Microsoft .NET Framework strong name (SN) implementation cryptographic issue vulnerability

Vulnerability ID: 1184626    Vulnerability type: Cryptographic issue
Published: 2008-11-17    Updated: 2008-11-17
CVE number: CVE-2008-5100    CNNVD-ID: CNNVD-200811-251
Affected platform: N/A    CVSS score: 10.0
|Vulnerability sources
https://www.securityfocus.com/bid/84743
https://cxsecurity.com/issue/WLB-2008110117
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200811-251
|Vulnerability details
Microsoft .NET Framework is a software framework that runs on computers with the Microsoft Windows operating system. It includes a management framework comprising a common coding solution and a virtual machine, together with a large runtime library for writing specific programs. The strong name (SN) implementation in Microsoft .NET Framework relies on the public-key digital signature of a DLL file's pathname rather than of the DLL file itself, which makes it easier for attackers to bypass the global assembly cache (GAC) and code access security (CAS) protection mechanisms, aka MSRC ticket MSRC8566gs.
|Vulnerability EXP

Paper Name
===========

.NET Framework Rootkits - Backdoors inside your Framework 
Author: Erez Metula


Paper Description
=================

The paper introduces a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core.
It covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.

Paper Summary
============

Framework modification can be achieved by tampering with a Framework DLL and "pushing" it back into the Framework.
The process is composed of several steps, described thoroughly at the corresponding whitepaper.
It also exposes a flaw in the manner in which a .NET Framework DLL is loaded, and how it is possible to bypass its signature mechanism.
Instead of re-signing tampered DLLs with a spoofed Microsoft signature key - surprisingly, it was found during this research that the modified DLL can be directly copied to the correct location at the file system, because the SN mechanism does not check the actual signature of a loaded DLL but blindly loads the DLL based on the directory name with the corresponding signature name!
It is important to mention that this technique does not require "full trust" permissions, which further proves the fact that the GAC / CAS protection mechanisms are broken.

This paper also introduces ".Net-Sploit" - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.

You can find the detailed whitepaper, .NET-Sploit tool, source code, and the OWASP presentation at:
http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx
|Affected products
Microsoft .NET Framework 2.0.50727
|References

Source: BUGTRAQ
Name: 20081113 New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework
Link: http://www.securityfocus.com/archive/1/archive/1/498311/100/0/threaded
Source: MISC
Link: http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=ycIS1bewMBI%3d&tabid=161&mid=555
Source: MISC
Link: http://www.applicationsecurity.co.il/.NET-Framework-Rootkits.aspx
Source: SREASON
Name: 4605
Link: http://securityreason.com/securityalert/4605