Back from Brussels, where I attended a ISSA/OWASP local chapter meeting tonight. As usual, it was very interesting! Thanks to the organizers! There was two presentations on the planning.
Didier Stevens explained why PDF files became so risky today! He started with a brief introduction about the PDF file format created by Adobe. Then, he enumerated several threats:
- Spam (quite old)
- Phishing (via Forms Data Format)
- Information disclosure
- Incremental updates
- Security features bypass
The second presentation was performed by Erez Metula, 2BSecure. He talked about .Net rootkits: with the help of several live demos, he showed to the attenders how it’s quite simple to change or add features in .Net DLLs (code reverse-engineering, adapt code, recompile, deploy the new DLL).
During the presentation, the way Microsoft handles DLL signature left me perplex… Indeed, .Net don’t check for a signature in the DLL itself, the signature is part of the directory like:
“b03f5f7f11d50a3a” is the DLL signature. If you overwirte the DLL inside this directory by a compromised one, .Net will not complain and just load it without extra checks! Here are examples of attacks that can be performed using functions change:
- Web push to a remote server (credentials, sensitive data, etc)
- Reverse shells
- Key stealing, fixed key generation, SecureString stealing
To perform this kind of attacks, you need administrative privileges! So, the classic attack path will be: compromise the server, get admin privileges, and then install the “bad” DLLs. A tool exists to automatically build rootkits: .net-Sploit. Conclusion: there is no bullet-proof method to avoid such rootkits. A good idea is to use Tripwire to detect changes made on system files but, assuming you run Tripwire once a day, it will only reduce the attack surface and not fully protect you!
Once again, a very nice evening, I learned a lot!