Friday, March 9, 2012

MSRC patch Tuesday March 2012

Hi all,
In March 2012 Microsoft patched 2 vulnerabilities i discovered, one in visual studio and the other in Microsoft expression blend.

Now before I begin diving into the technical side of things, let me give you some background of why did I take a look into MS products.
it is actually quite funny and childish, but it makes me smile so I'll share it any way :)
last august I had the fortune of attending Black-hat and defcon, during my touring of the booths at Black-hat I stumbled upon the Microsoft booth and had a very nice chat with the nice folks over there, during which I learned that Microsoft has an annual party that they throw at Black-hat, so I was thinking => I want to go to that party, after all I am a nice guy and I like parties so I'll ask for a ticket.
but I didn't get an invite... turns out you need to find a security vulnerability in one of Microsoft's products to get in to that party.

Challenge accepted :)

Now let us dive a bit into the technical, shall we? :)
(I will be talking about )

I will start with Bulletin 5
(Microsoft Expression Design) which I personally aren't too proud of finding, since it was way too easy to find, total effort was like 30 minutes late at night including the email to Microsoft.
back on topic than, this Bulletin is classified as "Remote Code Execution" , a more low level description will be "DLL Hijacking",
For those who don't know what "DLL Hijacking" is, here is a quick intro:
Sometimes an application needs to load libraries to handle the opening of a file, for example: a file that has a file association set in the Windows operating system will opened with a predefined application whether it is on a local folder on the user hard drive or on a network location.
These libraries are sometimes libraries that are installed in the operating system when the user first installs a program, now if the developer of that app did not follow Microsoft guidelines and did not follow the steps at: the application is vulnerable for remote code execution attacks via DLL Hijacking.

Now back to the bulletin:
When opening specific files with Microsoft Expression Blend from a network location, a certain DLL is called first at the network location, allowing an attacker to do what they want on the user machine.
(I wanted to specify the DLL name but it is late and I am too lazy to dig for the original mail I sent to MS)

Now to my favorite: Bulletin 4
MSRC has this under "Elevation of Privilege"
(I will be talking about VS2008,  VS2010 does not have this vulnerability manifesting the same way)
This is similar to the concept of a DLL Hijacking only this time the thing being "Highjacked" is a visual studio Add-in.
Yes, a Malicious Add-in for your visual studio! (me thinks it is cool)
How does this happen?
Simple, when a developer opens specific files associated with visual studio (there are plenty) the visual studio will load first and then after the development environment has loaded will it load the specified file.
The magic happens when the Visual studio loads, because when it does it will load it's add-ins from that network location, Yes... every time a VS2008 instance opens a file from a network location it looks for add ins in that location first before rolling back to the default location on the user's hard drive.
under VS2008 you can just put any add in you like and the development environment will load it and list it as one of the add ins, this does not affect VS2010.
in VS2010 there is a predefined list of add ins, I did not research this any further simply because I still have a day job and all this was done on my own time. and yes, I do have a life, so research_time--;

To sum things up, I am not proud of finding the DLL Hijacking vulnerability simply because any kid with a windows box and a sysinternals procmon could find it and exploit it.
The one I am really proud of is the VS vulnerability, not because of "how" i found it, but simply because I had to sit down and code a VS add in that will pop a "PWND" message-box, it was a quick and interesting challenge :)

When I say "Proud" I don't mean "first born proud", just proud of a completion of a challenge  :)