remote binary planting yg - acros security · 2017. 4. 21. · remote binary planting mitja kolsek...
TRANSCRIPT
Remote Binary Planting
Mitja Kolsek
An Overlooked Vulnerability Affair
ACROS d.o.o.
Session ID: HT2-401
Session Classification: Advanced
Agenda
The Vulnerability
The Attack
Our Research
What Can You Do?
The Vulnerability
Vulnerability Superstar
1. Arbitrary Code Execution
2. Easy to Find
3. Easy to Exploit
4. Reliable
5. No Privileges
6. Remote
7. Works Through Firewalls
100,000,000,000
Misunderstood
Underestimated
Downplayed
Ignored
Forgotten
Quasi-Addressed
Still Ignored
Unfixed
The Life of Binary Planting
1998 NSA: Windows NT Security Guidelines
2000 Georgi Guninski: Two Office bugs
2001 Nimda uses “DLL spoofing” for propagation
2004 Microsoft introduces “safe search order”
2005 “DLL Spoofing in Windows” paper (local attack)
2008 David LeBlanc: “DLL Preloading Attacks” article
2009-2010 ACROS reports BP bugs to many vendors
Apr 2010 Phone conference with Microsoft
Meanwhile... Microsoft preparing remedy
520+ bugs in stock
Aug 18, 2010 Apple fixes iTunes, Acros publishes ASPR
Same day The cat gets “out of the bug”
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
IQ Test: Find the Misfit
1 2 3 4 5
DLL Search Order
LoadLibrary(“SomeLib.dll”)
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
World-Wide DLL
[Diagram: DLL, you, bad guy]
It Was Even Worse Before 2004
“UNSAFE” Search Order
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH
“Safe” DLL Search Order
Safe? Really?
1. The directory from which the application loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory (CWD)
6. PATH
Causes For Not Finding DLLs in Primary Locations
Programmer checks for local capabilities by trying to load a library
Some DLLs are present on OS1 but not on OS2 (dwmapi.dll)
Custom/partial installs
Backward compatibility
Forward compatibility
Application written so that it finds its binaries in PATH
O/S Porting (loading “linuxlib.so.1” on Windows)
Assumptions about installed components
Incomplete uninstalls
...
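The three lookup orders on the slides can be modelled to show why a DLL that is missing from the primary locations still resolves through the CWD under the “safe” order. This is an added example, not code from the presentation; it covers the pre-2004 order, the “safe” order, and the order left after SetDllDirectory(“”), and the directory layout, share name and file set are constructed for illustration.

```python
import ntpath

# Lookup orders as listed on the slides. "cwd_removed" is the order left after
# SetDllDirectory("") has dropped the current working directory.
SEARCH_ORDERS = {
    "unsafe_pre_2004": ["app", "cwd", "system32", "system", "windows", "path"],
    "safe": ["app", "system32", "system", "windows", "cwd", "path"],
    "cwd_removed": ["app", "system32", "system", "windows", "path"],
}


def resolve(dll, order, dirs, files):
    """Return (role, full_path) for the first location that holds dll, or None."""
    present = {f.lower() for f in files}  # Windows file names are case-insensitive
    for role in SEARCH_ORDERS[order]:
        locations = dirs[role] if role == "path" else [dirs[role]]
        for directory in locations:
            candidate = ntpath.join(directory, dll)
            if candidate.lower() in present:
                return role, candidate
    return None


def audit(dll, dirs, files):
    """Map each search order to (role, path, from_remote_cwd) for one DLL name."""
    report = {}
    for order in SEARCH_ORDERS:
        hit = resolve(dll, order, dirs, files)
        if hit is None:
            report[order] = (None, None, False)
            continue
        role, path = hit
        # A CWD that starts with two backslashes is a network location.
        remote_cwd = role == "cwd" and dirs["cwd"].startswith("\\\\")
        report[order] = (role, path, remote_cwd)
    return report


# Constructed layout: a document opened from a share makes that share the CWD.
DIRS = {
    "app": r"C:\Program Files\ExampleApp",
    "system32": r"C:\Windows\System32",
    "system": r"C:\Windows\System",
    "windows": r"C:\Windows",
    "cwd": r"\\fileserver\share\docs",
    "path": [r"C:\Tools"],
}
FILES = {
    r"C:\Windows\System32\version.dll",
    r"\\fileserver\share\docs\version.dll",
    r"\\fileserver\share\docs\dwmapi.dll",  # absent from this OS's system folders
}

if __name__ == "__main__":
    for name in ("version.dll", "dwmapi.dll"):
        for order, result in audit(name, DIRS, FILES).items():
            print(f"{name:12} {order:16} -> {result}")
```

A DLL that exists in System32 is only exposed under the pre-2004 order, while one that exists in none of the first four locations is still taken from the share under the “safe” order.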
Malicious DLL
DllMain() function – almost always works!
Modify original DLL
Create a look-alike DLL
The Attack
3-Step Attack Scenario
1. Plant a malicious DLL
2. Set CWD to location of the DLL
3. Wait
Setting The Current Working Directory
1. Double-clicking a file in Explorer
2. File Open, File Save dialogs
3. Last open/save location
4. cmd.exe: cd command
5. File explorers
6. CreateProcess, ShellExecute
7. New process inherits parent’s CWD
8. Shortcuts
9. ...
Internal Network Attack
Local Goes Remote
Internet Attack - WebDAV “Magic”
Attack Vectors
1. Clicking on a link in browser
2. Clicking on a link in e-mail
3. Clicking on a link in IM message
4. Planting a DLL on a file server
5. Document and DLL in a ZIP archive
6. Document and DLL on a USB stick
7. Document and DLL on CD/DVD
8. Local privilege escalation
9. Advanced binary planting attacks
Binary Planting Demo
Binary Planting Goes “EXE”
Searching for Non-Absolute EXEs
CreateProcess(“SomeApp.exe”)
1. The directory from which the application loaded
2. Current Working Directory (CWD)
3. C:\Windows\System32
4. C:\Windows\System
5. C:\Windows
6. PATH
Searching for Non-Absolute EXEs
ShellExecute(“SomeApp.exe”)
The directory from which the application loaded
Current Working Directory (CWD)
C:\Windows\System32
C:\Windows\System
C:\Windows
PATH
Searching for Non-Absolute EXEs
_spawn*p* and _exec*p*
The directory from which the application loaded
1. Current Working Directory (CWD)
2. C:\Windows\System32
C:\Windows\System
3. C:\Windows
4. PATH
Our Research
Research Summary
Inspected 200+ Windows applications
At least one exploitable Binary Planting issue in almost every one!
(And we barely scratched the surface)
Recorded 520+ Binary Planting issues
Tool for detecting Binary Planting vulnerabilities
GUI, monitoring processes
Automated exploitation
Ability to directly debug vulnerable code
Binary Planting Detector
Score – DLL and EXE Plantings
120+
400+
How Many Bugs?!?
100,000,000,000
XP ~1340m, Vista ~400m, Windows 7 ~150m, ...
11.000 times the number of bicycles in Beijing
100s on every Windows computer
10,000s of ways to break into any bank
... or competitor’s network
... or government agency
... or national infrastructure
Affected Vendors
Microsoft
Apple
Google
VMware
IBM
Siemens
Mozilla
Adobe
Avast
Autodesk
Sophos
PGP
...
... 100+ at Secunia
... 100+ from our research
What Can You Do?
APPLY! Recommendations for Developers
Use absolute paths to libraries and executables
Don’t make “let’s see if it’s there” LoadLibrary* calls
Don’t plan on finding your DLL/EXE in CWD or PATH
Set CWD to a safe location at startup
Use SetDllDirectory(“”) at startup
Don’t use SearchPath function for locating DLLs
Check your product with Process Monitor or another tool
Test with CWDIllegalInDllSearch hotfix set to "max".
Do this for all modules of your product!
http://www.binaryplanting.com/guidelinesDevelopers.htm
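One way to carry out the “check your product with Process Monitor” step is to start the product with its CWD set to a marker directory that holds only a test document, export the capture as CSV, and list every DLL/EXE lookup recorded inside that directory. This is an added example, not code from the presentation; the marker directory name, process name and sample rows are constructed, and the column names are assumed to be Process Monitor's default CSV export columns.

```python
import csv
import io
import ntpath

BINARY_EXTS = (".dll", ".exe")
LOOKUP_OPS = {"CreateFile", "QueryOpen", "Load Image"}

# Constructed sample of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.001","example.exe","4242","CreateFile","C:\bp-marker\report.doc","SUCCESS",""
"10:01:02.010","example.exe","4242","CreateFile","C:\Program Files\ExampleApp\dwmapi.dll","NAME NOT FOUND",""
"10:01:02.011","example.exe","4242","CreateFile","C:\Windows\System32\dwmapi.dll","NAME NOT FOUND",""
"10:01:02.012","example.exe","4242","CreateFile","C:\Windows\System\dwmapi.dll","NAME NOT FOUND",""
"10:01:02.013","example.exe","4242","CreateFile","C:\Windows\dwmapi.dll","NAME NOT FOUND",""
"10:01:02.014","example.exe","4242","CreateFile","C:\bp-marker\dwmapi.dll","NAME NOT FOUND",""
"10:01:02.020","example.exe","4242","Load Image","C:\Windows\System32\version.dll","SUCCESS",""
"10:01:02.030","example.exe","4242","QueryOpen","C:\bp-marker\helper.exe","NAME NOT FOUND",""
"10:01:02.031","example.exe","4242","RegOpenKey","HKLM\Software\ExampleApp","SUCCESS",""
'''


def find_cwd_lookups(csv_text, marker_cwd):
    """Return sorted (process, binary, status) for lookups inside marker_cwd.

    The marker directory contains no binaries, so any DLL/EXE lookup there
    means a relative name was resolved through the CWD.
    """
    marker = marker_cwd.rstrip("\\").lower()
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] not in LOOKUP_OPS:
            continue
        if not path.lower().endswith(BINARY_EXTS):
            continue
        if ntpath.dirname(path).lower() != marker:
            continue
        key = (row["Process Name"], ntpath.basename(path).lower())
        # SUCCESS means a file in the CWD was opened; any other result is a
        # probe that a file of that name would have satisfied.
        status = "opened-from-cwd" if row["Result"] == "SUCCESS" else "probed-in-cwd"
        if findings.get(key) != "opened-from-cwd":
            findings[key] = status
    return sorted((proc, name, status) for (proc, name), status in findings.items())


if __name__ == "__main__":
    for finding in find_cwd_lookups(SAMPLE_CSV, r"C:\bp-marker"):
        print(finding)
```

Each finding names a module whose load call should be changed to an absolute path or removed, per the recommendations above.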
APPLY! Recommendations for Administrators
Install Microsoft’s Hotfix, remember to configure it
Disable “Web Client” service
Windows Software Restriction Policy, Windows AppLocker (enable DLL)
Personal firewall with process and connection blocking
Block outbound SMB on corporate firewall
Block outbound WebDAV on corporate firewall
Limit internal SMB, WebDAV traffic
Restrict write access on file repositories to prevent planting
http://www.binaryplanting.com/guidelinesAdministrators.htm
APPLY! Recommendations for Users
Be careful when using USB sticks, CDs, DVDs from unknown sources
Think before double-clicking on anything presented to you
If in doubt, transfer the data file (alone) to local drive and open it
Alert your administrators about binary planting
Resources
www.binaryplanting.com
blog.acrossecurity.com
http://support.microsoft.com/kb/2264107
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://securityxploded.com/dllhijackauditor.php
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://secunia.com/advisories/windows_insecure_library_loading/
Google “binary planting”, “dll hijacking”, “dll preloading”
Public Binary Planting Tools
DLLHijackAuditKit
www.binaryplanting.com/test.htm
Mitja Kolsek
ACROS d.o.o.
www.acrossecurity.com
BP-Positive vs. CWD-Addicted