Re: [FD] Combining DLL hijacking with USB keyboard emulation

2016-01-15 Thread Rodrigo Menezes
While I agree that there is a lot you can do if you can plug a
malicious USB device into a computer and that you might not need
to take advantage of the DLL problem in order to successfully
complete the attack, my point is that it could help.

Consider that the attack could be carried out either by
convincing the user to plug in the USB device or by sneakily
plugging it into their computer while they're away. Therefore,
reducing the time it takes to complete and how much fuss it
makes on the screen could be a great advantage in a lot of
situations.

In my own experiments, a payload that simply starts transferring
a DLL completes in about six seconds. You can unplug the device
in less time than that, right after it opens cmd and starts the
execution of the one line of commands. This is quicker than any
other I've seen before.

On Sat, 09 Jan 2016 08:14:03 -0200, Alexey V. Vissarionov wrote:
 > On 2016-01-08 00:50:51 -0200, Rodrigo Menezes wrote:
 >  
 >  > Many of us have now been long aware of the possibility of
 >  > programming a USB device to emulate a keyboard and automatically
 >  > send keystrokes in order to perform malicious actions on a
 >  > computer. Some of the most interesting payloads that can be used
 >  > with this technique are based around downloading or creating an
 >  > executable file and then running it.
 >  > I'd like to bring to light that this attack could be combined
 >  > with DLL hijacking, with some benefits for the attacker.
 >  > For instance, a payload which simply downloads a DLL to the
 >  > current user's folder tends to complete faster and be more
 >  > reliable than one which tries to transfer an executable
 >  > AND immediately run it. The DLL would then most likely
 >  > be found and executed by a vulnerable installer [...] This way,
 >  > there would be no need for embedding in the payload a complicated
 >  > attempt at bypassing the active defense mechanisms.
 >  
 > Once you can fool the user to plug the USB device, you don't need 
 > anything else. The device may appear as 
 > 1. A mass storage, and 
 > 2. A keyboard or any other HID, and 
 > 3. Some unknown hardware 
 >  
 > Once the W-ndows enumerates this hardware, it will try to find and 
 > automatically install drivers for it. With a mass storage and a 
 > keyboard it will succeed, thus immediately bringing them to use, 
 > and unknown hardware would bring up a "search for drivers" dialog, 
 > where the attacker may (after some delay) send keystrokes to choose 
 > "search removable devices for drivers". Obviously, the mass storage 
 > part of the USB device would contain suitable .inf file pointing to 
 > malicious binaries. 
 >  
 > The USB device capable of performing such an attack may be as simple
 > as ATtiny85 + 25Q64 chips (both are available in a 3*4 mm SOP8),
 > with a total cost of 1 EUR. The 25Q64 offers 8 Mbyte of storage,
 > which is well enough for almost anything.
 >  
 >  
 > --  
 > Alexey V. Vissarionov aka Gremlin from Kremlin 
 > GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 
 >  



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
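The reply above assumes the attacker's device is enumerated by Windows as an ordinary keyboard. From the defender's side, the practical check is to ask which keyboard-class devices are present, and when a new one last appeared. The following PowerShell is an added example written for this page, not code from either poster; it assumes Windows 8 / PowerShell 4 or later (for the PnpDevice module), that a built-in laptop or PS/2 keyboard does not carry a `USB\` or `HID\VID_` instance ID, and uses the well-known Keyboard device setup class GUID to filter Kernel-PnP events.

```powershell
# Added example (not part of the thread): enumerate keyboard-class devices so
# an administrator can spot an unexpected USB "keyboard". Needs the PnpDevice
# module (Windows 8 / PowerShell 4 or later).
function Get-KeyboardDevices {
    Get-PnpDevice -Class Keyboard -PresentOnly |
        Select-Object FriendlyName, InstanceId, Status
}

# Reports keyboard-class devices whose instance ID marks them as USB / HID.
# Assumption: an integrated laptop keyboard (ACPI\...) or a PS/2 keyboard does
# not match these prefixes, so every match is a device worth looking at.
function Find-UsbKeyboards {
    Get-KeyboardDevices | Where-Object {
        $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'HID\VID_*'
    }
}

# Pulls Kernel-PnP "device configured" (400) and "device started" (410) events
# from the System log for the Keyboard setup class, which gives a timestamp for
# a keyboard that appeared even if it has since been unplugged.
function Get-RecentKeyboardPlugEvents {
    param([int]$Hours = 24)

    $keyboardClassGuid = '4D36E96B-E325-11CE-BFC1-08002BE10318'   # Keyboard setup class
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-PnP'
        Id           = 400, 410
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $keyboardClassGuid } |
        Select-Object TimeCreated, Id, Message
}

# Usage: list USB keyboards now present, then show plug events from the last two days.
Find-UsbKeyboards | Format-Table -AutoSize
Get-RecentKeyboardPlugEvents -Hours 48 | Format-List
```

On a desktop with one real keyboard, a second entry in the first listing, or a "configured" event at a time when nobody should have been at the machine, is exactly the trace the thread's attack leaves. Pairing this with a device installation policy (Group Policy "Prevent installation of devices not described by other policy settings", with the keyboard class allowed only for known hardware IDs) turns the check into a mitigation.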


[FD] Combining DLL hijacking with USB keyboard emulation based attacks

2016-01-08 Thread Rodrigo Menezes
Many of us have now been long aware of the possibility of programming a USB 
device to emulate a keyboard and automatically send keystrokes in order to 
perform malicious actions on a computer. Some of the most interesting payloads 
that can be used with this technique are based around downloading or creating 
an executable file and then running it.

However, defenses such as Windows' User Account Control (UAC) and SmartScreen 
might make this more complicated. While it's certainly possible to bypass them 
by sending the right sequence of keystrokes, they tend to make the payload 
longer, less stealthy and more likely to fail.

I'd like to bring to light that this attack could be combined with DLL 
hijacking, with some benefits for the attacker.

For instance, a payload which simply downloads a DLL to the current user's 
folder tends to complete faster and be more reliable than one which tries to 
transfer an executable AND immediately run it. The DLL would then most likely 
be found and executed by a vulnerable installer, such as described in Matt 
Howard's 2012 thread on this list, 
http://seclists.org/fulldisclosure/2012/Aug/134, and brought up again by 
the more recent efforts of Stefan Kanthak, 
http://seclists.org/fulldisclosure/2015/Nov/101. This way, there would 
be no need for embedding in the payload a complicated attempt at bypassing the 
active defense mechanisms.

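The setup the original post relies on is a DLL dropped into the user's download folder, beside an installer that resolves unqualified DLL names against its own directory. A defender can look for exactly that artefact. The PowerShell below is an added example for this page, not code from the poster or from the referenced threads; it assumes the folder to audit is `%USERPROFILE%\Downloads` (overridable via `-Path`) and that a loose DLL in a download folder is unusual enough to report regardless of its name.

```powershell
# Added example (not part of the thread): audit a download folder for loose
# DLLs sitting next to executables, the precondition for the installer DLL
# hijack the post describes. Reports signature status and a hash for triage.
function Find-LooseDlls {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

    # Executables found in the same folder; a DLL is only loadable by one of
    # these if it sits beside them, so list them alongside each finding.
    $exes = Get-ChildItem -Path $Path -File -Filter *.exe -ErrorAction SilentlyContinue

    Get-ChildItem -Path $Path -File -Filter *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Dll           = $_.Name
                Created       = $_.CreationTime
                Signature     = $sig.Status            # NotSigned, Valid, HashMismatch, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Sha256        = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                ExesAlongside = ($exes | ForEach-Object { $_.Name }) -join ', '
            }
        }
}

# Usage: audit the current user's Downloads and show unsigned DLLs first.
Find-LooseDlls | Sort-Object Signature | Format-Table -AutoSize
```

An unsigned DLL created seconds before an installer was launched is the pattern to escalate on. For the developer side of the same problem, an installer that calls `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)` at startup, or loads system libraries with `LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32)`, stops resolving those names against the directory it was run from, which removes the condition this audit looks for.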