
Today’s Microsoft September Patch Tuesday includes a patch that Microsoft has tagged as a fix for Microsoft Office. Behind the scenes, however, that fix extends beyond Microsoft Office to hundreds of applications developed by Microsoft as well as by hundreds of other software vendors. Accordingly, this fix affects millions of users – from those running Office to those running virtualization programs and security tools.

We notified Microsoft of this vulnerability 6 months ago. Accompanying today’s patch, we are now releasing a public tool that tests whether applications relying on Detours have been updated to include the latest fix.

Vulnerability Background

The vulnerability behind Microsoft’s Office fix, MS-2016-0137, lies in Microsoft’s commercial hooking engine named Detours.

“Hooking” techniques enable products to monitor and/or change the behavior of operating system functions. That is why hooking is used by products that perform virtualization, sandboxing and performance monitoring, and why it is particularly critical to the functioning of security products.

Vulnerabilities in hooking techniques may allow an attacker to easily bypass the operating system’s and 3rd-party exploit mitigations. This means an attacker may be able to easily leverage and exploit vulnerabilities that would otherwise be very difficult, or even impossible, to weaponize. Such flaws may even allow the attacker to stay undetected on the victim’s machine or to inject code into any process in the system.

Impacted Products

Implementing a hooking technique is quite complex, so many programs, instead of developing their own hooking mechanism, integrate a 3rd-party hooking engine. Microsoft Detours is one such engine. In fact, it is the most popular hooking engine; to quote Microsoft: “Under commercial release for over 10 years, Detours is licensed by over 100 ISVs [independent software vendors] and used within nearly every product team at Microsoft.”

So while Microsoft’s official statement describes a fix for Microsoft Office, it follows that potentially hundreds of other, non-Microsoft applications are vulnerable given their reliance on Microsoft’s engine.

Given the lengthy process from the time of notification to the Microsoft patch release, we can imagine that Microsoft worked with its Detours customers so that they could incorporate updated Detours versions. On the customer side, once a fixed Detours version was available, it typically required re-compiling the product and delivering that updated product to their own customers.

FindADetour

Given the widespread usage of Detours across various applications and products, we created a tool, FindADetour, which tests whether applications on your device are vulnerable to MS-2016-0137.

FindADetour scans your system for applications/products that are vulnerable because they rely on an unfixed Microsoft Detours.

You can download FindADetour from our GitHub repository - https://github.com/BreakingMalwareResearch/Captain-Hook

Running FindADetour

To use the tool, simply double-click the executable and wait while it scans the system.

Note that the tool scans only running processes, so make sure to run it while applications such as Office, browsers, security tools, application monitoring tools, gaming applications, and any others you are suspicious of are open.

For best results, make sure you run the tool as "Administrator".

The scan may take some time, but it can be stopped mid-way with Ctrl+C. Whether the scan completes or is stopped manually, you will receive output similar to the below, which lists suspected vulnerable applications. In the table below, the tool displayed several vulnerable Office applications:

[Figure: FindADetour results table listing several vulnerable Office applications]

Under the Hood of FindADetour

The tool guesses which product relies on Detours (by tracing Detours’ hooks), and then tests whether that product uses the unpatched Detours version.

Returning to the example displayed above, the flaw resides in appvisvsubsystem32.dll, a DLL that the App-V application (Microsoft's Virtual Application) injects into Office.
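As an added illustration of the "tracing Detours’ hooks" step (example code written for this post, not code from the FindADetour tool or from Microsoft), the following follows the jump chain from a hooked function’s entry point to the image it lands in, which is how a "Suspicious DLL" is attributed. The module list, the memory reader and all addresses are constructed, and the reader stands in for ReadProcessMemory.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple
Module = Tuple[str, int, int]  # (image name, base address, image size) from the loaded-module list
def find_module(addr: int, modules: List[Module]) -> Optional[Module]:
    # Map an address to the loaded image containing it; None means anonymous memory.
    return next((m for m in modules if m[1] <= addr < m[1] + m[2]), None)
def decode_jump(addr: int, read: Callable[[int, int], bytes]) -> Optional[int]:
    # Decode the jump at addr, if any. Detours overwrites a hooked function's first bytes with a
    # 5-byte 'jmp rel32' (E9); on x64 that usually reaches a nearby trampoline whose 'jmp [rip+0]'
    # (FF 25) holds the detour's absolute address, so both forms are followed.
    code = read(addr, 6)
    if code[0] == 0xE9:
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFFFFFFFFFF
    if code[:2] == b"\xff\x25":
        slot = (addr + 6 + struct.unpack_from("<i", code, 2)[0]) & 0xFFFFFFFFFFFFFFFF
        return struct.unpack("<Q", read(slot, 8))[0]
    return None
def trace_hook(func_addr: int, read, modules: List[Module], max_hops: int = 4) -> Optional[str]:
    # Follow the jump chain from a function's entry. Returns the image the chain ends in when
    # execution leaves the function's own image (the "Suspicious DLL"), "<anonymous memory>"
    # if it ends in no image at all, and None if the function is not hooked.
    home, addr = find_module(func_addr, modules), func_addr
    for _ in range(max_hops):
        nxt = decode_jump(addr, read)
        if nxt is None:
            break
        addr = nxt
    owner = find_module(addr, modules)
    if addr == func_addr or owner == home:
        return None  # no jump, or a jump that stays inside the image (an ordinary thunk)
    return owner[0] if owner else "<anonymous memory>"
def make_reader(chunks: Dict[int, bytes]) -> Callable[[int, int], bytes]:
    # Constructed stand-in for ReadProcessMemory: serve bytes from {address: bytes} chunks
    # and int3 filler (CC) for anything that is not mapped.
    def read(addr: int, n: int) -> bytes:
        for start, data in chunks.items():
            if start <= addr and addr + n <= start + len(data):
                return data[addr - start:addr - start + n]
        return b"\xcc" * n
    return read
def demo() -> Dict[str, Optional[str]]:
    # Constructed scenario: one API in a system DLL is patched to jump to a trampoline that
    # chains into appvisvsubsystem32.dll (the DLL named in the post); a second API is clean.
    mods = [("kernel32.dll", 0x7FF800000000, 0x100000), ("appvisvsubsystem32.dll", 0x7FF900000000, 0x80000)]
    hooked, clean, tramp, detour = 0x7FF800001000, 0x7FF800002000, 0x7FF800200000, 0x7FF900003000
    mem = {hooked: b"\xe9" + struct.pack("<i", tramp - (hooked + 5)) + b"\xcc" * 3,
           clean: b"\x48\x89\x5c\x24\x08\x57\x48\x83",  # mov [rsp+8], rbx; push rdi; sub ...
           tramp: b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", detour)}
    read = make_reader(mem)
    return {"hooked": trace_hook(hooked, read, mods), "clean": trace_hook(clean, read, mods)}
```

Whether the owning DLL carries a fixed or unfixed Detours build is a separate check that this snippet does not attempt; it only shows the attribution step.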

Recommended Next Steps

Typically, the name under "Suspicious DLL" indicates the vulnerable product relying on an unfixed Detours engine. If such a vulnerable application is found in your environment, we urge you to contact the affected vendor and demand a fix.

Other Hooking Vulnerabilities

Over the past year and a half we have revealed hooking vulnerabilities in more than 20 security applications.

A summary of the findings, as well as details behind the vulnerability, appears in a previous blog post: http://blog.ensilo.com/intrusive-applications-6-security-to-watch-out-for-in-hooking

Additionally, we took a deep dive into our findings on hooking vulnerabilities at the latest Black Hat. The accompanying slide deck can be found here and the research paper on GitHub.
