If at first you don't succeed; call it version 1.0
Sunday, 13 January 2008

Evasive attacks are everywhere. Attackers use methods like blocking repeat visits to an exploit page, or serving a specific exploit per browser, in order to minimize detection of the attack by security vendors.

Another evasion technique is patch detection. Why try to exploit a machine on which the patch for the vulnerability is already installed?

This method can easily be implemented using known local file enumeration attacks. For example, in Internet Explorer the res protocol handler makes it possible to detect whether a local file exists, by loading local image resources or by using timing attacks.

Most installed patches save an uninstallation program. Its path is usually "\WINDOWS\$NtUninstallKBXXX$\spuninst\spuninst.exe", where XXX is the Knowledge Base number of the patch.

So, for example, if an attacker would like to know whether he should serve an exploit for the MDAC vulnerability, he can detect whether the client has the MS06-014 patch installed. According to the MS bulletin, 911562 is the Knowledge Base number of this patch, so he can check whether the file "\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe" exists. If the file does not exist, he serves the exploit. If the patch is installed, he does not serve the exploit, and by that he minimizes the probability of being detected.

There are already proof-of-concepts for local file enumeration out there, so I see no reason to provide another one. As I've already mentioned, the PoCs can easily be modified to implement patch detection.


P.S. - Patch detection can also be used for legitimate purposes. I encourage you all to download Secunia's PSI (Personal Software Inspector) and check whether you have unpatched software installed on your machine. Although, now that there is a way to detect patches remotely, we might see an online version of PSI soon :)
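The legitimate use the P.S. points at, as an added example that is neither the blog's nor Secunia's code: a local, PSI-style inventory that reads the same $NtUninstallKB<number>$ folders and reports which required patches are missing. Only KB911562/MS06-014 comes from the post; the placeholder bulletin and the directory tree are constructed here so it runs offline.

```python
import os
import re
import tempfile

# Folder name pattern described in the post: $NtUninstallKB<number>$
UNINSTALL_DIR = re.compile(r"^\$NtUninstallKB(\d+)\$$")

# Patches this host is expected to have. KB911562 -> MS06-014 is from the
# post; the second entry is a constructed placeholder, not a real bulletin.
REQUIRED = {
    "911562": "MS06-014",
    "999999": "PLACEHOLDER-BULLETIN (constructed)",
}


def installed_kbs(windows_dir):
    """Return the KB numbers whose uninstall program is actually present.

    A folder matching the name pattern but lacking spuninst\\spuninst.exe is
    ignored: that file is the one the post says a remote probe looks for.
    """
    found = set()
    for name in os.listdir(windows_dir):
        match = UNINSTALL_DIR.match(name)
        if not match:
            continue
        uninstaller = os.path.join(windows_dir, name, "spuninst", "spuninst.exe")
        if os.path.isfile(uninstaller):
            found.add(match.group(1))
    return found


def missing_patches(windows_dir, required=REQUIRED):
    """Map KB number -> bulletin for every required patch that is not installed."""
    present = installed_kbs(windows_dir)
    return {kb: bulletin for kb, bulletin in required.items() if kb not in present}


def build_sample_tree():
    """Create a constructed Windows-like directory tree for an offline run."""
    root = tempfile.mkdtemp(prefix="windows_")
    # Installed patch: uninstall folder plus the uninstall program itself.
    full = os.path.join(root, "$NtUninstallKB911562$", "spuninst")
    os.makedirs(full)
    open(os.path.join(full, "spuninst.exe"), "wb").close()
    # Constructed leftover folder without an uninstaller: must not count.
    os.makedirs(os.path.join(root, "$NtUninstallKB123456$"))
    os.makedirs(os.path.join(root, "system32"))  # unrelated folder
    return root
```

Run `missing_patches(build_sample_tree())` to see the report; on a real host pass the Windows directory instead of the constructed tree.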

Sunday, 13 January 2008 17:35:41 UTC | Comments [0] | Security#