Detailed examples of two vulnerabilities in whitelisting software: SE46 (Cryptzone) and Application Control (McAfee) Jan 10 2013 01:45PM
Arne Vidström (arne vidstrom foi se)
Hi all,

The following vulnerabilities have not been reported at Bugtraq before, and unfortunately they seem to be largely unknown in public even though they are about a year old by now. They have both been patched by the vendors after I discovered them and reported it. It appears to be very hard (or perhaps impossible) to find anything about it at the vendors web sites though. Therefore I cannot tell you exactly which versions are patched and which ones are not, but any version released in 2012 should be ok. Since there haven't been many vulnerabilities reported in whitelisting software yet I thought it might be interesting for you with these two illustrative detailed examples:

The vulnerability in SE46 from Cryptzone:

"An EXE file starts with the letters 'MZ'. The first thing SE46 does is to look at these two bytes. If they are present it goes on to check for other things, like the PE header. If they are not present it takes a look at the extension of the file. If the extension is not BAT, CMD, COM or EXE it lets the file through for execution by Windows. How can we take advantage of this implementation? One way is if we have a file with native x86 code that does not start with the letters 'MZ' and does not have one of the four extensions. There is a kind of executable file that does not start with 'MZ' since it is completely headerless. It is the 16-bit COM file from MS-DOS. We can assemble any 16-bit COM file we wish and try to execute it. It will pass through the file header check, but it will be caught at the file extension check. All we need to do now is find an extension that Windows accepts as executable but which is not in the SE46 shortlist. PIF (Program Information File) is such an extension. Now we can run any 16-bit COM file just as long as we make sure it has a PIF extension. We can even let our executable rename a few core components of SE46 if we are running on a sufficiently privileged account. After the next reboot SE46 is no longer active on the computer and we can execute any file we wish without a single restriction."

The vulnerability in Application Control from McAfee:

"Application Control first of all checks if the file has a valid header, including the PE header, or not. If the header is not valid the file is let through to Windows for execution, presumably because it is assumed to be non-executable. This time, remember that the location of the PE header is specified at position 3Ch (hexadecimal) in an EXE file. The location is specified by a four byte long value, so that the positions 3Ch, 3Dh, 3Eh and 3Fh are used for this purpose. Now we create a file that is so small that it is missing the position 3Fh. This means that the file is really too small to be a PE-style file. Next, we set the legacy EXE header size to zero. Now it looks like the file is missing a legacy EXE header too. However, there is still the problem that the file ends with the extension EXE, so instead we change it to SCR (screensaver). If we execute such a file in Windows, without Application Control installed, it will execute despite all these problems. It will look like a legacy EXE file to Windows, and the execution will start from the very beginning of the file, with the letters 'MZ'. Fortunately these letters are in fact executable too, because when interpreted as machine code instead of as text, they mean something at least remotely comprehensible to the CPU. Next, the execution continues with the other items in the header. If we pick the right values for these we can make sure that the values are on the one hand executable, and on the other hand mean something as header values too. We also have more space following this, to the end of the file, where we can insert any code we like without worrying about what it means value-vise. Now we have a file which executes as a 16-bit legacy EXE file in Windows. If we run it in a system protected by Application Control it will execute whether it is in the whitelist database or not. Application Control finds the file invalid and simply passes it on to Windows for execution."

As I wrote in the beginning of the mail, both vulnerabilities have already been patched by the vendors.

Arne Vidström
Swedish Defence Research Agency (FOI)

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus