
Binary Planting - Attack Vectors

IMPORTANT: This project has fulfilled its life mission by drawing attention to a class of remotely exploitable vulnerabilities that was previously not well known - especially among developers, where it really counts. Hundreds of widely used products by leading software vendors have been fixed and are now less likely to become vulnerable again, and Microsoft has implemented changes in the behavior of Windows applications that, if employed, make attacks more difficult. We don't expect any significant developments to occur in this area any more and have thus closed the public section of this research. The web site will remain live to keep links from other sites working and because information provided here remains useful for those looking for vulnerabilities as well as those trying to avoid creating them.



One of the most practical ways to mount a Binary Planting attack is to lure the user to a remote shared folder (hosting enticing data files and one or more malicious binaries), ideally without triggering any security warnings. The table below shows the feasibility of various attack delivery methods and the number of security warnings each one triggers; the entries reading "no warning" are the methods that deliver the attack silently.
Note that there is nothing wrong with the way the listed applications behave, even when they issue no warnings: letting users open a remote share via a hyperlink is useful functionality and should not, by itself, pose any threat. The table therefore does not show flaws in individual applications; it shows the feasibility of delivering binary planting attacks through them.

(read the commentary on our blog)


Columns: Windows XP (67% of Windows installations*), Windows Vista (15.5%*) and Windows 7 (17.5%*). For Vista and Windows 7 the result is given with Internet Explorer Protected Mode (PM) on and off. The percentage after a browser name is that browser's market share*.

Attack vector (delivery method)                                    | Windows XP  | Vista, PM on | Vista, PM off | Win 7, PM on | Win 7, PM off
-------------------------------------------------------------------+-------------+--------------+---------------+--------------+--------------
Internet Explorer 6 (link on web page), 16%                        | no warning  | N/A          | N/A           | N/A          | N/A
Internet Explorer 7 (link on web page), 21%                        | no warning  | warning      | no warning    | N/A          | N/A
Internet Explorer 8 (link on web page), 28%                        | no warning  | warning      | no warning    | warning      | no warning
Mozilla Firefox (link on web page), 23%                            | not working | not working  | not working   | not working  | not working
Google Chrome (link on web page), 8%                               | not working | not working  | not working   | not working  | not working
Google Chrome (download clickjacking), 8%                          | no warning  | no warning   | no warning    | no warning   | no warning
Apple Safari (link on web page), 5%                                | not working | not working  | not working   | not working  | not working
Apple Safari (web page sent via e-mail, Safari default browser), 5%| no warning  | no warning   | no warning    | no warning   | no warning
Opera (link on web page), 2%                                       | not working | not working  | not working   | not working  | not working
Outlook Express (link in e-mail), IE default browser               | no warning  | warning      | no warning    | warning      | no warning
Outlook Express (link in e-mail), other default browser            | not working | not working  | not working   | not working  | not working
Outlook 2003 (link in e-mail)                                      | no warning  | not tested   | not tested    | not tested   | not tested
Outlook 2007 (link in e-mail)                                      | not tested  | no warning   | no warning    | no warning   | no warning
Outlook 2010 (link in e-mail)                                      | no warning  | not tested   | not tested    | not tested   | not tested
Windows Mail (link in e-mail)                                      | N/A         | no warning   | no warning    | N/A          | N/A
Windows Live Mail (link in e-mail)                                 | no warning  | no warning   | no warning    | no warning   | no warning
Mozilla Thunderbird (link in e-mail), IE default browser           | no warning  | warning      | no warning    | warning      | no warning
Mozilla Thunderbird (link in e-mail), other default browser        | not working | not working  | not working   | not working  | not working
Microsoft Word 2003 (link in DOC file)                             | no warning  | not tested   | not tested    | not tested   | not tested
Microsoft Word 2007 (link in DOC file)                             | not tested  | no warning   | no warning    | no warning   | no warning
Microsoft Word 2010 (link in DOC file)                             | warning     | not tested   | not tested    | not tested   | not tested
Microsoft Excel 2003 (link in XLS file)                            | no warning  | not tested   | not tested    | not tested   | not tested
Microsoft Excel 2007 (link in XLS file)                            | not tested  | no warning   | no warning    | no warning   | no warning
Microsoft Excel 2010 (link in XLS file)                            | warning     | not tested   | not tested    | not tested   | not tested
Adobe Reader (link in PDF file)                                    | warning     | two warnings | warning       | two warnings | warning
OpenOffice Writer (link in ODT file)                               | no warning  | no warning   | no warning    | no warning   | no warning
Skype (link in message)                                            | no warning  | no warning   | no warning    | no warning   | no warning
Windows Messenger (redirection link in message)                    | no warning  | not tested   | not tested    | not tested   | not tested
Windows Live Messenger (redirection link in message)               | no warning  | not tested   | not tested    | not tested   | not tested

* Market share data obtained from http://www.netapplications.com/ on September 20, 2010. O/S market shares were normalized for Windows versions only (i.e., if Windows XP represents 61% of all O/S, it represents 67% of all Windows O/S).


Key
  • "no warning" - the remote shared folder is opened without any warning displayed to the user
  • "warning" - the user must confirm one warning (in most cases the Protected Mode security warning) to get to the remote shared folder
  • "two warnings" - the user must first confirm Adobe Reader's warning and then the Protected Mode warning to get to the remote shared folder
  • "not working" - the remote shared folder is not opened in Windows Explorer, so the attack cannot be delivered this way
  • "not tested" - this combination was not tested
  • "N/A" - the product is not available on this platform
  • "(link on web page)" - the user browses to a web page on the Internet; the page either offers a link to a remote shared folder or automatically opens it
  • "(download clickjacking)" - the user is tricked into unwittingly downloading a malicious DLL, as shown and demonstrated by Aviv Raff
  • "(link in e-mail)" - the user gets an e-mail containing a hyperlink to a remote shared folder and clicks on it, which opens the remote shared folder
  • "(web page sent via e-mail, Safari default browser)" - the user gets an e-mail with an attached HTML document; opening the attachment in Safari, the default web browser, automatically opens a remote shared folder
  • "(link in ... file)" - the user gets a document file via e-mail or IM, or downloads it from a web site, then opens it and clicks on the link provided within
  • "(link in message)" - the user gets a message containing a hyperlink to a remote shared folder and clicks on it, which opens the remote shared folder
  • "(redirection link in message)" - the user gets a message containing a hyperlink to a web page; clicking on it opens the page in the default browser, and the page redirects to a remote shared folder
  • "(IE default browser)" - Internet Explorer is set as the default web browser
  • "(other default browser)" - Mozilla Firefox, Google Chrome, Apple Safari or Opera is set as the default web browser (we didn't test with any other browsers)
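What the delivery methods above have in common is a link to a remote share, in one of a few spellings (file://host/share, file:///\\host\share, a bare \\host\share UNC path, or a page that redirects to one of these). That is also what a mail gateway or web proxy can look for. The scanner below is an added example written for this page, not ACROS code and not part of the demonstrations: the three sample messages are constructed, the host names (evil.example.com, fileserver) are made up, and the list of suffixes considered internal is an assumption to be replaced with the organisation's own.

```python
import re
import ipaddress

# Link forms that the delivery methods in the table rely on: when a vulnerable
# client follows one, Windows Explorer opens the share and every binary in it
# becomes a candidate for planting.
#   file://host/share   file:///\\host\share   file://///host/share   \\host\share
FILE_URL_RE = re.compile(r'file:[/\\]{2,5}[^\s"\'<>]+', re.IGNORECASE)
UNC_RE = re.compile(r'(?<![\w\\])\\\\[A-Za-z0-9.\-]+\\[^\s"\'<>]*')
# <meta http-equiv="refresh" content="0; url=..."> is the auto-open variant
# ("the page either offers a link ... or automatically opens it").
META_REFRESH_RE = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*?'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE | re.DOTALL)

# Suffixes treated as the organisation's own network (assumption for this example).
INTERNAL_SUFFIXES = (".local", ".corp.example")


def share_host(link):
    """Host part of a file:// URL or UNC path; None for a local (drive-letter) path.
    IPv6 literals in brackets are not handled."""
    body = re.sub(r'^file:', '', link, flags=re.IGNORECASE)
    body = body.replace('\\', '/').lstrip('/')
    host = body.split('/', 1)[0]
    if not host or ':' in host or host.lower() == 'localhost':
        return None
    return host


def is_external(host, internal_suffixes=INTERNAL_SUFFIXES):
    """True if the share host is reachable only over the Internet, i.e. the link
    is the lure the table describes rather than an intranet share."""
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        pass
    h = host.lower().rstrip('.')
    if '.' not in h:                 # single-label NetBIOS/WINS name: LAN only
        return False
    return not h.endswith(tuple(internal_suffixes))


def find_share_lures(text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return one finding per remote-share link in a message or page body."""
    def clean(s):
        return s.rstrip('.,;)')

    redirects = {clean(m.group(1)) for m in META_REFRESH_RE.finditer(text)}
    findings = []

    def add(link, via):
        host = share_host(link)
        if host:
            findings.append({'link': link, 'host': host, 'via': via,
                             'external': is_external(host, internal_suffixes)})

    for m in FILE_URL_RE.finditer(text):
        link = clean(m.group(0))
        add(link, 'meta-refresh' if link in redirects else 'file-url')
    # Bare UNC paths, searched after file:// URLs have been blanked out so that
    # file:///\\host\share is not reported twice.
    for m in UNC_RE.finditer(FILE_URL_RE.sub(' ', text)):
        add(clean(m.group(0)), 'unc')
    return findings


# Constructed sample inputs (not real messages) covering three rows of the table.
SAMPLES = {
    # "(link in e-mail)": plain hyperlink to a share on the Internet
    "email": "Quarterly figures are in the shared folder: "
             "file://evil.example.com/reports/ - please review before Friday.",
    # "(redirection link in message)": the linked page auto-opens the share
    "html": ('<html><head><meta http-equiv="refresh" '
             'content="0; url=file:///\\\\evil.example.com\\docs\\"></head>'
             '<body>loading...</body></html>'),
    # intranet mail with a genuine LAN share and a local path: should not alert
    "benign": (r"Template is at \\fileserver\templates\ and a copy in "
               r"file:///C:/Users/Public/ for offline use."),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for f in find_share_lures(body):
            flag = "ALERT" if f['external'] else "ok   "
            print(f"{flag} {name:7} {f['via']:12} {f['host']:20} {f['link']}")
```

Run over mail bodies, HTML attachments and proxy responses, an "external" finding is exactly the silent vector the table documents: a share that only an attacker's server would host. Single-label names and private addresses are left as "ok" because blocking them would break legitimate intranet links, which, as the text notes, are not the problem.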



Demonstrations


(Notes: Any demonstration that results in Windows Explorer displaying the content of the remote shared folder can be used in an attack against your computer. It can take 15 seconds or more for Windows Explorer to open the remote shared folder after you click on a link.)


1) Internet Explorer: Link to remote shared folder

With Internet Explorer, click on the following link to open a remote share: REMOTE SHARE.

(Update: sometime between April 2011 and August 2011, Internet Explorer started blocking "file://" links from "http://" sites, so clicking on the above link no longer works in IE.)


2) All e-mail clients: E-mail with link to remote shared folder

Enter your e-mail address and click "Send". When you receive the e-mail, click on the provided link to open a remote share. (Note that this may depend on your default web browser or, in case you're using web mail, the browser you're using for this.)

3) All e-mail clients: E-mail with link to redirection to remote shared folder

Enter your e-mail address and click "Send". When you receive the e-mail, click on the provided link: it opens a web page that redirects to a remote share. (Note that this may depend on your default web browser or, in case you're using web mail, the browser you're using for this.)

4) Safari: Local HTML file with link to remote shared folder

Download binary_planting_sample_safari.html with Safari: right-click on this link and select "Download Linked File". When the file is downloaded, double-click it in the Downloads window: this opens the file in Safari, but from a local drive, which makes it possible for the HTML to redirect to a remote shared folder. To verify this in a realistic attack scenario, e-mail this file to yourself, then open it from the received e-mail with Safari as the default web browser.


5) Various documents containing links to remote shared folder

Download these files and open them on your computer, then click on the provided links to see if you're taken to the remote shared folder.


Notes on Protected Mode

Internet Explorer 7 and 8 provide additional protection against opening a remote shared folder through Protected Mode, which is enabled by default but only available on Windows Vista and Windows 7 (a 33% combined Windows market share). Clicking a link to a remote shared folder in IE7 or IE8 on Windows Vista or Windows 7 results in a security warning that the user has to confirm before Windows Explorer is launched to display the content of the remote share. There are exceptions, though, in which no such warning appears:
  • Protected Mode has been manually disabled;
  • Protected Mode is automatically turned off when Internet Explorer is run as administrator via the "Run as administrator" menu option;
  • Protected Mode is automatically turned off when User Account Control (UAC) is turned off;
  • the warning dialog has previously been turned off for launching Windows Explorer (this may be the case with users who regularly open shared folders from IE and have disabled this warning).


Notes on Internet Explorer

Internet Explorer 6 is only available on Windows XP and older Windows versions and has no Protected Mode. Clicking a link to a remote shared folder in IE6 launches Windows Explorer, which displays the content of the remote share; IE6 presents no security warning.

Internet Explorer 7 and 8 support Protected Mode on Windows Vista and Windows 7. Clicking a link to a remote shared folder in these browsers on Windows Vista or Windows 7 will in most cases result in a security warning that the user has to confirm before Windows Explorer is launched to display the content of the remote share.



Notes on Mozilla Firefox

Firefox allows the user to browse remote shared folders inside the browser, without using Windows Explorer. When the user clicks on a file, Firefox asks them to select an application to open the file with, or to save it. Even if an application is selected and launched, its current working directory is not set to the remote location, so it will not load remote binaries.



Notes on Google Chrome

Chrome allows the user to browse remote shared folders inside the browser, without using Windows Explorer. When the user clicks on a non-executable file, Chrome downloads it to the Downloads folder. Once downloaded, the file can be opened by clicking on it in the download bar, and the current working directory of the application opening it is set to the Downloads folder. This makes at least local binary planting possible, but the malicious binary must also be present in the Downloads folder: if the user is tricked into downloading the malicious binary before opening the data file, an attack can succeed. Chrome does, however, warn the user about downloading an executable file such as a DLL or an EXE.

Note that a proof of concept has been made using clickjacking for executing a DLL planting attack. Watch the video and try out the demo page with Chrome.
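The Firefox and Chrome notes above come down to one variable: the current working directory of the application that opens the data file, and where that directory sits in the DLL search order. The model below is an added example for this page, not ACROS code or a Windows API; it reproduces the documented search order for a bare DLL name (application directory, then the system directories, then the current working directory, then PATH when SafeDllSearchMode is on, with CWD moved up to second place when it is off) and ignores KnownDLLs, already-loaded modules, manifests and SetDllDirectory. The directory layout, the viewer application, the DLL name helper.dll and the share host evil.example.com are all assumptions made up for the example.

```python
from pathlib import PureWindowsPath

# Directory layout of a hypothetical target machine; all paths are assumptions
# made up for this example.
APP_DIR = r"C:\Program Files\Viewer"            # where the data-file viewer lives
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]  # %PATH% entries, searched last
DOWNLOADS = r"C:\Users\victim\Downloads"
REMOTE_SHARE = r"\\evil.example.com\share"


def dll_search_order(app_dir, cwd, system_dirs, path_dirs, safe_search=True):
    """Directories Windows searches, in order, when LoadLibrary is given a bare
    DLL name that is neither already loaded nor a KnownDLL.  With SafeDllSearchMode
    (the default since Windows XP SP2) the current working directory is searched
    after the system directories; with it disabled, CWD comes right after the
    application directory."""
    order = [app_dir]
    if not safe_search:
        order.append(cwd)
    order.extend(system_dirs)
    if safe_search:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def _norm(path):
    return str(PureWindowsPath(path)).lower()


def resolve_dll(name, order, present):
    """Return the first candidate path that exists in `present` (a set of paths
    standing in for the filesystem), or None if the DLL cannot be found at all."""
    present = {_norm(p) for p in present}
    for directory in order:
        candidate = PureWindowsPath(directory) / name
        if _norm(candidate) in present:
            return str(candidate)
    return None


def loaded_from(cwd, present, dll="helper.dll", safe_search=True):
    """Where the viewer ends up loading `dll` from when started with `cwd`."""
    order = dll_search_order(APP_DIR, cwd, SYSTEM_DIRS, PATH_DIRS, safe_search)
    return resolve_dll(dll, order, present)


if __name__ == "__main__":
    planted_remote = {REMOTE_SHARE + r"\helper.dll"}   # DLL planted on the share
    planted_local = {DOWNLOADS + r"\helper.dll"}       # DLL tricked into Downloads
    # Windows Explorer opens the data file from the share: CWD is the share.
    print("Explorer, file on share        :", loaded_from(REMOTE_SHARE, planted_remote))
    # Firefox hands the file to the viewer without changing CWD to the share.
    print("Firefox, CWD stays local       :", loaded_from(r"C:\Users\victim", planted_remote))
    # Chrome opens the downloaded copy with CWD = Downloads.
    print("Chrome, CWD = Downloads        :", loaded_from(DOWNLOADS, planted_local))
    # A DLL that also exists in System32 is safe with SafeDllSearchMode on...
    both = planted_local | {r"C:\Windows\System32\helper.dll"}
    print("DLL also in System32, safe     :", loaded_from(DOWNLOADS, both))
    # ...but not with it off, because CWD is then searched before System32.
    print("DLL also in System32, unsafe   :", loaded_from(DOWNLOADS, both, safe_search=False))
```

The last two cases are the caveat worth remembering when reading the table: a planted DLL only wins under the default search mode when the application asks for a DLL that does not exist in its own directory or in the system directories, which is why the attacks documented here target missing or optional libraries rather than well-known system DLLs.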



Notes on Apple Safari

Safari offers limited support for opening hyperlinks to remote shared folders, although there is little official documentation available. Our tests show that the latest Safari version (5.0.2) is willing to open a remote shared folder in Windows Explorer if the originating web page comes from a local drive, while a remote web page fails to do the same. This opens up an opportunity for e-mail based attack, where the attacker attaches an HTML file to her message, and opening this attached HTML file opens its temporary local copy in Safari. Since this is a local HTML file, it can redirect to a remote shared folder.



Notes on Outlook Express

Outlook Express is only available on Windows XP and older Windows versions. It provides clickable hyperlinks in the e-mail messages it displays; clicking a link to a remote shared folder in a received e-mail opens the link in the default web browser. If the default browser is Internet Explorer, it automatically launches Windows Explorer and displays the content of the remote share (possibly after a Protected Mode security warning, depending on the versions of both Internet Explorer and Windows); if the default browser is Firefox, Chrome, Safari or Opera, Windows Explorer is not launched. This makes the scenario exactly as feasible as clicking a link to a remote shared folder in Internet Explorer itself.



Notes on Microsoft Outlook

All tested Outlook versions (2003, 2007 and 2010) provide clickable hyperlinks in e-mail messages they display. Clicking a link to a remote shared folder in a received e-mail will launch Windows Explorer and display the content of the remote share. This works regardless of your default web browser setting.



Notes on Windows Mail

Windows Mail only exists on Windows Vista. It provides clickable hyperlinks in e-mail messages it displays. Clicking a link to a remote shared folder in a received e-mail will launch Windows Explorer and display the content of the remote share. This works regardless of your default web browser setting.



Notes on Windows Live Mail

Windows Live Mail provides clickable hyperlinks in e-mail messages it displays. Clicking a link to a remote shared folder in a received e-mail will launch Windows Explorer and display the content of the remote share. This works regardless of your default web browser setting.



Notes on Mozilla Thunderbird

Mozilla Thunderbird provides clickable hyperlinks in the e-mail messages it displays. Clicking a link opens it in the default web browser. If the default web browser is Internet Explorer, clicking a link to a remote shared folder launches Windows Explorer and displays the shared folder's content (Internet Explorer might additionally display a security warning due to Protected Mode). If the default browser is Firefox, Chrome, Opera or Safari, the remote shared folder is not opened. We assume most Thunderbird users don't have Internet Explorer as their default web browser.



Notes on Microsoft Word and Excel

Microsoft Word and Excel provide clickable hyperlinks in the documents. Clicking a link to a remote shared folder in Excel or Ctrl-clicking it in Word will launch Windows Explorer and display the content of the remote share. This works regardless of your default web browser setting. Word 2010 and Excel 2010, however, display documents originating from the Internet or received via email (with Outlook) in the Protected View; opening any hyperlink in this view requires the user to confirm a security warning.