New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework

To: <full-disclosure@xxxxxxxxxxxxxxxxx>, <websecurity@xxxxxxxxxxxxx>, <webappsec@xxxxxxxxxxxxxxxxx>, <dailydave@xxxxxxxxxxxxxxxxxxxxx>, <pen-test@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
From: "Erez Metula" <erezmetula@xxxxxxxxxxxxxx>
Date: Thu, 13 Nov 2008 18:07:33 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AclFpYSEkSgYrRqdSV2F4AgfDROe+wAAEKJwAAAI/uAAABB6YAAAEEEgAAAd8gAAAKemEA==
Thread-topic: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework

Paper Name
===========

.NET Framework Rootkits - Backdoors inside your Framework 
Author: Erez Metulaׁ
 

Paper Description
=================

The paper introduces a new method that enables an attacker to change the .NET 
language, and to hide malicious code inside its core.
It covers various ways to develop rootkits for the .NET framework, so that 
every EXE/DLL that runs on a modified Framework will behave differently than 
what it's supposed to do. Code reviews will not detect backdoors installed 
inside the Framework since the payload is not in the code itself, but rather it 
is inside the Framework implementation. Writing Framework rootkits will enable 
the attacker to install a reverse shell inside the framework, to steal valuable 
information, to fixate encryption keys, disable security checks and to perform 
other nasty things as described in this paper. 



Paper Summary
============
 
Framework modification can be achieved by tampering with a Framework DLL and 
"pushing" it back into the Framework.
The process is composed of several steps, described thoroughly at the 
corresponding whitepaper.
It also exposes a flaw in the manner in which a .NET Framework DLL is loaded, 
and how it is possible to bypass its signature mechanism.
Instead of re-signing tampered DLL's with a spoofed Microsoft signature key - 
surprisingly, it was found during this research that the modified DLL can be 
directly copied to the correct location at the file system, because the SN 
mechanism does not check the actual signature of a loaded DLL but blindly loads 
the DLL based on the directory name with the corresponding signature name!
It is important to mention that this technique does not requires "full trust" 
permissions, which further proves the fact that the GAC / CAS protection 
mechanisms are broken.

This paper also introduces ".Net-Sploit" - a new tool for building MSIL 
rootkits that will enable the user to inject preloaded/custom payload to the 
Framework core DLL.

You can find the detailed whitepaper, .NET-Sploit tool, source code, and the 
OWASP presentation at:
http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx

Prev by Date: Digital Armaments October-November Hacking Challenge: Linux Local Kernel Exploit (5,000$)
Next by Date: Re: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
Previous by thread: Digital Armaments October-November Hacking Challenge: Linux Local Kernel Exploit (5,000$)
Next by thread: [ MDVSA-2008:228 ] mozilla-firefox
Index(es):
- Date
- Thread