
Messages From Beyond The Grave

April 6, 2019 in Random ideas, Silly, UAC Bypass

This is a silly idea that attempts to abuse one very specific class of error messages on Windows: the ones that show up when the OS is unable to load a DLL or resolve an API function that an executable relies on.

On Windows 10 we will see the message below if a DLL is missing (here: kernel3x.dll is missing):

Or this (for an API):

Earlier versions of Windows are a little bit more descriptive as they include a reference to an API as well – in this case a very long non-existing function name:

The longest API name I could use is 248 characters. That’s plenty.

These message boxes come in response to a call to the NtRaiseHardError function. When ntdll.dll starts a new process it tries to load the statically linked libraries and resolve all the imported functions one by one. If anything fails, a hard error is raised, e.g.:

  • 0xC0000135 STATUS_DLL_NOT_FOUND (missing DLL)
  • 0xC0000138 STATUS_ORDINAL_NOT_FOUND (function imported by ordinal not found)
  • 0xC0000139 STATUS_ENTRYPOINT_NOT_FOUND (unresolved API function)

Information about these hard errors is added to the Event Logs (Event ID 26 under System), which may come in handy as a way to trace ‘failed processes’, e.g.:

Interestingly, all these error message boxes are actually ‘owned’ by the csrss.exe process – a very interesting target from an attacker’s perspective.

At this stage one can immediately note that:

  • the message relies on data directly embedded inside a ‘corrupted’ file, i.e. the input data is controlled by the file’s developer and there doesn’t seem to be any input sanitization (but in fairness, why should there be one really?)
  • it means we can produce a file with a long file name, placed in a location with a long path, using non-existing DLL name(s) and/or API names (up to 248 characters), which in turn will appear in the message box exactly the way we planned. yup, we can control a big part of the message!
  • this may help to develop simple social engineering attacks
  • a more subtle implication of the above is that we could potentially inject _any_ code/data into the csrss.exe process w/o raising any flag (while achieving code execution is obviously much harder, having the ability to easily inject data into csrss.exe is a nice bonus); this could be abused in a number of ways, e.g.:
    • a very simple, yet naughty example could be a program using the EICAR string as an API name; I have not tested it, but there is a dangerous possibility that the system could BSOD if an AV decided to terminate the process with this string inside
    • misdirection / planting evidence, e.g. IOCs of other campaigns, non-sensical URLs, etc., so that they can be found during memory inspection and act as a red herring for analysts
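Since the controlled DLL/API text ends up in the Event ID 26 record as well as on screen, a defender can triage those records for import names that read like a message to a human rather than a symbol a linker would emit. The following is an added example, not code from the original post: the sample lines are constructed to follow the standard “Application popup” wording, and the 64-character threshold and the identifier pattern are assumptions chosen for illustration.

```python
import re

# Constructed sample messages, modeled on the "Application Popup" text that
# Windows writes to the System log as Event ID 26 when ntdll raises a hard
# error (STATUS_DLL_NOT_FOUND / STATUS_ENTRYPOINT_NOT_FOUND) at process start.
SAMPLE_EVENTS = [
    "Application popup: demo.exe - System Error : The code execution cannot "
    "proceed because kernel3x.dll was not found. Reinstalling the program may "
    "fix this problem.",
    "Application popup: demo.exe - Entry Point Not Found : The procedure entry "
    "point GetProcAddressExW could not be located in the dynamic link library "
    "kernel32.dll.",
    "Application popup: Invoice_2019.exe - Entry Point Not Found : The procedure "
    "entry point Your session has expired, re-enter your password to continue "
    "could not be located in the dynamic link library kernel32.dll.",
]

DLL_RE = re.compile(r"because (?P<dll>.+?) was not found")
API_RE = re.compile(r"procedure entry point (?P<api>.+?) could not be located "
                    r"in the dynamic link library (?P<dll>.+?)\.$")
# What a real import name looks like: a C identifier, possibly decorated
# (?, @, $) or carrying a .dll suffix. Spaces or punctuation never appear.
IDENT_RE = re.compile(r"^[A-Za-z_?@$][\w?@$.]*$")
MAX_SANE_LEN = 64  # assumed threshold; the page notes names can reach 248 chars

def parse_popup(message):
    """Return (program, dll, api) from one Event ID 26 message, or None."""
    prefix = "Application popup: "
    if not message.startswith(prefix):
        return None
    head, _, body = message[len(prefix):].partition(" : ")
    program = head.rsplit(" - ", 1)[0]          # strip the " - <title>" part
    m = API_RE.search(body)
    if m:
        return program, m.group("dll"), m.group("api")
    m = DLL_RE.search(body)
    if m:
        return program, m.group("dll"), None
    return None

def suspicious(name):
    """True when an import name looks like prose aimed at the user."""
    return name is not None and (len(name) > MAX_SANE_LEN or not IDENT_RE.match(name))

def triage(messages):
    """Return (program, dll, api, flagged) for every hard-error popup found."""
    results = []
    for msg in messages:
        parsed = parse_popup(msg)
        if parsed:
            program, dll, api = parsed
            results.append((program, dll, api, suspicious(api) or suspicious(dll)))
    return results
```

In practice the message strings would come from the System log (Event ID 26, source “Application Popup”) rather than the embedded list.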

So… we have four ways (path, file name, DLL name, API) to influence that error message on Windows 7, and three on Windows 10 (path, file name, DLL name). With these we can deliver at least two variants of Social Engineering tricks:

  • By swapping an API name with text of our choice we can attempt to persuade the user to do something they wouldn’t normally do. For example we could try to phish credentials:
  • Manual or ‘persuaded’ bypass of UAC

As long as we don’t close the error message it will continue to appear on the desktop. A funny side-effect (at least on Windows 10) is that it will often keep re-appearing on top of all windows, including the one shown by the UAC dialog box e.g.:

That is, if we run 2 programs, where the first one is an intentionally corrupted .exe with our message of choice and the second one requires UAC approval, we can overlap the UAC window with our message, e.g.:

All in all, not a big deal, just an interesting curiosity.

the art of staying ghidrated

March 10, 2019 in Preaching, Random ideas

The last few days were very exciting. The NSA folks released ghidra – a killer reversing app they use internally.

The software is great; I played with it for a bit and, like many other reversers, shared some screenshots and comments on Twitter. Over the last few days I looked through many Twitter and blog posts referencing the tool, and it’s pretty obvious this is going to be a gamechanger.

It’s free, it’s feature-rich, it’s expandable, and it warms our hearts every time it shows us cute ‘dragonian’ animations. And speaking of ‘draconian’, there is a lot of negative sentiment about the eligibility rules and the price tag that prevent non-corporate users from purchasing an IDA license.

Having to choose free vs. unreachable, the choice is pretty obvious.

There is one thing though that I don’t see covered in posts that are focused on this exciting new toy. It is the mission.

(For the record, I am going to wear my tinfoil hat now.)

When it comes to a mission, organizations like the NSA always have one. It is somehow bizarre that government orgs known for their secrecy release tools that give them an edge. GCHQ releases CyberChef, the NSA releases Ghidra. Should we expect more tools, released by DGSE, BND, and others?

The reason I am saying they give the respective orgs an edge is that these orgs rely on reversing a lot. They can obviously purchase exploits from brokers, intel from vendors, or access source code by any means necessary, but ultimately they do have a special task group that is responsible for cracking stuff en masse. And ghidra’s architecture, built for collaboration, is circumstantial evidence supporting my hypothesis here.

I am curious what is the mission when it comes to ghidra. Only a fool would believe that a release like this is just for ‘the good of the <input your preferred good reason here>’.

I believe both CyberChef and Ghidra support missions that are pretty obvious:

  • PR – we are not that bad; we share with community; we advance the science of security/reversing/etc.
  • Recruitment – kinda PR-related, but if the goal is to find geek recruits who want to work at the respective agencies then this works pretty well; these are excellent, mature tools, youngsters can use them, learn from them (for free!), and eventually become experts in using them; at that stage they can enter the respective agency and immediately jump on solving problems, saving lots of training time (in a similar manner to how large companies sponsoring labs at schools train students to use the ‘sponsored’ tools, which they will surely prefer to stick to, and purchase, when they become decision makers in the future)

The other motives are not clear.

One that comes to my mind is easy access to the work products of reversers, who will surely jump on the occasion to add plugins, support for new file formats, firmware modules, possibly in areas that are less mainstream.

Will such input create a snowball effect and give the agency access to resources that will improve the efficiency and reach of the tool, especially its internal version not shared with public?

I don’t think this is a very good mission per se, but I can easily imagine the release being a product of someone’s annual objective to ‘enhance ghidra capability to e.g. triple the number of supported firmware modules’. Open sourcing the software could be one attempt to achieve this objective with minimal input; maybe a bit of social media manipulation could steer people towards cracking problems that are interesting from the agency’s perspective?

Hard to say. Again, I don’t buy this idea of a mission too much, because management and quality checking of such crowd-sourced code would probably require more work than actually writing your own modules, or gaining access to the source code.

I do describe the above mission for a reason tho. Because even if it is not a true mission, it may end up being one. And it leads to a question, one that non-US reversers need to ask themselves. Will your work become a building block in enhancing the capabilities of a US foreign agency? Could it be that one day your parser, dumper or plug-in will allow that foreign agency to crack the software of the router at your country’s ISP, or of your IoT toys, faster? One may argue that all our public research can serve such a role, and it’s a fair point, but the important distinction is that by contributing to ghidra there is a direct link to the agency that makes the action a conscious decision, and may be seen as a direct contribution.

This is an open question. This is also a non-judgmental question. It is potentially a legal question tho. And perhaps a moral one too.