MUI Poisoning in practice

In my old post I discussed the idea of MUI poisoning. Today I want to show a practical example of this technique – one that has an interesting impact on incident response efforts.

Some security solutions rely on running local, native OS binaries to collect information from the system. Tools like netstat, ipconfig, etc. are executed on a regular basis and their output is collected and aggregated in some log repository.

These local tools often rely on MUI files, and this is where we step in. By modifying the MUI files of selected tools one can force these tools to return complete garbage. For instance, the following example shows netstat.exe with its MUI modified so that it always prints the source IP where the destination IP should be listed. The change can be made with the old tool Resource Hacker:

Once we replace the MUI file, netstat.exe will return stuff like this:

This anti-forensic technique could potentially be extended to every piece of software that relies on external language files (be it MUI or anything else). As long as these format string patterns can be manipulated, security software can be forced to present garbage output: for instance, malware alerts reporting wrong paths (e.g. hardcoded, non-existent paths), or Windows Event Logs reporting misleading information.
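The natural counter-check, as an added example that is not part of the original post: on a stock Windows install the .mui files under System32 are catalog-signed, so a file that has been edited with Resource Hacker no longer matches any catalog hash and its signature stops validating. The script below walks the per-language folders for a list of collector tools (the list itself is an assumption; put in whatever your solution actually runs) and flags any MUI whose signature is not Valid.

```powershell
# Added example, not code from the original post. Audits the MUI language files
# loaded by netstat.exe, ipconfig.exe and similar collector-run tools and flags
# any whose signature no longer validates. On a stock Windows 10/11 install these
# files are catalog-signed (Status Valid, SignatureType Catalog); a .mui edited
# with Resource Hacker no longer matches its catalog hash and reports NotSigned
# (or HashMismatch if it carried an embedded signature). The tool list below is
# an assumption: put in whatever your collector actually executes.
$Tools = @('netstat.exe', 'ipconfig.exe', 'tasklist.exe', 'arp.exe', 'route.exe')
$Sys32 = Join-Path $env:SystemRoot 'System32'

function Get-MuiAudit {
    param([string[]]$ToolNames)

    foreach ($tool in $ToolNames) {
        # MUI files live in per-language subfolders, e.g. System32\en-US\netstat.exe.mui
        $muiPaths = Get-ChildItem -LiteralPath $Sys32 -Directory |
            ForEach-Object { Join-Path $_.FullName "$tool.mui" } |
            Where-Object { Test-Path -LiteralPath $_ }

        if (-not $muiPaths) {
            Write-Warning "$tool : no .mui found under $Sys32 (unusual for a localized tool)"
            continue
        }

        foreach ($mui in $muiPaths) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $mui
            $file = Get-Item -LiteralPath $mui
            [pscustomobject]@{
                Tool      = $tool
                MuiPath   = $mui
                Status    = $sig.Status
                SigType   = $sig.SignatureType
                Signer    = $sig.SignerCertificate.Subject
                LastWrite = $file.LastWriteTimeUtc
                Tampered  = ($sig.Status -ne 'Valid')
            }
        }
    }
}

$results = Get-MuiAudit -ToolNames $Tools
$results | Format-Table Tool, Status, SigType, LastWrite, MuiPath -AutoSize
$results | Where-Object Tampered | ForEach-Object {
    Write-Warning "Possible MUI poisoning: $($_.MuiPath) ($($_.Status))"
}
```

Two caveats. First, this runs on the same host that may have been tampered with, so treat it as a triage signal and confirm from a known-good image (e.g. compare hashes of the .mui files offline, or run sfc /verifyfile=<path> against the flagged file). Second, a Valid signature only tells you the file is the Microsoft original; it says nothing about the executable itself, which is why the tool's own binary should be checked the same way.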

Beyond good ol’ Run key, Part 125

Update

Turns out @0gtweet posted about it in January and I missed that!!!

Old Post

Been awhile since I posted in this series, so here comes a new trick.

change.exe is not your typical executable, for sure. When I looked at it for the first time I was perplexed: within the first few lines of code it literally executes other executables. Must be something good, I thought, and good it was indeed.

When launched, change.exe does something very strange: it enumerates Registry entries under this location:

  • HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\change

These entries are … interesting, because they look like stringified flags followed by executable names. A possible abuse opportunity?

When you run ‘change /?’ you get the following help information:

CHANGE { LOGON | PORT | USER }

Do you see the pattern? No? Look at these Registry entries again.

In my first attempt I added ‘foo|0 1 NOTEPAD notepad.exe’:

I then ran ‘change notepad’ and … notepad executed.

Now, if you paid attention, there are other Registry keys listed in the first screenshot:

change -> change.exe 
query -> query.exe 
reset -> reset.exe

They all follow the same pattern and fetch their command list from the Registry!

So you can either add a new entry or modify an existing one. Access rights are in place and the key is owned by TrustedInstaller, but… well… once on the box, always on the box.
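For the blue team side of this, here is an added example (my own audit script, not code from the original post) that enumerates the command tables under Terminal Server\Utilities for all three tools and flags entries that do not look like the stock ones. It assumes the value data has the shape "<flag> <flag> <TOKEN> <executable>" (e.g. "0 1 LOGON chglogon.exe"), i.e. the flags-then-executable pattern described above, with a bare executable name resolved from System32; the baseline value names are from my own Windows 10/11 notes and should be adjusted to your build.

```powershell
# Added example, not code from the original post. Enumerates the command tables
# that change.exe, query.exe and reset.exe read from the Registry and flags
# entries that do not look like the stock ones. Assumptions: value data has the
# shape "<flag> <flag> <TOKEN> <executable>" (e.g. "0 1 LOGON chglogon.exe"),
# with a bare executable name loaded from System32; the baseline value names
# below are from my own Windows 10/11 notes, so adjust them to your build.
$Base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Utilities'
$Sys32 = Join-Path $env:SystemRoot 'System32'

$Baseline = @{
    change = @('LOGON', 'PORT', 'USER')
    query  = @('PROCESS', 'SESSION', 'TERMSERVER', 'USER')
    reset  = @('SESSION')
}

function Get-TsUtilityAudit {
    foreach ($tool in $Baseline.Keys) {
        $key = Get-Item -LiteralPath (Join-Path $Base $tool) -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }            # skip the (Default) value
            $data    = [string]$key.GetValue($name)
            $parts   = $data -split '\s+'
            $exe     = $parts[-1]
            $reasons = @()

            # Bare names are loaded from System32 by the tool; explicit paths stay as-is
            if ($exe -notmatch '[\\/]') { $exe = Join-Path $Sys32 $exe }

            if ($name -notin $Baseline[$tool])        { $reasons += 'value name not in baseline' }
            if ($parts.Count -ne 4)                   { $reasons += 'unexpected field count' }
            if ((Split-Path $exe -Parent) -ne $Sys32) { $reasons += 'target outside System32' }

            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
                    $reasons += "target signature $($sig.Status)"
                }
            } else {
                $reasons += 'target does not exist'
            }

            [pscustomobject]@{
                Tool       = $tool
                ValueName  = $name
                Data       = $data
                Target     = $exe
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$results = Get-TsUtilityAudit
$results | Format-Table Tool, ValueName, Data, Suspicious, Reason -AutoSize
$results | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Check $Base\$($_.Tool) : $($_.ValueName) = '$($_.Data)'"
}
```

Note which check catches what: the 'foo' entry pointing at notepad.exe from the experiment above passes the path and signature tests (notepad.exe is a signed Microsoft binary in System32) and is caught only by the baseline comparison, whereas a modified existing entry that points at a dropped binary trips the path or signature check regardless of its name. Reading the key needs no special rights, so this can run from any account; the key being owned by TrustedInstaller also means a legitimate change to it should be rare enough that any write is worth alerting on.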

Last, but not least – it’s a persistence mechanism and a LOLBIN in one.