ShmooCon Epilogue 2014
The Allegory of the Cave
Has Application Whitelisting Coagulated As Expected?
What is this?
Curt Shaffer
Curt Shaffer has been in the IT field for 15 years. His experience is diverse across the IT field, from ISP network design and installation to server engineering for small and medium businesses as well as a number of local, US federal and international agencies, and includes intrusion analysis, incident response and malware reverse engineering. Over the past 5 years his focus has shifted to security. Most recently, a majority of his security work has been building internal threat intelligence for federal agencies, and in his current position as Owner and Sr. Threat Researcher at Symbiotic Network Technologies, LLC he analyzes current and new trends in the attack landscape in order to provide organizations with a realistic view of how they are being attacked and what can be done about it.
He holds a number of industry standard certifications including CISSP, SANS:GREM, GCIA, GCIH, GPEN, GSEC and a number of CompTIA and Microsoft certifications.
Judah Plummer
Works at Foreground Security - SOC Analyst Extraordinaire
Math and Comp. Sci. Degree from University of Pittsburgh
He has worked on validating these findings (found a 0-day once), and has assisted with the deployment and management of these applications in large deployments.
Also, found a DLC License bypass for Xbox (possible upcoming NovaHackers talk?).
Put to the Test
McAfee – Popular choice for government and others
Bit9 – Popular due to ease of deployment
AppLocker – Built in/No extra cost
Previously …with some updates
Windows File Protection – Didn't work
Java exploits – All day long
IExpress payloads – Didn't work
Adobe – Worked
JavaScript – Worked
VBA – Worked
Shellcode – Worked
Other findings:
Intercepting the Bit9 client traffic (Fiddler FTW!)
Rubber Ducky PowerShell injections
Disabling the service
Why Is This Still a Problem?
“While we believe Bit9 is the most effective protection you can have on your endpoints.”
https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
30 days to life?
The 90's called, they want their trial bypass back
Let Me In?
Just Ask Nicely
Bypasses Bygone
DLL Injection
New Bypasses?
DLL Hijacking
Watering Hole Attacks
Modifying Executable File Types
Dynamic Annotation techniques and similar dynamic building techniques
Microsoft Winhttp
Security ID Modifications
DLL Hijacking
DLL Hijacking has been used in the past as a persistence method.
We tested to see if we could trick the whitelisting solution into executing the hijacked DLL with our own malicious code.
Worked like a champ!
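To make the DLL hijacking test reproducible, here is an added example (not code from the talk): it models the Windows DLL search order and reports, for each DLL an executable loads, whether a directory the attacker can write to is searched before the directory the real DLL lives in. It assumes SafeDllSearchMode is on, no manifest or SetDllDirectory redirection, and a constructed subset of KnownDLLs; the directory tree, import list and writable directories are all constructed stand-ins built in a temp directory.

```python
# Added example (not from the talk): model the Windows DLL search order and
# report, for each DLL an executable loads, whether a directory the attacker
# can write to is searched before the directory the DLL really lives in.
# Assumptions: SafeDllSearchMode is on (the default), no manifest or
# SetDllDirectory redirection, and the 16-bit system directory is ignored.
import os
import tempfile

# Names served from the KnownDLLs object directory are never searched on disk,
# so they cannot be hijacked this way (constructed subset, not the full list).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Directories in the order LoadLibrary consults them (SafeDllSearchMode on)."""
    return [app_dir, system_dir, windows_dir, cwd] + list(path_dirs)


def find_hijack_candidates(dll_names, order, writable_dirs):
    """Map each DLL name to (directory it resolves to, or None if not found,
    list of writable directories searched before that one)."""
    results = {}
    for name in dll_names:
        if name.lower() in KNOWN_DLLS:
            results[name] = ("KnownDLLs", [])
            continue
        resolved, exposed = None, []
        for directory in order:
            if os.path.exists(os.path.join(directory, name)):
                resolved = directory
                break
            if directory in writable_dirs:
                exposed.append(directory)
        results[name] = (resolved, exposed)
    return results


def demo():
    """Build a throwaway directory tree that stands in for a Windows install."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("app", "System32", "Windows", "cwd")}
    for d in dirs.values():
        os.makedirs(d)
    for name in ("version.dll", "kernel32.dll"):
        with open(os.path.join(dirs["System32"], name), "wb") as f:
            f.write(b"MZ")  # constructed stand-in, not a real DLL
    # Constructed import list for app.exe; version.dll is a classic target.
    imports = ["kernel32.dll", "version.dll", "missing.dll"]
    # The app directory is user-writable (a common misconfiguration) and the
    # process was started from a directory the user controls.
    writable = {dirs["app"], dirs["cwd"]}
    order = search_order(dirs["app"], dirs["System32"], dirs["Windows"], dirs["cwd"], [])
    report = find_hijack_candidates(imports, order, writable)
    # Reduce full temp paths to directory names so the result is readable.
    return {name: (os.path.basename(res) if res and res != "KnownDLLs" else res,
                   [os.path.basename(d) for d in exposed])
            for name, (res, exposed) in report.items()}


if __name__ == "__main__":
    for name, (resolved, exposed) in demo().items():
        status = "hijackable" if exposed else "ok"
        print(f"{name:14} resolves in {resolved!s:10} writable-before={exposed} -> {status}")
```

The interesting output is not the missing DLL (a planting opportunity anywhere on the path) but version.dll: it exists in System32, yet a copy dropped in the writable application directory wins the search, and whether the allow-listing agent notices depends on whether it tracks DLL loads at all, which is exactly what the talk tested.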
Watering Hole Attack
Have become more popular in advanced attacks
There is a huge range of techniques to take advantage of, and it keeps growing with new technologies such as HTML5.
Files can be called/executed by trusted applications and their plug-ins.
Modifying Executable File Types
Change file types, e.g. a .txt file, so that they become executable
Change the “magic number” of a file so it is overlooked as a non-standard file type (and thus ignored by Bit9), then repair it later.
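The "break the magic number now, repair it later" trick only works against an agent that decides what to track by sniffing the file when it arrives. The following added example (constructed here, not Bit9's logic or code from the talk) models that weak design next to an agent that hashes the bytes actually handed to the loader at execution time; the agent classes, paths and payload bytes are all assumptions.

```python
# Added example (not from the talk): a constructed model of two ways an
# allow-listing agent can decide what to enforce, showing why classifying a
# file by its magic number at creation time loses against "break it now,
# repair it later". Neither class is Bit9's real logic; both are assumptions.
import hashlib

MZ = b"MZ"


def looks_like_pe(data):
    """Minimal magic-number sniff: does the file start with the MZ header?"""
    return data[:2] == MZ


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class CreateTimeWhitelist:
    """Weak model: classifies a file when it is created and only follows files
    that looked executable at that moment; everything else is ignored."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)
        self.tracked = {}  # path -> hash of the last write we bothered to look at

    def on_create(self, path, data):
        if looks_like_pe(data):
            self.tracked[path] = sha256(data)

    def on_modify(self, path, data):
        if path in self.tracked:          # untracked 'text' files are not re-sniffed
            self.tracked[path] = sha256(data)

    def allow_exec(self, path, data):
        recorded = self.tracked.get(path)
        if recorded is None:
            return True  # never classified as executable, so never enforced
        return recorded in self.approved


class ExecTimeWhitelist:
    """Hardened model: ignore what the file looked like when it arrived and hash
    the bytes actually handed to the loader at execution time."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def on_create(self, path, data):
        pass  # nothing to decide yet

    def on_modify(self, path, data):
        pass

    def allow_exec(self, path, data):
        return sha256(data) in self.approved


def run_scenario(agent):
    """Drop a PE with its magic number broken, repair it in place, then run it."""
    payload = MZ + b"\x90" * 62 + b"constructed stand-in for a PE body"
    disguised = b"##" + payload[2:]            # no MZ, so it reads as 'text'
    path = r"C:\Users\u\notes.txt"
    agent.on_create(path, disguised)
    repaired = MZ + disguised[2:]              # restore the two magic bytes
    agent.on_modify(path, repaired)
    return agent.allow_exec(path, repaired)


def run_approved(agent):
    """Control case: a binary whose hash is on the approved list runs either way."""
    good = MZ + b"constructed approved binary"
    agent.approved.add(sha256(good))
    path = r"C:\Program Files\good\good.exe"
    agent.on_create(path, good)
    return agent.allow_exec(path, good)


if __name__ == "__main__":
    print("create-time model lets repaired payload run:", run_scenario(CreateTimeWhitelist([])))
    print("exec-time model lets repaired payload run:  ", run_scenario(ExecTimeWhitelist([])))
```

The practical check for a deployment is therefore not "does the agent catalogue new executables" but "does the decision at process start depend on anything other than the bytes being loaded right now"; if file-type sniffing, extension or creation-time state enters that decision, this class of bypass applies.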
Dynamic Annotation
New technique for some interesting malware applications.
One example we have seen used in the wild: build a MOF executable from sample scripts pulled from trusted sites, such as Microsoft's TechNet, and build them on the fly with VB.
We are working on a talk for later this year on the topic with a POC botnet.
WinHTTP
Our guess: not a lot of work has been put into protecting the new WinHTTP remote administration components of Windows.
Execute malicious code through this trusted process.
Any other system/admin tools that need to be trusted?
Security ID Modifications
Is whitelisting on a per user basis?
Have all types of users, including null user SIDs, been taken into account?
We didn’t have a lot of time to test modifying the SIDs of services and files, but it’s our guess this would work rather well.
Chris John Riley’s PySC
Shellcode from DNS TXT records
Or via Internet Explorer (using SSPI)
Works on the latest version we tested!
Thanks Chris!
Code link in the notes.
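From the defender's side, shellcode staged over DNS TXT records is something a resolver log can show. The following added example (not from the talk and not PySC's code) runs simple detection logic over constructed resolver log lines: it flags long, high-entropy base64 TXT answers and, to avoid the obvious false positive, skips records that start with known SPF/DKIM/verification prefixes. The log format, thresholds and sample records are all assumptions.

```python
# Added example (not from the talk or from PySC): detection logic for the
# "shellcode over DNS TXT" pattern, run over constructed resolver log lines.
# The log format below is an assumption; adapt LINE_RE to your resolver.
import base64
import math
import re

LINE_RE = re.compile(
    r'client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) '
    r'answer="(?P<answer>[^"]*)"')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+=*$')
# Legitimate long TXT records that would otherwise trip the entropy check.
BENIGN_PREFIXES = ("v=spf1", "v=DKIM1", "google-site-verification=")
MIN_LEN, MIN_ENTROPY = 100, 4.0  # assumed thresholds; tune on your own traffic


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_txt(answer):
    """True for long, high-entropy base64 blobs with no known benign prefix."""
    if answer.startswith(BENIGN_PREFIXES):
        return False
    if len(answer) < MIN_LEN or not B64_RE.match(answer):
        return False
    return shannon_entropy(answer) >= MIN_ENTROPY


def scan(lines):
    """Return (client, qname) for TXT answers that look like staged payloads."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["qtype"] != "TXT":
            continue
        if suspicious_txt(m["answer"]):
            hits.append((m["client"], m["qname"]))
    return hits


# Constructed sample log. The 'shellcode' is base64 of bytes 0..255, a stand-in
# with the same near-uniform symbol spread a real encoded stage would have.
BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_LOG = [
    'ts=2014-01-18T10:02:11Z client=10.0.0.5 qname=example.test qtype=TXT '
    'answer="v=spf1 include:_spf.example.test ~all"',
    'ts=2014-01-18T10:02:12Z client=10.0.0.5 qname=s1._domainkey.example.test qtype=TXT '
    f'answer="v=DKIM1; k=rsa; p={BLOB}"',
    'ts=2014-01-18T10:02:13Z client=10.0.0.5 qname=www.example.test qtype=A '
    'answer="192.0.2.10"',
    'ts=2014-01-18T10:02:14Z client=10.0.0.7 qname=c1.stage.example.test qtype=TXT '
    f'answer="{BLOB}"',
]

if __name__ == "__main__":
    for client, qname in scan(SAMPLE_LOG):
        print(f"suspicious TXT payload: {client} -> {qname}")
```

In practice add a per-client rate and chunk-sequence check (a stage larger than one record shows up as a burst of TXT queries for numbered names), and note that this only covers the DNS path; the Internet Explorer/SSPI variant mentioned above rides an HTTP channel and needs proxy logs instead.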
Future Considerations
Macintosh Bypasses
More HTML5 Features
Trusted Directory or Trusted User Abuse
Hash Collision Fun
Metasploit Module
Metasploit Module
Codename: “The Alan P@rs0ns Project: Sharks with friggin lasers”
Menu Options/Functionality:
Operating System Version
Vendor Choice
Exploit/Bypass Style Choice
Payload Choice
Post Exploitation
Questions?
Contact Info
[email protected]
@inetopenurla (My blog… hope for a revival soon)
@bit0day (to follow releases of details of our findings)
[email protected]