Binary planting - Revision history

Andrew Smith at 02:58, 31 January 2013

2013-01-31T02:58:27Z

Mitjak at 17:48, 21 August 2010

2010-08-21T17:48:59Z

Mitjak: /* References */

2010-08-20T01:22:39Z

‎References

Mitjak: /* Risk Factors */

2010-08-20T01:21:42Z

‎Risk Factors

Mitjak: Created page with '{{Template:Attack}} Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' ==Description== Binary planting is a general term for an attack wher…'

2010-08-20T01:19:30Z

Created page with '{{Template:Attack}} Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' ==Description== Binary planting is a general term for an attack wher…'

New page

{{Template:Attack}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

[[Binary planting]] is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to some local or remote file system location in order for a vulnerable application to load and execute it.

There can be various reasons why an application would load a malicious binary:

# Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location. (A typical example is an application installer not properly setting access permissions on application directories.)
# One application may be used for planting a malicious binary in another application's trusted location. (An example is the Internet Explorer - Safari blended threat vulnerability)
# The application searches for a binary in untrusted locations, possibly on remote file systems. (A typical example is a Windows application loading a dynamic link library from the current working directory after the latter has been set to a network shared folder.)

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this attack likely or unlikely to actually happen
* You can mention the likely technical impact of an attack
* The [business impact] of an attack is probably conjecture, leave it out unless you're sure

==Examples==

=== Insecure Access Permissions-based Attack ===

# A Windows application installer creates a root directory (C:\Application) and installs the application in it, but fails to limit write access to the directory for non-privileged users.
# Suppose the application (C:\Application\App.exe) loads the WININET.DLL library by calling LoadLibrary("WININET.DLL"). This library is expected to be found in the Windows System32 folder.
# Local user A plants a malicious WININET.DLL library in C:\Application
# Local user B launches the application, which loads and executes the malicious WININET.DLL instead of the legitimate one.

=== Current Working Directroy-based Attack ===

# Suppose a Windows application loads the DWMAPI.DLL library by calling LoadLibrary("DWMAPI.DLL"). This library is expected to be found in the Windows System32 folder, but only exists on Windows Vista and Windows 7.
# Suppose the application is associated with the ".bp" file extension.
# The attacker sets up a network shared folder and places files honeypot.bp and DWMAPI.DLL in this folder (possibly marking the latter as hidden).
# The attacker invites a Windows XP user to visit the shared folder with Windows Explorer.
# When the user double-clicks on honeypot.bp, user's Windows Explorer sets the current working directory to the remote share and launches the application for opening the file.
# The application tries to load DWMAPI.DLL, but failing to find it in the Windows system directories, it loads and executes it from the attacker's network share.

==Related [[Threat Agents]]==

* [[:Category:Internet_attacker]]
* [[:Category:Intranet_attacker]]

==Related [[Attacks]]==

* [[:Category:Embedded Malicious Code]]
* [[Code Injection]]

==Related [[Vulnerabilities]]==

* [[Portability Flaw]]
* [[Process Control]]

==Related [[Controls]]==

TBD

==References==

'''Note1:''' A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:

* [http://cwe.mitre.org/data/definitions/114.html CWE-114: Process Control]
* [http://www.securityfocus.com/archive/1/510426 Elevation of Privilege Vulnerability in iTunes for Windows] - example of Insecure Access Permissions-based Attack
* [http://www.securityfocus.com/archive/1/513190 Remote Binary Planting in Apple iTunes for Windows] - example of Current Working Directroy-based Attack

__NOTOC__

← Older revision		Revision as of 17:48, 21 August 2010
Line 67:		Line 67:

	__NOTOC__		__NOTOC__
		+
		+	[[Category:Attack]]

← Older revision		Revision as of 01:22, 20 August 2010
Line 61:		Line 61:

	==References==		==References==
−
−	~~'''Note1:''' A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:~~

	* [http://cwe.mitre.org/data/definitions/114.html CWE-114: Process Control]		* [http://cwe.mitre.org/data/definitions/114.html CWE-114: Process Control]

@@ Line 5: / Line 5: @@
 ==Description==
-[[Binary planting]] is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to some local or remote file system location in order for a vulnerable application to load and execute it.
+[[Binary planting]] is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to a local or remote file system in order for a vulnerable application to load and execute it.
-There can be various reasons why an application would load a malicious binary:
+There are various ways this attack can occur:
-# Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location. (A typical example is an application installer not properly setting access permissions on application directories.)
+# Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location. (A typical example is an application installer not properly configuring permissions on directories used to store application files.)
-# One application may be used for planting a malicious binary in another application's trusted location. (An example is the Internet Explorer - Safari blended threat vulnerability)
+# One application may be used for planting a malicious binary in another application's trusted location. (An example is the [http://technet.microsoft.com/en-us/security/advisory/953818 Internet Explorer - Safari blended threat vulnerability] )
 # The application searches for a binary in untrusted locations, possibly on remote file systems. (A typical example is a Windows application loading a dynamic link library from the current working directory after the latter has been set to a network shared folder.)
@@ Line 57: / Line 57: @@
 ==Related [[Controls]]==
-TBD
+* Access Controls
@@ Line 65: / Line 66: @@
 * [http://www.securityfocus.com/archive/1/510426 Elevation of Privilege Vulnerability in iTunes for Windows] - example of  Insecure Access Permissions-based Attack
 * [http://www.securityfocus.com/archive/1/513190 Remote Binary Planting in Apple iTunes for Windows] - example of Current Working Directroy-based Attack
+* http://365.rsaconference.com/servlet/JiveServlet/previewBody/3034-102-1-4071/HTA-206%20-%20Remote%20Binary%20Planting%20%E2%80%93%20An%20Overlooked%20Vulnerability%20Affair.pdf
 __NOTOC__
 [[Category:Attack]]

@@ Line 16: / Line 16: @@
 ==Risk Factors==
-* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this attack likely or unlikely to actually happen
+TBD
 ==Examples==