Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

ShmooCon 2012: Raising The White Flag

9 Comments Posted by ChrisJohnRiley on January 28, 2012

Raising The White Flag

:: Bypassing Application White Listing

– Curt Shaffer and Chris Cuevas

NOTE: The video of this talk has now been made available over at the ShmooCon website.

More and more people are seeing application whitelisting in their environments. Despite what marketing people say, these solutions don’t stop APT and other advanced threats. This talk is designed to shine a light on the issues with whitelisting.

Whitelisting is often touted as a replacement for AV. Despite the fact that something better than AV is needed, application whitelisting isn’t the solution. Their purpose seems good, for the execution is lacking. Things are headed in the right direction, but using simple bypass techniques it’s possible to bypass these whitelisting protections.

The following application whitelisting tools were tested.

Bit9 Parity 6.0.0
McAfee Application Protection
Microsoft Applocker

Methodology

Windows File Protection
File Naming Fun
Iexpress packagng
Java Exploits/Malware
Flash Exploits/Malware
Adobe Exploits/Malware
JavaScript
VBA
Raw Shellcode
Powershell

Some other things were excluded due to time constraints (including HTML5, CD-ROM ISO masquerading, Digitally Signed Malware).

Bypassing Techniques Attempted

ActiveX
PDF attacks
- Spawning shell
Office documents
- VBscript Macros
Shellcodexec
- Inject shellcode into memory
JAVA
- Applet
- Exploit
JavaScript
- BeEF hook
- Firefox Extension
Powershell
- Run script by piping into powershell.exe
- DLL Injection
- Shellcode injection
- Chrome Extension
Man-in-the-Middle
- Sniff, modify, replay

This is all know. We’ve been pissing on AV for a long time. Time to piss on whitelisting as well.

Results

McAfee

Most things worked, except Windows File Protection and Iexpress.

Bit9

Inconsistent results with Windows File Protection, and again Iexpress failed. However everything else works.

What Worked

JavaScript

Injecting BeEF into a browser process

Windows Help Files

Compiled HTML, but needs a degree of social engineering to get people to click

Can run cmd.exe and game over

Office Documents

Lots of work in this area by Didier Stevens

Powershell

Powershell code injection into any 32bit or 64 bit

Powershell syringe

Man-in-theMiddle

Get between the client and server

ARP spoof, iptables redirect

It’s HTTPS, but it doesn’t check the cert

Enables you to drop level from enforce blocks to only alert

Self protection

Abilty to inject code into the actual whitelisting exe (in this case parity.exe of Bit9)

Bit9 deny this is an issue.

[ demo of shellcode exection within the Bit9 Notifier process ]

Metasploit module for this will be released to demo this.

Stopping this attack

To protect this on Bit9, go to the admin control panel and add memory rules to protect the notifier.exe process. The memory protection menu is only available in versions above 6.0.1.

Links:

Talk abstract –> HERE
(NEW) Further Information from the talk –> HERE
(NEW) Video of the talk –> HERE

Conference, Security Shmoocon, whitelisting

← ShmooCon 2012: Java backdoors and Cross Framework Abuse {book review} The Tangled Web →

9 responses to “ShmooCon 2012: Raising The White Flag”

Bit9 February 9, 2012 at 17:13
I am concerned about Bit9 and i need further information if available.
ChrisJohnRiley February 11, 2012 at 20:39
I would suggest contacting Bit9, or the speakers for further information… I’m afriad I don’t ahve anything beyond what was noted in the talk and written up on the blog!
ChrisJohnRiley February 13, 2012 at 15:56
I’ve added links to the Write-up by Foreground Security and the newly released video of the talk.

Apologies for those who found this quick set of notes unhelpful (wat0114)… feel free to attend the conference next time and write your own fucking notes!
Pingback: Why Malware Numbers Don’t Matter and What it Means for Security Accounting » ActiveResponse.org | ActiveResponse.org

RSS feed

RT @vtlynch: Mozilla now believes that StartCom purposefully backdated a SHA-1 certificate for a payment processing company (a flagrant vio… 4 hours ago
RT @vtlynch: Mozilla is planning to dis-trust new certificates issued by WoSign/StartCom. The CAs could be readmitted after 1yr https://t.c… 4 hours ago
RT @robertswiecki: UaF found by honggfuzz (with compile-time instrumentation of openssl) twitter.com/OpenSSLannounc… 4 hours ago
RT @aisamanra: Everyone knows K&R-style C and GNU-style C! But have you heard of these less-well-known C coding styles? https://t.co/XVzSOz… 5 hours ago
Been looking forward to this release for a while. Great work… much CSP… WOW! twitter.com/we1x/status/78… 6 hours ago
[SuggestedReading] Microsoft previews Project Springfield, a cloud-based bug detector ift.tt/2cwRHpv 7 hours ago

The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.

"Three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality. Anything you still can’t cope with is therefore your own problem."

Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and emissions are expected. I'm only human after all!

Cатсн²² (in)sесuяitу / ChrisJohnRiley

ShmooCon 2012: Raising The White Flag

Raising The White Flag