how-to block ads
|
SUMware
Premium
join:2002-05-21
3 edits | .NET Framework Rootkits From SecurityFocus
Nov 13 2008 - quote:
.NET Framework Rootkits - Backdoors inside your Framework
Author: Erez Metula;
Paper Description
=================
The paper introduces a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core.
It covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.
Paper Summary
============
Framework modification can be achieved by tampering with a Framework DLL and "pushing" it back into the Framework.
The process is composed of several steps, described thoroughly at the corresponding whitepaper.
It also exposes a flaw in the manner in which a .NET Framework DLL is loaded, and how it is possible to bypass its signature mechanism.
Instead of re-signing tampered DLL's with a spoofed Microsoft signature key - surprisingly, it was found during this research that the modified DLL can be directly copied to the correct location at the file system, because the SN mechanism does not check the actual signature of a loaded DLL but blindly loads the DLL based on the directory name with the corresponding signature name!
It is important to mention that this technique does not requires "full trust" permissions, which further proves the fact that the GAC / CAS protection mechanisms are broken.
This paper also introduces ".Net-Sploit" - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.
You can find the detailed whitepaper, .NET-Sploit tool, source code, and the OWASP presentation at:
»www.applicationsecurity.co.il/.N···its.aspx
[Note: At time of posting the above applicationsecurity.co link did not work for me.
Try this one: »www.applicationsecurity.co.il/en···ult.aspx
Direct link to whitepaper [PDF] here.] | |
|  
microserf v1
@cgocable.net
| Re: .NET Framework Rootkits 
The 'exploit' starts with the modification of a framework dll (assembly) from outside the runtime using administrative privileges. I'd hardly call that a viable rootkit but ok, let's run with it.
Changes to an assembly can be detected with a signature check but the CLR used by the author is blindly loading Strong Name assemblies. This is not how I understood the runtime to function in a default configuration. Without an exception made by sn.exe or inserted directly into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification\, any SN assembly will have its current file hash checked against the signed one as it is loaded. The author claims this verification is not occurring within the GAC. If so, call Microsoft for a bug fix.
Without this initial compromise the rest of the paper is useless. I'll wait for someone to explain why the CLR is not working as (I thought) it should. | |
| | SUMware
Premium
join:2002-05-21
1 edit | Re: .NET Framework Rootkits said by microserf v1 :
The author claims this verification is not occurring within the GAC. If so, call Microsoft for a bug fix. said by whitepaper :
Microsoft response team assigned the GAC protection bypass case the track number of "MSRC 8566gs", but even if the GAC bypass will be fixed it'll surely be possible to mount the attacks described in this paper in some other way, since an attacker who has administrator level privileges on a machine can do everything anyway.
Conclusions
Modification of the framework behavior can lead to some very interesting results as seen in this paper. An attacker who has managed to compromise your machine can backdoor your framework, leaving rootkits behind without any traces. Those rootkits can turn the framework upside down, letting the attacker do everything he wants while his malicious code is hidden deep inside the framework DLL’s. As the owner of the machine, there’s not much you can do about that. You can use external file tampering detectors, such as tripwire, in a scenario where you have another machine that monitors your machine. Microsoft, as the developer of the Framework, should give the .NET Framework a kernel level modification protection.
| |
| | | | | | | OZO
Premium
join:2003-01-17
| Re: .NET Framework Rootkits That is exactly my point as well. I refuse to participate in testing new and new incompatible frameworks on my computers. I understand that development with NET may be easier, but as a consumer - I'll better wait until it settles down to finally workable solution...
--
Keep it simple, it'll become complex by itself... | |
| | |
microserf v1
@cgocable.net
| Thank you (sorry for the delay in responding).
Your quote clearly shows a difference I have with the author in terms of perspective. Farting around with .NET when you have admin privileges on a machine is counter-productive. IMO, any modifications made to the framework from an external (to the framework) point highlights commercial/secure distribution issues in a hostile administrative environment. | |
| | | | 
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| Re: .NET Framework Rootkits said by microserf v1 :
IMO, any modifications made to the framework from an external (to the framework) point highlights commercial/secure distribution issues in a hostile administrative environment. Reminds me of a time when a company asked me how they could secure a database from their DBA whom they didn't trust (but apparently didn't want to fire), which for me was another reminder that a lot of security problems are not technical, but are in fact HR problems (if someone could tell me what HR does anymore I'd certainly appreciate it). For another example isn't it funny that the lowest paid, least respected employee is usually the one with all the keys and the least supervision (ie your cleaning staff)?
At some point in time trust in employees isn't optional so selecting who those employees are shouldn't be a glossed over or outsourced issue.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool | |
| redwolfe_98
join:2001-06-11 | i agree with you, netfixer.. i hate having "NETFramework" installed, but my ati (video card) driver-package requires it..
as far as i know, hewlett-packard "printer" driver-packages also require "NETFramework".. | |
| | OZO
Premium
join:2003-01-17
1 edit | Re: .NET Framework Rootkits What if you will install driver only - does it require .NET too? | |
| | | redwolfe_98
join:2001-06-11
·RoadRunner Cable
1 edit | Re: .NET Framework Rootkits said by OZO  :What if you will install driver only - does it require .NET too? the ati driver, alone, does not require NETFramework, but the "catalyst control center" does require it..
i am not that familiar with working with "hewlett-packard" drivers, so i don't know if you can work around not having "NETFramework", with them, or not.. in my experience with installing the regular HP driver-packages, which is the only ones that i have used, NETFramework is installed as part of the installation-process, when the drivers are being installed.. | |
| | | | OZO
Premium
join:2003-01-17
| Re: .NET Framework Rootkits If in the printer package you have a folder with *.INI file along with set of other files (usually with *.dl_ extensions) you may install the driver directly. In this case you do not have to run any "setup" program from the package (and it will not install any .NET). That's the way I install my drivers. | |
| | | | 
salzan
Experienced Optimist
Premium
join:2004-01-08
WA State
| said by redwolfe_98 :the ati driver, alone, does not require NETFramework, but the "catalyst control center" does require it.. You can use ATI Tray Tools instead of the Catalyst Control Center. No need of .NET for ATI cards.
I have avoided .NET completely. | |
| | | | 
AB
Premium
join:2006-04-04
Leesburg, VA
| said by redwolfe_98 :. . i am not that familiar with working with "hewlett-packard" drivers, so i don't know if you can work around not having "NETFramework", with them, or not.. in my experience with installing the regular HP driver-packages, which is the only ones that i have used, NETFramework is installed as part of the installation-process, when the drivers are being installed.. The HP AIO printer I use (1200 series, which is an older one) has no reliance upon .NET Framework. | |
| | | | SUMware
Premium
join:2002-05-21
| As stated before:
said by whitepaper :
It is important to mention that the technique described in this paper is considered as a post exploitation type attack! Such attacks are usually deployed after an attacker has managed to penetrate a system (using some other attack) and want to leave backdoors and rootkits behind, for further exploitation. In other words, changing the Framework requires administrator level privileges.
And, although it goes without saying - you must have administrator level permissions to overwrite the DLL, since this is a post exploitation attack…
| |
| | | | |
AB
Premium
join:2006-04-04
Leesburg, VA
| Re: .NET Framework Rootkits said by jdong :. . it's a shame people are suddenly using this to fear-monger the .NET framework as if somehow non-.NET native based runtimes are not affected by tampering in this manner? You're saying then, that if I gave remote Administrative write permissions to some pimply-faced Russian teenager, he could do more than alter my .NET Framework .DLLs?
Is that what you're trying to claim?  | |
| | | | 
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:  
| Re: .NET Framework Rootkits said by AB :You're saying then, that if I gave remote Administrative write permissions to some pimply-faced Russian teenager, he could do more than alter my .NET Framework .DLLs? Is that what you're trying to claim? Not only that -- I am also claiming that this CAN'T POSSIBLY HAPPEN if you don't use .NET. For the 20 year history of Microsoft operating systems there are ZERO incidents of some type of malware modifying native binary executables such that when they run, they do their task and then something subtly malicious. Can't think of anything like that until .NET strong name signature checking compromises came around!
--
Ubuntu MOTU Developer and Forums Council | |
| | | | |
AB
Premium
join:2006-04-04
Leesburg, VA
| Re: .NET Framework Rootkits said by jdong :said by AB :You're saying then, that if I gave remote Administrative write permissions to some pimply-faced Russian teenager, he could do more than alter my .NET Framework .DLLs? Is that what you're trying to claim? Not only that -- I am also claiming that this CAN'T POSSIBLY HAPPEN if you don't use .NET. For the 20 year history of Microsoft operating systems there are ZERO incidents of some type of malware modifying native binary executables such that when they run, they do their task and then something subtly malicious. Can't think of anything like that until .NET strong name signature checking compromises came around! Thank you. Just so we're straight on that.
But I believe in giving young people scriptkiddies a fair chance, and so will be keeping .NET Framework v. 2.0 on this machine.
No remote write permissions, though-- I said I was fair, not easy.  | |
| 
Woody79_00
join:2004-07-08
united state
| This article is Snake Oil IMO
the attacker would have to have admin access to your machine, in other words, gotten past your firewall and cracked your password.
At this juncture, I don't care eif you have .Net installed or not, your owned regardless. Besides, why would they even both with a .Net rootkit anyways, when there are much easier methods of rootkitting a system?
this article is snakeoil for that reason. If someone gets admin access to your system, your owned no matter what you have installed. .Net is no more a security risk than any other runtime or compiler. | |
| | Kiwi
Premium
join:2003-05-26
USA
·Comcast
 ·Aristotle Internet
| Re: .NET Framework Rootkits said by Woody79_00 :This article is Snake Oil IMO the attacker would have to have admin access to your machine, in other words, gotten past your firewall and cracked your password. At this juncture, I don't care eif you have .Net installed or not, your owned regardless. Besides, why would they even both with a .Net rootkit anyways, when there are much easier methods of rootkitting a system? this article is snakeoil for that reason. If someone gets admin access to your system, your owned no matter what you have installed. .Net is no more a security risk than any other runtime or compiler. Mirroed my own thoughts. I work with .NET, but not by choice. Regardless, I do believe Woody nailed this down, certainly not a drive by thing for sure. There are a couple of other remarks that had been made, I noted my head nodding up and down | |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| I will summarize what I was going to post before the server decided to choke and subsequently lose my usually detailed and eloquent posting on this topic.
First I've seen a number of people say they won't load .Net runtimes onto their machines, my question to them is do they load Java runtimes as perhaps they should read this paper as Erez Metula states on page 5:
And, as a side note – the methods described in this paper are not restricted only for the
.NET Framework, but can also be applied to other VM based platforms, such as Java.
Next this interesting as the basis of the exploit is:
Surprisingly, it was found during this research that the modified DLL can be directly
copied to the correct location at the file system, because the SN mechanism does not
check the actual signature of a loaded DLL but blindly loads the DLL based on
the directory name with the corresponding signature name!
It is important to mention that this technique does not requires "full trust"
permissions, which further proves the fact that the GAC / CAS protection
mechanisms are broken
Now the name is checked on initial loading so the deal here is that the .Net framework already has to be up and running, which greatly limits the attack potential. If the DLL was infected and saved, when the .Net runtimes loaded the naming problem would cause the attack to gack, so to make this a virus you would need to leave the original DLL in place such that it was loaded during the initial load and then have an application run which would do the dirty deed of injecting the infected DLL in after.
Now certainly this exploit implies that the applications using the .Net environment don't have use any security checking code (ex Declarative or Imperative coding which checks the environment etc) which cause a stack walk and would likely raise and exception with the naming problem of the infected DLL. CAS (.NEt's Code Access Security) would also likely detect and report this problem (CAS is actually kind of cool as you can white list what your app can do such that any exceptions are flagged, handy if your using a third party dll that you don't trust, so white list what it can do and anything else it does and CAS raises an exception and stops the app cold).
So in terms of am I fearing any mass attack from this nope, and I will use this in my upcoming .NET Secure Presentation to help drive home why something should be done in certain ways.
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool | |
| | Kiwi
Premium
join:2003-05-26
USA | Re: .NET Framework Rootkits Apparently I should have spent the time, but you already did it twice Good job. | |
| | mysec
Premium
join:2005-11-29
4 edits | said by Link Logger :(CAS is actually kind of cool as you can white list what your app can do such that any exceptions are flagged, handy if your using a third party dll that you don't trust, so white list what it can do and anything else it does and CAS raises an exception and stops the app cold).
Nice to know!
Other White List solutions will also stop this exploit cold.
From the White Paper:
Framework modification can be achieved by tampering with a Framework DLL and
"pushing" it back into the Framework.
The process is composed of the following steps:
• Locate the DLL in the GAC, and copy it outside
• Analyze the DLL
• Decompile the DLL using ildasm
• Modify the MSIL code
• Recompile to a new DLL using ilasm
• Bypass the GAC strong name protection
• Reverting back from NGEN Native DLL
• Deploy the new DLL while overwriting the original
My test:
• select a White Listed .dll (ver.dll)
• modify a copy of ver.dll and place on a USB drive
• attempt to copy/overwrite ver.dll
__________________________________________
I don't see any way a non White Listed executable can be installed without user permission
on a properly protected system.
| |
| | | | |
|
·
·