
Re: [Full-disclosure] verizon vs m$



Hi -

Yes, the whitepaper says that.  But it fails to mention that the code to create
a web service on the machine is initially launched from the Internet Zone, which
is already in Protected Mode with Medium-High security options enabled by
default.  Exactly how does this code get executed?  By popping some existing
unpatched vulnerability?  To execute the code to run the web server from the
existing vulnerability would require the code to run in the context of the
local user anyway - leveraging an existing vulnerability in order to
subsequently launch a second process from the Local Intranet zone in order to
get THAT process to run in the context of the local user is an unnecessary and
redundant process.  The subsequent malware they refer to that would "persist"
on the box would, in most cases, require the user to be a local admin; well,
for it to do anything of value anyway.  Yes, I am fully aware that some malware
can be run as a normal user, but that is very rare.

Irrespective of that fact, this entire "vector" can be very easily described as
"if you have an unpatched vulnerability on your system that is possible to
exploit in Protected Mode with Medium-High security settings on your browser,
then code can be run in the context of the local user."  I consider this a
painfully obvious point, and continue to question its relevance in a business
whitepaper, as well as why it is being discussed within the context of
something that "bypasses Protected Mode" when you have to bypass Protected
Mode in the first place to run the code that bypasses Protected Mode.

Guninski knows all this, or should know all this, so I'm wondering what his 
purpose was in referencing something with such a skewed and hyperbolic basis.  
As I normally pay attention to technical issues he presents, I'm confused as to 
what I'm missing, or if he just had a bad day or something.

t
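The whole argument below turns on two per-zone Internet Explorer settings: whether Protected Mode is on for a zone, and which security level the zone uses (Thor's "Medium-low, not Medium" point about the Intranet zone). As an added example, not code from the thread or from the Verizon whitepaper, the following PowerShell audit reads both settings from the per-user registry so an administrator can verify what their own machines actually have. It assumes the zone subkeys 0-4 under `Internet Settings\Zones`, the `2500` DWORD as the Protected Mode switch (0 = on, 3 = off) and the `CurrentLevel` DWORD as the security template.

```powershell
# Added example, not code from the thread or the whitepaper.
# Audits IE URL security zones for the two settings the discussion hinges on:
# Protected Mode (value "2500": 0 = on, 3 = off) and the zone's security
# template ("CurrentLevel"). Both mappings are assumptions taken from the
# documented zone registry layout; absent values mean the default applies.
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';    4 = 'Restricted Sites'
}
$Levels = @{
    0x10000 = 'Low';         0x10500 = 'Medium-Low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-High'; 0x12000 = 'High'
}

function Get-IEZoneProtectedMode {
    param([string]$Hive = 'HKCU')   # HKCU = this user; HKLM = machine-wide
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key = Get-ItemProperty -Path "$base\$zone" -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        # Value names are numeric strings, so read them via the property bag.
        $pm  = $key.PSObject.Properties['2500'].Value
        $lvl = $key.PSObject.Properties['CurrentLevel'].Value

        $pmText = switch ($pm) {
            0       { 'On' }
            3       { 'Off' }
            default { 'Not set (default applies)' }
        }
        $lvlText = if ($null -eq $lvl) { 'Not set' }
                   elseif ($Levels.ContainsKey([int]$lvl)) { $Levels[[int]$lvl] }
                   else { 'Custom (0x{0:X})' -f $lvl }

        # Flag the case the thread describes: a zone whose pages render
        # outside Protected Mode, i.e. at medium rather than low integrity.
        $finding = if ($zone -in 1, 2 -and $pm -ne 0) {
            'Content from this zone renders outside Protected Mode'
        } else { '' }

        [pscustomobject]@{
            Zone          = $ZoneNames[$zone]
            ProtectedMode = $pmText
            Level         = $lvlText
            Finding       = $finding
        }
    }
}

Get-IEZoneProtectedMode | Format-Table -AutoSize
```

Run it with `-Hive HKLM` as well when the machine is configured so that HKLM zone settings take precedence over the user's, otherwise the per-user view is the effective one.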

From: Ven Ted [mailto:v3nt3d@xxxxxxxxxxxxxx]
Sent: Monday, December 06, 2010 11:28 AM
To: Thor (Hammer of God)
Cc: Georgi Guninski; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] verizon vs m$

From the white paper:

Once the initial remote exploit has been used to execute arbitrary code at low 
integrity on the client, the payload can create a web server listening on any 
port on the loopback interface, even as a limited user at low integrity. The 
web server should be able to serve-up the original exploit that allowed remote 
exploitation in the first instance. Since the exploit will now be launched from 
the same machine, exploitation can be made significantly more reliable as 
Address Space Layout Randomisation (ASLR) is no longer effective and other 
exploitation techniques can be used with higher probabilities of success.

The browser can be instructed to navigate to this new malicious web server 
using the IELaunchUrl() function, which is callable from low integrity as part 
of the Protected Mode API. This will cause a new tab to be launched which will 
navigate to "http://localhost/exploit.html" or similar.

The new malicious web page will be rendered in the Local Intranet Zone and the 
rendering process will now be executing at medium integrity. By exploiting the 
same vulnerability a second time, arbitrary code execution can now be achieved 
as the same user at medium integrity. This provides full access to the user's 
account and allows malware to be persisted on the client, something which was 
not possible from low integrity whilst in Protected Mode.


On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:
I don't understand how Dan arrived at "Researchers bypass Internet Explorer 
Protected Mode" for the article title.  Protected Mode isn't being bypassed at 
all - the "researchers that figured out a reliable way to bypass the measure" 
apparently just noticed that Protected Mode is disabled by default in the Local 
Intranet Zone.

Is this something you are concerned about?  This would obviously only be 
exploitable by accessing sites on one's own intranet by specifically using 
intranet nomenclature (and trusted sites, but the user has to add those).  
Also, the article (or the researchers) are incorrect about the default settings 
for the Intranet zone - it's Medium-low, not Medium.   If the problem one is 
trying to fix is based on attackers compromising intranet sites and then 
posting code for unpatched vulnerabilities that would still end up only running 
in the user context, then you've got much bigger problems, no?

I'm just wondering why you are bringing attention to the article, or really, why
it was written in the first place.

t

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Georgi Guninski
Sent: Sunday, December 05, 2010 1:26 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] verizon vs m$

in a world like this, verizon kills exploder bugs:

http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf

the language doesn't seem passionate:
-----
Finally, Microsoft and other software vendors should clearly document which 
features do and do not have associated security claims. Clearly stating which 
features make security claims, and which do not, will allow informed decisions 
to be made on IT security issues.
-----

lol

--
joro

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/