Archive for April, 2009

April 2009 Patch Day – Spring Cleaning

A slew of Microsoft updates this month: eight bulletins released, 5 Critical, 2 Important, and 1 Moderate. Eight patches is a larger number than in recent months, but the notable thing about this release is that it fixes several issues Microsoft had previously described as too laborious or complex to fix. That includes the Safari "carpet bombing" and SearchPath issues, further hardening against credential reflection (in the vein of the SMBRelay fix in MS08-068), and the service isolation issues called out at a 2008 security conference.

Microsoft had previously stated that each of these issues was either too complex to solve or did not represent an actual vulnerability. It is encouraging to see that they have taken a second look at each of these topics and found solutions for all of them. In probably their most ambitious patch to date, Microsoft even pulled developers off Windows 7 to assist with the creation of the MS09-012 patch (discussed below). We can only hope that Microsoft continues in this vein and re-examines other parts of the operating system that were thought too complex to fix. Gory details below…

Microsoft also closed out several outstanding 0-day issues with MS09-009 and MS09-010, including the Excel vulnerability (Security Advisory 968272, February 2009) and the WordPad/Office text converter vulnerability (Security Advisory 960906, December 2008). Install these two right away: exploits for both have been circulating on the Internet for several months.

On to the good stuff:

1. Starting with the carpet bombing fixes: Microsoft released two patches for this issue, an IE patch and an OS patch. MS09-014 is a cumulative IE update that addresses six vulnerabilities, one of which is the carpet bomb fix. In the original attack scenario, a malicious web page pushed a file down to the user's desktop through the initial Windows release of Apple's Safari browser, which saved downloads there without prompting. The file was given a specific name, one that matched a DLL Internet Explorer loads. When the user later started Internet Explorer, IE loaded the malicious DLL from the desktop (its current working directory) instead of the legitimate, identically named one from the system directory.

MS09-014 solves this by taking the current working directory (in this case the desktop) out of the search path. When IE is launched it now looks in the system path for the proper file rather than loading the illegitimate copy from the desktop.

The IE fix was accomplished by modifying two of the IE DLLs so that they no longer look in the current working directory first when loading other DLLs. Because the code change itself only touches Internet Explorer, Microsoft also exposed a registry key (a standard IE FeatureControl entry, keyed by executable name like the other FEATURE_* entries) for anyone who wants to control this behaviour for other applications:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027
"iexplore.exe"=dword:00000000

As with other FeatureControl entries, a DWORD of 1 enables the feature for the named executable and 0 disables it, so check the value you write against what you actually intend.

The second fix for the carpet bombing issue came in MS09-015, an OS patch for XP and later. It does two things: 1. it modifies one system DLL (secur32.dll) that incorrectly searched the current working directory for schannel.dll, and 2. it makes safe-search APIs available to application developers: SetDllDirectory, which, when called with an empty string, removes the current working directory from the DLL search order, and the new SetSearchPathMode, which moves the current working directory to the end of the directories searched by the SearchPath API.
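The following is an added example, not code from the Shavlik post or from Microsoft, showing the SearchPath behaviour MS09-015 changes. It plants an empty decoy file named schannel.dll (the same name the post mentions) in a throwaway directory under %TEMP% (a hypothetical path chosen for the demo), makes that directory the process's current working directory, and asks SearchPath to resolve the name before and after SetSearchPathMode. It needs Vista/Server 2008, or XP/Server 2003 with MS09-015 applied, because SetSearchPathMode does not exist in an unpatched XP/2003 kernel32.dll.

```powershell
# Added example (not from the post): P/Invoke the two APIs MS09-015 documents and
# watch where SearchPath resolves "schannel.dll" with a decoy in the CWD.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class SafeSearchDemo {
    public const uint BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE = 0x00000001;
    public const uint BASE_SEARCH_PATH_PERMANENT              = 0x00008000;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetSearchPathMode(uint flags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool SetDllDirectory(string path);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint SearchPath(string path, string fileName, string extension,
                                         uint bufferLength, StringBuilder buffer, IntPtr filePart);
}
"@

function Resolve-WithSearchPath {
    param([string]$Name)
    $buf = New-Object System.Text.StringBuilder 1024
    $len = [SafeSearchDemo]::SearchPath($null, $Name, $null, $buf.Capacity, $buf, [IntPtr]::Zero)
    if ($len -eq 0) { return $null }
    return $buf.ToString()
}

# A "carpet bombed" directory (hypothetical path) holding an empty decoy file that
# carries a system DLL's name. It is only resolved, never loaded.
$decoyDir = Join-Path $env:TEMP 'carpetbomb-demo'
New-Item -ItemType Directory -Path $decoyDir -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $decoyDir 'schannel.dll') -Force | Out-Null

# Gotcha: Set-Location only changes PowerShell's location. SearchPath consults the
# Win32 process CWD, which is [Environment]::CurrentDirectory, so set that directly.
$savedCwd = [Environment]::CurrentDirectory
[Environment]::CurrentDirectory = $decoyDir
try {
    # Legacy order: application directory, then CWD, then the system directories,
    # so the decoy in the CWD wins over %SystemRoot%\system32\schannel.dll.
    "Before SetSearchPathMode : {0}" -f (Resolve-WithSearchPath 'schannel.dll')

    # Safe mode moves the CWD after the system directories for the whole process;
    # PERMANENT stops any later code in the process from switching it back off.
    $flags = [SafeSearchDemo]::BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE -bor
             [SafeSearchDemo]::BASE_SEARCH_PATH_PERMANENT
    if (-not [SafeSearchDemo]::SetSearchPathMode($flags)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SetSearchPathMode failed (Win32 error $err); is MS09-015 installed?"
    }
    "After  SetSearchPathMode : {0}" -f (Resolve-WithSearchPath 'schannel.dll')

    # The LoadLibrary counterpart: an empty string removes the CWD from the DLL
    # search order entirely rather than demoting it.
    [void][SafeSearchDemo]::SetDllDirectory('')
}
finally {
    [Environment]::CurrentDirectory = $savedCwd
    Remove-Item $decoyDir -Recurse -Force
}
```

The first line of output points at the decoy under %TEMP%, the second at the real DLL in the system directory. Note that SetSearchPathMode only changes the SearchPath API; applications that resolve a name with SearchPath and then hand the result to LoadLibrary get the benefit, while plain LoadLibrary calls are governed by the DLL search order and therefore by SetDllDirectory.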

2. The second issue addressed this month (and again requiring two patches) is further avenues for credential reflection. Credential reflection was first addressed in MS08-068, which covered the scenario where opening a malicious e-mail or document, or viewing a malicious website, makes your machine authenticate to the attacker's server and send it a challenge-response (NTLM) exchange derived from your username and password. The attacker never learns the password, but can turn the exchange around and reflect it back to your own computer to authenticate as you. MS08-068 closed this when the attack vector was the SMB protocol. MS09-013 is an operating system patch that solves the same problem for the WinHTTP connection engine (HTTP), and MS09-014, the Internet Explorer patch already mentioned for the carpet bomb fix, closes it for WinINet, the HTTP engine Internet Explorer itself uses when it authenticates to a server.

In both credential reflection attacks the attacker needs SMB access to the target system; that is what lets them reach its file system and remote registry once the reflected authentication succeeds. Since SMB (TCP 139 or TCP 445) is usually blocked at the Internet gateway/firewall, these attacks are more likely to be carried out on an internal corporate network. The MS09-014 WinINet vector is the worrisome one in that environment, because Internet Explorer is configured by default to present the user's Windows credentials automatically to servers in the Intranet zone.

To prevent your machine from being accessed via a credential reflection attack, install MS08-068, MS09-013, and MS09-014. (These stop the attack when your own system is the one that sent the credentials to the attacker. They do NOT prevent a relay, where credentials gathered from another system are forwarded to yours; if the same account is valid on both machines, that still works.)
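Because the WinINet vector depends on Internet Explorer's automatic logon behaviour, the first thing to check on an internal network is which zones are allowed to send credentials silently. The script below is an added example, not code from the Shavlik post; it reads the "Logon" URL action (value name 1A00) under each IE zone key in both HKLM and HKCU and decodes the DWORD meanings Internet Explorer documents for that setting. The zone numbers and names are IE's own; SendsCredsSilently is this example's interpretation of the value, not a Microsoft field.

```powershell
# Added example (not from the post): report, per IE security zone, whether IE will
# hand the logged-on user's Windows credentials to a web server without asking.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$policy = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-IeLogonPolicy {
    # HKCU holds the user's own zone settings; settings pushed by policy land under
    # HKLM (and override HKCU when Security_HKLM_only is set), so report both hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($zone in 0..4) {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            $raw = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
            if ($null -eq $raw) { continue }   # zone or value not present in this hive
            $meaning = if ($policy.ContainsKey([int]$raw)) { $policy[[int]$raw] } else { 'Unknown value' }
            # Only 'Prompt' and 'Anonymous' keep IE from answering an NTLM challenge
            # on its own. 'Only in Intranet zone' sends credentials for zone 1 URLs.
            $silent = ([int]$raw -eq 0) -or ([int]$raw -eq 0x20000 -and $zone -eq 1)
            New-Object PSObject -Property @{
                Hive               = $hive
                Zone               = $zoneNames[$zone]
                Raw                = ('0x{0:X5}' -f [int]$raw)
                Policy             = $meaning
                SendsCredsSilently = $silent
            }
        }
    }
}

Get-IeLogonPolicy | Format-Table Hive, Zone, Raw, Policy, SendsCredsSilently -AutoSize
```

On a default install the Local intranet zone shows 0x20000 and SendsCredsSilently = True, which is exactly the behaviour the WinINet reflection attack relies on; an attacker only needs a host name that IE classifies as intranet (an unqualified name, for instance).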

3. The last, and most interesting, patch I'll mention is MS09-012, which addresses "token kidnapping". Essentially, it helps prevent applications running as NetworkService or LocalService from escaping those limited service accounts and running as LocalSystem. In short, it means better protection for your web and SQL servers.

Token kidnapping is detailed in a whitepaper by Cesar Cerrudo (http://www.argeniss.com/research/TokenKidnapping.pdf) that was presented at last year's Hack in the Box conference (April 2008). Using the impersonation functions available to these service accounts, code running in such a service can obtain a token for a different security context and execute under it; LocalSystem is the preferred target, since it has super-admin permissions. The result is code execution with full administrative rights.

Any application that runs as NetworkService or LocalService (and therefore holds SeImpersonatePrivilege) is susceptible to this attack. The most common attack vectors are IIS and SQL Server. IIS 6 and 7 run under the NetworkService context and grant Full Trust to .NET applications by default, making them ideal candidates for this kind of attack.

This becomes a real concern on web servers where users are allowed to upload code. The most common scenario is a multi-tenant web server where an ISP hosts websites for multiple customers on the same machine, and each customer is allowed to upload pages to their own site. If a customer uploads a specially crafted .aspx page, viewing that page executes code as LocalSystem on the server. That gives the customer administrative access to the entire web server, for example to every site hosted on it, not just their own. From there the customer (now attacker) can reach back-end SQL databases and other sensitive information, plant backdoors on the server, pivot to other servers inside the ISP's network, and so on. Not good.

Microsoft expended a great deal of effort on this issue, even pulling developers off Windows 7 to assist with the patch. Parts of the fix (the token handling) were backported from Vista and Windows Server 2008, while brand new code had to be written for all operating systems from XP through Server 2008. As a result of that effort, MS09-012 provides service isolation that mitigates the attacks Cesar Cerrudo identified.
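Before and after deploying MS09-012 it helps to know exactly what on a given server runs under the two accounts the attack starts from. The script below is an added example, not code from the Shavlik post or from Cesar Cerrudo's paper; it uses WMI to list every process owned by LocalService (SID S-1-5-19) or NetworkService (SID S-1-5-20), ties each back to the services it hosts, and flags the IIS and SQL Server image names the post singles out. The $knownVectors list is this example's own shortlist, and the script needs to run as an administrator so WMI can report the owner of every process.

```powershell
# Added example (not from the post): inventory what runs as LocalService or
# NetworkService on this host and flag the usual token-kidnapping launch points.
# Owners are matched by well-known SID rather than display name so the check does
# not depend on the system's language.
$accountBySid = @{ 'S-1-5-19' = 'LocalService'; 'S-1-5-20' = 'NetworkService' }
$knownVectors = @('w3wp.exe', 'inetinfo.exe', 'aspnet_wp.exe', 'sqlservr.exe')

function Get-ServiceAccountExposure {
    # Map each PID to the service name(s) it hosts, so a flagged process can be
    # traced back to the service configuration that put it in that account.
    $servicesByPid = @{}
    foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }

    foreach ($proc in Get-WmiObject Win32_Process) {
        $owner = $proc.GetOwnerSid()
        # ReturnValue 0 means WMI could read the token; skip the rest (access denied,
        # exited processes) and anything not running as one of the two accounts.
        if ($owner.ReturnValue -ne 0 -or -not $accountBySid.ContainsKey($owner.Sid)) { continue }
        New-Object PSObject -Property @{
            ProcessId   = $proc.ProcessId
            Image       = $proc.Name
            Account     = $accountBySid[$owner.Sid]
            Services    = ($servicesByPid[[int]$proc.ProcessId] -join ', ')
            # Both accounts hold SeImpersonatePrivilege by default, so every row is
            # exposed; these image names are where attacker-supplied code runs.
            KnownVector = ($knownVectors -contains $proc.Name)
        }
    }
}

Get-ServiceAccountExposure |
    Sort-Object KnownVector -Descending |
    Format-Table ProcessId, Image, Account, Services, KnownVector -AutoSize
```

A w3wp.exe or sqlservr.exe row in the output is the multi-tenant scenario described above; on those hosts MS09-012 belongs at the top of the installation order.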

Shavlik’s recommended order of installation:
Client systems:

  1. MS09-009
  2. MS09-010
  3. MS09-014
  4. MS09-011
  5. MS09-013
  6. MS09-012 (if running IIS or SQL)
  7. MS09-015

Server systems:

  1. Follow the recommendations for client systems, plus:
  2. if hosting SQL Server or IIS web services where users can upload code to the system, install MS09-012 as soon as possible
  3. install MS09-016 as soon as possible on ISA Server systems
