ShimBad the Sailor

Posted on by

Application Shims have been extensively covered by security researchers – a very comprehensive overview of the available techniques was presented at BH2015 (PDF warning) by Sean Pierce (@secure_sean who also happens to host a page dedicated to the subject at https://sdb.tools/).

I wondered if we could look at shims from a slightly different perspective, and this post is about it.

What if…

…we didn’t change anything, didn’t add any new entries, no custom databases etc.

What if…

We analyzed the existing shims and identified some that could do some interesting things for us? We would then need to fulfill the conditions required for shim to be triggered, and voila… we could now do things via a covert channel – that is, shim engine could be doing the dirty deed and a casual observer would be none the wiser.

Demo time.

On Windows 7, AOL Instant Messenger can be loaded via aim.exe with following versioninfo properties:

  • CompanyName = America Online, Inc.
  • ProductName = AOL Instant Messenger

When system detects such program it applies a SHIM:

The shim loads a library rtvideo.dll.

I took a basic example from masm32 package and changed the properties of the file accordingly:

and then compiled, renamed to aim.exe and the phantom DLL was added to the program by the shim engine.

This is just a basic example of what is possible/available.

Some of the shims create files, rename them, modify stack, fake reading files, etc. etc. . This offers a gamut of possibilities that are worth considering from various perspectives:

  • anti-sandbox, anti-analysis tricks
  • capture the flag tricks
  • after building a repo of shim gadgets one could potentially deliver a lot of functionality by using dummy, non-malicious files ran in a proper sequence
    • copy files
    • patch bytes (<win10)
    • load DLLs
    • run executables
  • the example with aim.exe is truly fascinating as it represents a possibly novelty type of code injection: phantom sideloading
    • we sideload that DLL with a predetermined name w/o calling any obvious function inside the .exe
    • in the example I am using a custom aim.exe that is just quick & dirty piece of test code; one could potentially find that legitimate, original aim.exe and play with that
    • the latter could be potentially signed
    • and even better, could be not even directly referring to rtvideo.dll
    • as such, it could be a signed .exe phantom sideloading a DLL with a predetermined name — and in some cases becoming a potential phantom lolbin as well
  • persistence is there too to consider

Now, this might have sounded a bit rosy, but reality is that analysing shims is a bit of a pain & options they offer are still pretty limited. Yes, the number of really useful shims is pretty low, let alone these that could be meeting all the cool requirements I listed above… As such, defenders shouldn’t worry about this trick too much… Until this topic is explored a bit more 🙂

StackOverflown in practice…

Posted on by

We are so used to all the jokes about programmers re-using online code and copypasting stuff from StackOverflow all the time that we sometimes forget about a sad reality – lots of public code is being copied blindly, and ‘if it works’, it more than often makes it to a production level… yes… including code that is incorporated into release build and signed binaries.

This brings a lot of interesting side-effects:

  • signed binaries are often blindly trusted, so vulnerable code that makes it into a signed binary is a big bonus for researchers/attackers (follow hFireFOX and his kernel driver copypasta discoveries)
  • a code that uses a hardcoded set of crypto primitives will be vulnerable to the fact these primitives are out there and in public –> attackers can decrypt secrets faster
  • since the programmers who copypaste the code don’t know any better it often takes a lot of efforts for them (or their successors) to fix these issues

The main topic of this post is the item #2 on the above list:

– crypto primitives re-use.

After poking around en masse in a large number of ‘good; samples I discovered that many of these samples re-use the AES crypto routines that rely on the following two primitives:

  • IV: “OFRna73m*aze01xY”
  • Salt: “Kosher”

This is not a coincidence – you can find code instances that refer to this combo here. Programmers don’t know what to change in this code and they just embed it as it is. Bad and pretty big mistake.

There are many more examples like this and I may list them some time in the future.