IE8 Successfully Exploited on Windows 7 64bit

Just thought this was worth posting here, as IE8 is very highly regarded for its security. It was successfully exploited, bypassing both ASLR & DEP at the Pwn2Own contest.

There have been a couple of successful attacks against these protections in the past year, but considering how robust they have been, this is quite significant IMO. It will no doubt have some more holes punched in it shortly as better standardized exploitation techniques/research appear.

Exploit paper detailing techniques is here for anyone interested, very interesting bypass of DEP, http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

Been a bad week for browsers across the board :p
 
UAC not enabled however, which meant no IE Protected mode.

Hmm yer, that's a good point; there is no mention of attacking Protected Mode. Still though, even a successful non-persistent exploit restricted to Protected Mode could do a fair bit of damage under the correct circumstances.
 
UAC not enabled however, which meant no IE Protected mode.

Have we got a source on this? Undermines the whole test as far as I'm concerned if this is the case.

It wouldn't have made a difference whether or not Internet Explorer 8 was running in Protected Mode. Pwn2Own considers an exploit successful if the attacker can read a file on the exploited machine. Internet Explorer Protected Mode does not have a No-Read-Up policy, only a No-Write-Up policy, which means that if you manage to exploit Internet Explorer, the attacker potentially has access to all of the user's data.

Mark Russinovich said:
As you experiment you’ll find that your actions are limited, but there are some design boundaries that you should be aware of. First, with the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or Protected Mode IE can read objects that your account (the standard-user version if you’re a member of the administrator’s group) can. This potentially includes a user’s documents and registry keys.

PsExec, User Account Control and Security Boundaries - Mark Russinovich

Also, whilst Internet Explorer Protected Mode makes it much more difficult for malware to write anywhere other than a few very specific locations or to take over an entire system, it is by no means a security boundary.

Mark Russinovich said:
Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. Since processes running at different integrities are sharing the same desktop they share the same “session”. Each user logon results in a new session in which the processes of the user execute. The session also defines a local namespace through which the user’s processes can communicate via shared objects like synchronization objects and shared memory. That means that a process with a low IL could create a shared memory object (called a section or memory-mapped file) that it knows a higher IL process will open, and store data in the memory that causes the elevated process to execute arbitrary code if the elevated process doesn’t properly validate the data. That kind of escape, called a squatting attack, is sophisticated, requires the user to execute processes in a specific order and requires knowledge of the internal operation of an application that is susceptible to manipulation through shared objects.

However, let’s be clear that no matter how difficult to pull off, the mere possibility of such a breach of a sandbox wall implies that ILs, in and of themselves, do not define security boundaries. What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy. User accounts running in separate sessions are separated by a Windows security boundary, for example. One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user. If for some reason it was possible to bypass security policy, it would mean that there was a security bug in Windows (or third-party code that allows it).

PsExec, User Account Control and Security Boundaries - Mark Russinovich

Alternatively, malware could simply ask the user to let it out of low integrity. Mark Russinovich demonstrates this in his Windows Security Boundaries talk at around the 52 minute mark.
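A reduced model of the integrity check behind the no-read-up / no-write-up point made above, added here as an illustration (it is not code from the thread or from Windows itself): the policy flags and integrity RIDs are the real Windows constants, while the evaluation logic, the user document and the Medium-IL process are constructed for the example.

```python
# Added example (not from the thread): a simplified model of Windows Mandatory
# Integrity Control (MIC), showing why a Protected Mode IE process at Low
# integrity can still read a Medium-integrity user's files. The constants are
# the real SYSTEM_MANDATORY_LABEL_* policy flags and integrity RIDs; the
# evaluation below is a reduced model, not the kernel's access check.
from dataclasses import dataclass

# Integrity level RIDs (S-1-16-<rid>)
LOW_IL, MEDIUM_IL, HIGH_IL, SYSTEM_IL = 0x1000, 0x2000, 0x3000, 0x4000

# Mandatory label policy flags carried in an object's label ACE
NO_WRITE_UP = 0x1
NO_READ_UP = 0x2
NO_EXECUTE_UP = 0x4

# Requested access, reduced to three generic categories for the model
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass
class SecurableObject:
    name: str
    integrity: int
    policy: int  # policy flags from the object's mandatory label ACE

def mic_allows(subject_il: int, obj: SecurableObject, access: int) -> bool:
    """True if the integrity check passes (the DACL is still checked separately)."""
    if subject_il >= obj.integrity:
        return True  # same or higher integrity: no mandatory restriction
    if access & WRITE and obj.policy & NO_WRITE_UP:
        return False
    if access & READ and obj.policy & NO_READ_UP:
        return False
    if access & EXECUTE and obj.policy & NO_EXECUTE_UP:
        return False
    return True

# Constructed objects: an unlabelled user document is treated as Medium with the
# default no-write-up policy; process objects additionally carry no-read-up,
# which is the exception Russinovich notes for processes and threads.
USER_DOC = SecurableObject("C:\\Users\\alice\\Documents\\tax.xlsx", MEDIUM_IL, NO_WRITE_UP)
EXPLORER = SecurableObject("explorer.exe (process object)", MEDIUM_IL, NO_WRITE_UP | NO_READ_UP)

def protected_mode_ie_access() -> dict:
    """What a compromised Low-IL IE process may do under the integrity check alone."""
    return {
        "read user document": mic_allows(LOW_IL, USER_DOC, READ),
        "write user document": mic_allows(LOW_IL, USER_DOC, WRITE),
        "read explorer process": mic_allows(LOW_IL, EXPLORER, READ),
    }
```

The read of the user document passes the integrity check, which is exactly why a read-a-file success criterion is unaffected by Protected Mode.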
 
FF and Safari were compromised too. AFAIK Chrome wasn't used in the 'competition'.
Found this:
Day one of Pwn2Own is just over and the results gave me déjà vu. Browsers started falling, starting with Safari on Snow Leopard, followed by Internet Explorer 8 and Firefox 3. The Safari hack was once again claimed by Charlie Miller, this time for the third year in a row. Peter Vreugdenhil broke into Internet Explorer 8 on Windows 7, and both the Safari and Internet Explorer attacks were carried out through remote malicious code.

Firefox 3 was hacked on a 64 bit Windows 7 by Nils, who happens to be a German CS student. He is also a familiar face who had successfully hacked Firefox, Safari and Internet Explorer at last year’s Pwn2Own.

In the midst of all this hacking and remote code execution, one browser which was left untouched was Google Chrome. No attempt was even made to hack Google Chrome because of its sandboxed environment. Charlie Miller from last year's Pwn2Own explains Google Chrome's behavior, saying,

"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things — you can't execute on the heap, the OS protections in Windows and the Sandbox."
Source
 
Just thought I'd tack a bit on the end of this thread.

These are a few excerpts from an interview with Charlie Miller, the guy behind the successful Safari attack, that might be of interest. The full interview can be found at:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

The site isn't that great though, and bits are lost in translation I think.

Windows 7 or Snow Leopard, which of these two commercial OS will be harder to hack and why?

Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.

In Pwn2Own 2010 there is still no trace of Linux as a possible target. Is it harder to find exploits for Linux, or does a non-commercial operating system hold no interest for exploit hunters?

No, Linux is no harder, in fact probably easier, although some of this is dependent on the particular flavor of Linux you’re talking about. The organizers don’t choose to use Linux because not that many people use it on the desktop. The other thing is, the vulnerabilities are in the browsers, and mostly, the same browsers that run on Linux, run on Windows.

In your opinion, which is the safer combination OS+browser to use?

That’s a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about. The main thing is not to install Flash!

The most interesting bit for me was "Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows." We'll just have to wait and see how effective these bypasses are.
 
So would I be correct in saying that, for now, the weak point for exploits isn't really the browser per se but is, instead, Flash?
 
Flash basically makes your browser a bigger target to hit because of the extra functionality it gives you. More functions mean more complexity, and more complexity almost always means more room for errors to exploit. The problem is Adobe aren't that brilliant at patching holes, and this is compounded by the fact that few people bother with updates for Flash and Adobe Reader. I suspect this is a big reason why Google have decided to bake a Flash player plugin directly into Chrome, so they can keep it up to date.

The solution isn't really to not install Flash - love it or hate it, it's everywhere - but just be aware and keep it up to date as far as possible.
 