Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / New Users / October 2006

Tip: Looking for answers? Try searching our database.

Why tampered Strong name assembly continue to work?

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Leon - 16 Oct 2006 13:55 GMT
Hi,

I am always of the belief that once a strong name assembly is built, you
cannot modify it without invoking the verification failure on loading.

But the other day, a colleague of mine in the midst of getting something
done with the managed Directx library, Microsoft.DirectX.dll version
9.12.589.0, accidentally tripped the time bomb as Microsoft no longer
supporting this.

He could not stop what he was doing and found with the help of Lutz
Reflector the function
Microsoft.DirectX.InternalHelper.CheckTimeBomb()

and he changed the year using a binary editor from 2006 to 2518.

He ran his application and did not receive any TimeBombException and
obviously his hacked code works. But it begs the question how a strong name
assembly could be hacked in this manner without tripping the verification
check?

I ran sn -vf on the command line for the Microsoft.DirectX.dll and it failed
the verification. Here is the disassembled code of the function to show the
change:
.method public hidebysig static void CheckTimeBomb() cil managed
{
  .maxstack 4
  .locals (
     [0] [mscorlib]System.DateTime time1)
  L_0000: ldloca.s time1
  L_0002: ldc.i4 2518
  L_0007: ldc.i4.s 10
  L_0009: ldc.i4.5
  L_000a: call instance void [mscorlib]System.DateTime::.ctor(int32, int32,
int32)
....
}

Is this a security slip up? On a small demo I developed, any tampering of a
strong name assembly would fail the verification.

Any one has any idea why this works?

Thanks.

Leon
Reply to this Message
Andy - 16 Oct 2006 15:51 GMT
Is the assembly in the GAC?  I think that its only checked when the
assembly is copied into the GAC, but after that its assumed that the
assembly is fine.

Try this with your own assembly.

Andy

> Hi,
>
[quoted text clipped - 42 lines]
>
> Leon
Reply to this Message
Scott M. - 16 Oct 2006 17:54 GMT
Strong Name alone doesn't do it.  GAC registration is needed.

> Hi,
>
[quoted text clipped - 47 lines]
>
> Leon
Reply to this Message
Carl Daniel [VC++ MVP] - 16 Oct 2006 19:30 GMT
> Strong Name alone doesn't do it.  GAC registration is needed.

You've got it backwards.  Loading of an assembly from the GAC doesn't do
strong-name verification, while loading an assembly from anywhere else does.
If you modify the binary copy of an assembly in the GAC, strong-name
verification won't detect it.

See

http://msdn.microsoft.com/msdnmag/issues/06/07/CLRInsideOut/default.aspx

for a recent article on the subject.

-cd
Reply to this Message
Leon - 17 Oct 2006 01:19 GMT
Thanks for the information. It all makes good sense now.

Leon

> > Strong Name alone doesn't do it.  GAC registration is needed.
>
[quoted text clipped - 10 lines]
>
> -cd
Reply to this Message
Scott M. - 17 Oct 2006 01:57 GMT
I didn't say it did.  What I said was that you need a strong name to do a
GAC registration and the GAC registration is what will cause tampering to be
prevented.

>> Strong Name alone doesn't do it.  GAC registration is needed.
>
[quoted text clipped - 10 lines]
>
> -cd
Reply to this Message
Leon - 17 Oct 2006 04:20 GMT
If you use GacUtil.exe to install it into GAC, it prevents tampered strong
name assembly from installation.

But if you install a untampered one first, use dir /b /s in cmd to find the
directory of the strong name assembly and then use cmd's Copy to replace it
with the tampered one, it is as good as real one!!

Of course you need admin privilege to do all this replacement and
installation. In an LUA arrangement, the user is denies such privilege
operation.

Leon

> I didn't say it did.  What I said was that you need a strong name to do a
> GAC registration and the GAC registration is what will cause tampering to be
[quoted text clipped - 14 lines]
> >
> > -cd
Reply to this Message
Scott M. - 17 Oct 2006 04:28 GMT
> Of course you need admin privilege to do all this replacement and
> installation. In an LUA arrangement, the user is denies such privilege
> operation.

And thus, my point.
Reply to this Message
Leon - 17 Oct 2006 04:36 GMT
> Of course you need admin privilege to do all this replacement and
> installation. In an LUA arrangement, the user is denies such privilege
> operation.
>
>And thus, my point.
The sad part is that the majority of Win2K/XP users are operating with the
security turned off - including many developers - by running in Admin
account. All my machines, including my development machines, operate in LUA
and I am safe from this kind of hacking.

Have to wait for Vista!

Leon

> > Of course you need admin privilege to do all this replacement and
> > installation. In an LUA arrangement, the user is denies such privilege
> > operation.
>
> And thus, my point.
Reply to this Message

 Rate this thread:







Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.