Recon2012 - PREVIEW

Recon 2012

Igor Glücksmann
Day 1 - 2012-06-14
Room Grand Salon
Start time 13:00
Duration 01:00
ID 246

Injecting custom payload into signed Windows executables

Analysis of the CVE-2012-0151 vulnerability

A valid signature of a PE executable file doesn't always guarantee that the file hasn't been tampered with. The talk will explain the problem, show the vulnerable targets as well as their possible modifications, and discuss available fixes.

Digital signing of executable modules has become a de facto standard in mainstream software products on Microsoft Windows. A file's digital signature confirms that the file has really been created by the signer and its content has not been tampered with by any third party. The signature implies a certain level of trust - if you trust the company that created the file, you trust the file itself.

However, we discovered a way to modify certain classes of signed executables while keeping their digital signatures valid. It means that we can take a trusted signed application and inject our own payload that gets executed or installed when this application is run; this modified executable is still correctly signed by the original signer.

We have reported this vulnerability to Microsoft (CVE-2012-0151) and they released a fix in April 2012. However, since the issue is not just a bug in Windows code, but also a design feature combined with bugs in third-party applications, the fix does not cover 100% of possible cases.

In my talk, I would like to present the technical aspects of the problem. I will describe how a signed executable can be modified, what the suitable/vulnerable candidates are, and what the released hotfix actually does. I will offer some advice for software developers on how to avoid creating applications which are vulnerable to this type of attack.
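A defender-side check that follows from the abstract above, added here as an example; it is not code from the talk, from the speaker or from Microsoft. It relies on the publicly documented PE and Authenticode layout: the Authenticode hash skips the optional header's CheckSum field, the security data-directory entry and the attribute certificate table itself, so bytes inside that table that lie beyond the DER-encoded PKCS#7 SignedData blob are not covered by the signature. The script locates the certificate table, measures the DER blob and reports how many trailing bytes remain; up to seven are expected alignment padding, more is data no signature check has verified. The minimal PE image, the stand-in signature blob and the marker string are constructed for the example; the function and constant names are the example's own, and for real files the PKCS#7 contents would still have to be verified with the platform's Authenticode API.

```python
"""Report bytes in a PE file's certificate table that an Authenticode
signature does not cover.  Added example for this page (not the talk's or
Microsoft's code); assumes the documented PE/WIN_CERTIFICATE layout."""
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def der_total_length(buf, off=0):
    """Return tag + length + content size of the DER TLV at buf[off], or None
    if it is not a well-formed SEQUENCE header (PKCS#7 ContentInfo is one)."""
    if off + 2 > len(buf) or buf[off] != 0x30:
        return None
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None
    content = int.from_bytes(buf[off + 2: off + 2 + n], "big")
    return 2 + n + content


def check_certificate_table(data):
    """Parse the PE headers, inspect the first WIN_CERTIFICATE entry and
    return a dict describing the blob and any unverified trailing bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                  # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                         # PE32
        dirs_off = opt_off + 96
    elif magic == 0x20B:                       # PE32+
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_va, sec_size = struct.unpack_from("<II", data,
                                          dirs_off + 8 * SECURITY_DIR_INDEX)
    if sec_va == 0 or sec_size == 0:
        return {"signed": False, "verdict": "unsigned"}
    # For this directory VirtualAddress is a raw file offset, not an RVA.
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, sec_va)
    if dw_length < 8 or dw_length > sec_size or sec_va + dw_length > len(data):
        return {"signed": True, "verdict": "malformed certificate table"}
    blob = data[sec_va + 8: sec_va + dw_length]
    der_len = der_total_length(blob)
    if der_len is None or der_len > len(blob):
        return {"signed": True, "verdict": "malformed PKCS#7 blob"}
    trailing = len(blob) - der_len
    # dwLength is rounded up to a multiple of 8, so 0..7 padding bytes are
    # normal; anything beyond that is content the signature never covered.
    verdict = "ok" if trailing < 8 else "unverified data in certificate table"
    return {"signed": True, "table_offset": sec_va, "table_size": sec_size,
            "cert_type": cert_type, "der_length": der_len,
            "trailing_bytes": trailing, "verdict": verdict}


def build_constructed_pe(cert_payload):
    """Build a minimal PE32 image (not runnable, no sections) whose
    certificate table holds cert_payload.  Constructed only so the checker
    can be exercised offline; it is not a real signed binary."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94     # fields up to the directories
    table_off = pe_off + 4 + 20 + 224
    dw_length = 8 + len(cert_payload)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR_INDEX] = (table_off, dw_length)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    # revision WIN_CERT_REVISION_2_0, type WIN_CERT_TYPE_PKCS_SIGNED_DATA
    cert = struct.pack("<IHH", dw_length, 0x200, 0x2) + cert_payload
    return dos + b"PE\0\0" + coff + opt + cert


# Constructed stand-in for a DER SignedData blob: one SEQUENCE holding 256
# zero bytes (260 bytes in total).  A real signature is larger but has the
# same outer shape.
FAKE_SIGNATURE = b"\x30\x82\x01\x00" + b"\x00" * 256
CLEAN_TABLE = FAKE_SIGNATURE + b"\x00" * 4                    # alignment padding only
TAMPERED_TABLE = CLEAN_TABLE + b"CONSTRUCTED-PAYLOAD-MARKER-01234"  # 32 unverified bytes


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_certificate_table(fh.read()))
    else:
        print(check_certificate_table(build_constructed_pe(CLEAN_TABLE)))
        print(check_certificate_table(build_constructed_pe(TAMPERED_TABLE)))
```

Run it with a path to inspect a real file, or without arguments to see the clean and tampered constructed images side by side. Only the first WIN_CERTIFICATE entry is examined, which is the common single-signature case; a table with several entries would need the same measurement repeated for each 8-byte-aligned entry.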