Re: [Full-disclosure] verizon vs m$

[Ven Ted <v3nt3d@xxxxxxxxxxxxxx>]

>From the white paper:

Once the initial remote exploit has been used to execute arbitrary code at
low integrity on the client, the payload can create a web server listening
on any port on the loopback interface, even as a limited user at low
integrity. The web server should be able to serve-up the original exploit
that allowed remote exploitation in the first instance. Since the exploit
will now be launched from the same machine, exploitation can be made
significantly more reliable as Address Space Layout Randomisation (ASLR) is
no longer effective and other exploitation techniques can be used with
higher probabilities of success.

The browser can be instructed to navigate to this new malicious web server
using the IELaunchUrl() function, which is callable from low integrity as
part of the Protected Mode API. This will cause a new tab to be launched
which will navigate to "http://localhost/exploit.html"; or similar.

The new malicious web page will be rendered in the Local Intranet Zone and
the rendering process will now be executing at medium integrity. By
exploiting the same vulnerability a second time, arbitrary code execution
can now be achieved as the same user at medium integrity. This provides full
access to the user’s account and allows malware to be persisted on the
client, something which was not possible from low integrity whilst in
Protected Mode.


On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God)
<thor@xxxxxxxxxxxxxxx>wrote:

> I don't understand how Dan arrived at "Researchers bypass Internet Explorer
> Protected Mode" for the article title.  Protected Mode isn't being bypassed
> at all - the "researchers that figured out a reliable way to bypass the
> measure" apparently just noticed that Protected Mode is disabled by default
> in the Local Intranet Zone.
>
> Is this something you are concerned about?  This would obviously only be
> exploitable by accessing sites on one's own intranet by specifically using
> intranet nomenclature (and trusted sites, but the user has to add those).
>  Also, the article (or the researchers) are incorrect about the default
> settings for the Intranet zone - it's Medium-low, not Medium.   If the
> problem one is trying to fix is based on attackers compromising intranet
> sites and then posting code for unpatched vulnerabilities that would still
> end up only running in the user context, then you've got much bigger
> problems, no?
>
> I'm just wondering why you are brining attention to the article, or really,
> why it was written in the first place.
>
> t
>
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:
> full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Georgi Guninski
> Sent: Sunday, December 05, 2010 1:26 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] verizon vs m$
>
> in a world like this, verizon kills exploder bugs:
>
> http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
>
> http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
>
> the language doesn't seem passionate:
> -----
> Finally, Microsoft and other software vendors should clearly document which
> features do and do not have associated security claims. Clearly stating
> which features make security claims, and which do not, will allow informed
> decisions to be made on IT security issues.
> -----
>
> lol
>
> --
> joro
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/