RE: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer
Thanks a lot for everyone's comments and feedback on this disclosure. We
spent time on this old issue because it has an extremely high targeted
malicious attack capability and is very easy to exploit.

After Jeremy's IE targeting file saving vulnerability was disclosed in
November 2003, we came across the idea to test whether it was possible to
hijack SSL on IE. Boom, it took us only one day to research and successfully
test the exploit code! That's the reason why we did not disclose it in
detail. It is extremely easy to exploit. Just look into the SDK
documentation and everything is right there for you to exploit. What you
need to hijack SSL from IE is one function call from one DLL file. When we
tested it out, Windows OS (ACL was not considered then), IE and leading AV
software did not provide any kind of alert or alarm. The ease of exploiting
this weakness, and the failures at multiple layers to detect this intrusion,
led us to categorize this as a serious problem.

This exploit is far more sinister and hidden than the quite obvious ones
used by phishing. Compared to keylogger spyware, this exploit is much more
targeted and efficient. Keylogger spyware returns high volumes of
information which need a lot of filtering to obtain useful information.
Alternatively, someone can gain a lot of confidential info from
"data-mining" raw data before SSL encryption. This exploit will turn the
so-called "secure" transactions into completely insecure ones.

When we disclosed this to Microsoft, we were told that this feature has
existed for more than ten years. We could not understand why Microsoft
cannot take some protective measures against this simple and easy exploit of
"DLL proxy" attacks if they have known of the potential risk of "DLL proxy"
or "DLL injection" for years. In light of the widespread MyDoom, the latest
disclosure from eEye and Microsoft's subsequent patch announcement (04-007),
together with other vulnerabilities in other applications on Windows, don't
you think that the first line of defense against intrusion onto a PC for
normal users is almost not there?

When we dealt with Microsoft, Microsoft tried to push across the concept
that a malicious attack erasing a user's hard drive is far worse than
obtaining access to information intended to be encrypted using SSL!? Only
protecting against the entrance of an attack is not enough to mitigate
threats. By the way, they did not state "the program can DDoS ..".

When IE switches into https mode, it brings up the "security alert" dialog
(unless disabled) that states: "You are about to view pages over a secure
connection. Any information you exchange with this site cannot be viewed by
anyone else on the web." Is that whistling in the dark? Don't you agree
that the alert should be modified a little bit?

We have to sing the same song posted by Marc Maiffret from eEye:
U can't trust this
U can't trust this ...
MyDoom'd zombies DDoS U
Ur SSL is so easy to break...
What else is left to be trustworthy?

Regards

Peter Huang
http://www.ossecurity.ca/