploit"

Oliver Owens
9 years ago
Views:

1 2010: The Year of the Exploit Juraj Malcho Alexandr Matrosov Eugene Rodionov David Harley

2 Microsoft Windows Server Releases Roadmap The picture courtesy of Microsoft

3 Microsoft Significant vulnerabilities MS Buffer Overrun In RPC Interface (Blaster) MS LSASS Vulnerability (Rbot MS MDAC exploit (the base of Exploit Packs) MS Windows Animated Cursor Remote Code Execution Vulnerability MS MS Vulnerability in Server Service (Conficker) Vulnerability in Windows Shell (Stuxnet) Microsoft Security Advisory ( ) Insecure Library Loading Could Allow Remote Code Execution

4 MS LNK exploit Windows Shell vulnerability Discovered in the wild as a 0-day Out-of-band patch released on August 2 nd 2010 Affects all Windows versions Spreading (not only) via removable devices regardless of security settings MITRE code CVE Win32/Stuxnet

5 VirusBlokAda identified Stuxnet and the LNK exploit on June 17 th (Trojan-Spy.04850) Microsoft and others only took a notice a month later Realtek Semiconductors notified on June 24 th regarding the certificate problem Allegedly, the notification was ignored July 13 th The Moment of Truth Win32/Rootkit.TmpHider July 6 th 2010: Win32/Rootkit.Agent.NTK Gradual unfurling of the truth about Stuxnet At first seemed to be spyware Only in September was it found to be a tool of destruction

6 Targeted attack Not only an eye-opener for the general public, but even for many in the IT security industry Uncompromisingly professional Created by a team of people 0-day vulnerability portfolio 4 0-day vulnerabilities: MS10-046, MS10-061, MS10-073, MS10-0XX + MS Signed! Compromised Realtek & JMicron certificates Weeks of exhaustive analysis The effect on Siemens Simatic SCADA SW Speculation about other possible targets

7 invisible First variants January/March/June 2009 Vulnerability arsenal was limited by then: MS MS MS (win32k.sys!ntusermessagecall) autorun.inf Significant upgrade in January 2010 Another driver added Signed by Realtek Technologies certificate New 0-day vulnerabilities added: MS10-046, MS10-061, MS10-073, MS10-0XX

8 signatures

9 vulnerabilities removable devices MS Win2000/XP MS general attack vector propagation additional attack vectors Stuxnet propagation and installation vectors in MS Windows privilege escalation installation privilege escalation local network MS Vista/Win7/Server 2008 MS10-0XX MS10-061

10 exploit #1: MS10-0XX A vulnerability in Task Scheduler service Scheduled tasks integrity checking problem Used for privilege escalation Windows Vista and above

exploit #2: MS10-073 A vulnerability in win32k.

privilege escalation Windows 2000 and WindowsXP are affected

11 exploit #2: MS A vulnerability in win32k.sys Based on faulty processing of keyboard layout files Used for privilege escalation Windows 2000 and WindowsXP are affected fanny.bmp Win32/Agent.OSW (Win32/Dottun) between win32k.sys and LNK exploit connection

12 exploit #3: MS A vulnerability in Printer Spooler Shared printers problem 2009/04 Used to spread over the network All Windows versions vulnerable A problem in verifying the identity of the printing client Instead of being sent to a printer files are dropped to: %SYSTEM32% (privileged operation): Windows\System32\winsta.exe and Windows\System32\wbem\mof\sysnullevnt.mof

exploit #4: MS10-046 LNK exploit CVE-2010-2568 A design error, no shell code or buffer overflow issue Used to spread via

13 exploit #4: MS LNK exploit CVE A design error, no shell code or buffer overflow issue Used to spread via removable media All Windows versions vulnerable The graphics are loaded from the file referenced in the LNK file and not only that

14 exploit #4: MS ways of storing the path to the payload: \\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven USB&Prod_FLASH_DRI VE&Rev_# &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp \\.\STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven USB&Pr od_flash_drive&rev_# &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~wtr4141.tmp \\.\STORAGE#RemovableMedia#8&1c5235dc&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp \\.\STORAGE#RemovableMedia#7&1c5235dc&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp

MS10-046 related malware and its evolution 8(+)

15 MS related malware and its evolution 8(+) CVE /MS (win32k.sys) since 2009/11!!!

17 ... needs to be considered and protected

18 Education is a necessary part of defence Gathering data Not so difficult online Mining and exploring it To find the right target Marketing folks know this Cyber criminals are no different Careful what you say Nothing comes for free Mistrust information you didn't ask for or people you

19 Questions? Juraj Malcho Alexandr Matrosov Eugene Rodionov David Harley

The Peak of Chaos Shane D. Shook, PhD 10/31/2012

The Peak of Chaos Shane D. Shook, PhD 10/31/2012 w h a c k e r n a v k n d n h m y a w h o? n r h p e n c n o s a n w s o v y i d u n n n r n m s r k d e a i k o w i r c d i o m u t w e t w s u t s i v i t c a Shane D. Shook, PhD 10/31/2012 Cyber Crime