SlideShare ist ein Scribd-Unternehmen logo

Blackhat EU 2011 - Practical Sandboxing

Als PPT, PDF herunterladen
T
Tom Keetch

An assessment of Internet Explorer, Adobe Reader and Google Chrome sandboxes. Presented at the BlackHat EU conference in 2011.

Software
1 von 48
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Practical Sandboxing on the Windows Platform An assessment of the Internet Explorer, Adobe Reader and Google Chrome sandboxes By Tom Keetch
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 About Me  Senior Consultant for Verizon Business' Threat & Vulnerability Practice  Technical Lead for Code Review in EMEA  Application Security Design Reviews  Manual Code Review  Static Analysis  My favourite topic is exploit mitigation!  Make finding and exploiting vulnerabilities prohibitively expensive.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Introduction  Practical Sandboxing  User-mode sandboxing methodology  Based on Windows OS facilities  Implementers  Protected Mode Internet Explorer (limited)  Adobe Reader X  Chromium  This presentation is about:  Breaking out of such Sandboxes with the minimum required effort.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Agenda • Sandboxes for exploit mitigation (Theory) • Overview of Practical Sandboxing Implementations (Background) • Sandboxing Flaws (Practical) • A counter-argument to Adobe’s view of the sandbox • Conclusions
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Sandboxes for Exploit Mitigation
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Sandboxes for exploit mitigation  Two options:  Increase cost of exploitation  Decrease target value  But a second stage exploit, can usually bypass the sandbox for finite cost...  This presentation focuses on sandbox-escape.  Read the whitepaper for more further information.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 “Return-on-Exploitation”
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Two Potential Failures 1) The cost of bypassing the exploit mitigation is too low to deter a potential attacker. (a) The target is still more valuable than the additional exploitation effort required. (b) The mitigation can be trivially bypassed. 1) The reduction of value of the target is not sufficient to deter a potential attacker. (a) The attacker is not interested in the resources protected by the mitigation. (b) Valuable assets are not protected by the mitigation.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Looking for “cheap” exploits  This research set out to find the easiest places to find sandbox-escape exploits.  Cheap-to-find exploit types were found:  Previously unexposed interfaces  Easily detectable (and exploitable) conditions  Also, resources not protected by sandbox:  Network Access  Resources protected by the Same Origin Policy.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Overview of Practical Sandbox Implementations
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 The Practical Sandboxing Methodology  Restricted Access token  Deny-only SIDs (Discretionary)  Low Integrity (Mandatory)  Privilege Stripping (Capability)  Job Object Restrictions  Window Station Isolation  Desktop Isolation
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 • Session • Workstation • Desktop • Medium Integrity • Low Integrity Browser Tab (Internet Zone) Browser Tab (Trusted Zone, Local Intranet Zone) Internet Explorer (Broker) Protected Mode Internet Explorer
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Protected Mode Internet Explorer Practical Sandboxing Check-list OS Control Implemented? Restricted Token - Restricted Token No - Privilege Stripping Yes - Low Integrity Yes Job Object Restrictions No Window Station Isolation No Desktop Isolation No
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Protected Mode Internet Explorer Sandboxing  Only supported on Vista and later, because only Integrity Levels are used.  Only protected the Integrity of the system, not confidentiality.  See my previous presentation from Hack.LU 2010  Not a Security Boundary, for many reasons.  Lots of potential elevation routes.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 • Session • Medium Integrity • (Workstation) • (Desktop) • Restricted Token • Low Integrity • Job Object PDF Renderer Adobe Reader (Broker) Adobe Reader X
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Adobe Reader X Practical Sandboxing Check-list OS Control Implemented? Restricted Token - Restricted Token Y - Privilege Stripping Y - Low Integrity Y Job Object Restrictions Partial Window Station Isolation N Desktop Isolation N
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Adobe Reader X Sandboxing  Makes use of Chromium sandboxing and IPC framework (BSD license)  The broker does not restrict read access.  Sandbox doesn't protect clipboard or Global Atom Table.  No WinSta or Desktop isolation, but compensated for with Job Object restrictions.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 • Session • Medium Integrity • Restricted Token • Low Integrity • Job Object Browser Tab Google Chrome (Broker) GPU Process Plug-in • Per plug-in sandboxing. Chromium
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Chromium Practical Sandboxing Check-list OS Control Implemented? Restricted Token - Restricted Token Yes* - Privilege Stripping Yes* - Low Integrity Yes* Job Object Restrictions Yes* Window Station Isolation Yes* Desktop Isolation Yes* *Currently renderer only.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Chromium sandboxing  A flexible framework for applying the full “practical sandboxing” methodology  Renderer is in the most restrictive possible sandbox.  3rd Party Plug-ins are not sandboxed  Adobe Flash, Shockwave etc.  GPU process is not sandboxed (planned for future release)
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #1
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 BNO Namespace Squatting  Shared sections can be created with a name in the 'Local' namespace  Shared Sections  Mutexes, Events, Semaphores (Synchronisation objects)  By “squatting” on named object, we can set arbitrary permissions on the object if:  It can be created before the application  If the application does not fail if the named object already exists.  If we know or can predict the name of the object.  This can expose applications outside the sandbox to attacks they never knew existed…
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 BNO Namespace Squatting Example TODO
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Generic Sandbox escape vulnerability!  TODO
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 The Fuzzer that found it... int _tmain(int argc, _TCHAR* argv[]) { unsigned int size = _tstoi(argv[2]); HANDLE hSection = CreateFileMapping(NULL, NULL, PAGE_EXECUTE_READWRITE, 0, size, argv[1]); unsigned char* lpBuff = (unsigned char*) MapViewOfFile(hSection, FILE_MAP_WRITE | FILE_MAP_READ, 0, 0, size); // Take a copy of the initial contents of the section. memcpy(init, lpBuff, size); while(1) { memcpy(lpBuff, init, sizeof(init)); for(unsigned int i = 32; i < size; i++) if(rand() % 1000 < 5 ) lpBuff[i] = (unsigned char) rand(); PROCESS_INFORMATION ProcInfo1 = {0}; STARTUPINFOA StartupInfo1 = {0}; CreateProcessA(NULL, "C:Program FilesInternet Exploreriexplore.exe", NULL, NULL, FALSE, 0, NULL, NULL,&StartupInfo1, &ProcInfo1); CloseHandle(ProcInfo1.hProcess); CloseHandle(ProcInfo1.hThread); Sleep(2000); PROCESS_INFORMATION ProcInfo2 = {0}; STARTUPINFOA StartupInfo2 = {0}; CreateProcessA(NULL, "pskill iexplore.exe", NULL, NULL, FALSE, 0, NULL, NULL, &StartupInfo2, &ProcInfo2); CloseHandle(ProcInfo2.hProcess); CloseHandle(ProcInfo2.hThread); Sleep(1000); } return 0; }
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #2
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 NPAPI Interface Exploits (Chromium Specific)  NPAPI was originally used to interface between the Netscape browser and an in-process plug-in. Browser NPAPI Plug-in (DLL)NPAPI Process Browser Tab
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Out-of-Process NPAPI  Later NPAPI crossed process boundaries  Improved stability, no improved security. Browser Tab (Process) Google Chrome (Broker Process) Trusted Plug-in (Process) NPAPI Session
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 NPAPI In Chrome (Today) Browser Tab (Process) Google Chrome (Broker Process) Trusted Plug-in (Process) NPAPI Sandbox Session • NPAPI now crosses a security boundary between sandboxed tabs and un-sandboxed plug-ins.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 NPAPI Exploits  NPAPI Callers were previously trusted...  ...Now they are not.  Flash and other plug-ins are currently not sandboxed.  Exploitable bugs in Adobe (and other vendors) code will allow sandbox-escape.  These bugs were previously not vulnerabilities  → Calling conventions?
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 A benign crash? • Thread 9 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION @ 0x09ccf232 ) 0x102e5c06 [NPSWF32.dll - memcpy.asm:257] memcpy 0x102e1828 [NPSWF32.dll + 0x002e1828] CBitStream::Fill(unsigned char const*, int) 0x102e0b96 [NPSWF32.dll + 0x002e0b96] mp3decFill 0x102e0892 [NPSWF32.dll + 0x002e0892] PlatformMp3Decoder::Refill(int,unsigned char*) 0x10063d21 [NPSWF32.dll + 0x00063d21] CMp3Decomp::GetDecompressedData(short*,int,int,int,int) 0x10063f62 [NPSWF32.dll + 0x00063f62] CMp3Decomp::Decompress(short *,int) 0x100ad448 [NPSWF32.dll + 0x000ad448] CoreSoundMix::BuildBuffer(int) 0x100ae2c5 [NPSWF32.dll + 0x000ae2c5] CoreSoundMix::SendBuffer(int,int) 0x10153d6b [NPSWF32.dll + 0x00153d6b] PlatformSoundMix::SoundThread() 0x10154034 [NPSWF32.dll + 0x00154034] PlatformSoundMix::SoundThreadFunc(void *) 0x7c80b728 [kernel32.dll + 0x0000b728] BaseThreadStart Full report @ http://crash/reportdetail?reportid=b370c132fc6587f7 Google Chrome 4.0.249.70 (Official Build 36218)  This was found by accident (using Chromium)  Fixed by Adobe!
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Input events  Can also send key and mouse events.  NPP_InputEvent().  Possible to bypass Flash Security Dialogs  Enable web-cam  Enable Microphone  Plug-ins are currently unable to distinguish between user input and simulated input from renderer.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #3
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Handle Leaks  Handles which refer to privileged resources may exist in sandboxes for several reasons.  A handle can be used for any operation for which it has already been granted access.  If the right type of handle is leaked into the sandbox, it can be used for sandbox-escape.  These handles are easily detected at run-time!
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 What causes “Handle Leaks”?  Deliberately granted by broker.  Accidentally granted by broker.  Incorrectly granted by broker (policy error)  Unclosed handles from sandbox initialisation  Before Lock-down (init. with unrestricted token)  Internal handles kept open by libraries  Internal handles kept open by 3rd Party Hook DLLs
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Adobe Reader X Handle Leaks  Sandboxed renderer has write access to the Medium-integrity Internet Explorer cookie store, history etc.  The ARX broker also doesn't currently restrict read access to local file system.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #4
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Clipboard Attacks  In PMIE and AR-X, the clipboard is shared between the sandbox and the rest of the user's session.  Ever put your password in the clipboard?  What about attacking other applications?  Previously, the clipboard contents were normally trustworthy, now they are not.
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Clipboard Attacks  What about...  Pasting malicious command lines into a shell followed by a new line?  Inputting maliciously formatted data into the clipboard?  Do application developers implicitly trust clipboard contents?
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 A counter-argument to Adobe’s view of the sandbox
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Conclusions
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Conclusions  Developing sandbox escape exploits is currently significantly less effort than the initial remote exploit.  Not necessarily a big disincentive for attackers.  Especially if the goal is to steal a resource available inside the sandbox!
© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Conclusions  Sandboxes have changed the exploitation landscape and will continue to do so  Greater emphasis on local privilege escalation  Desktop applications under greater scrutiny  New attack surfaces  When forced to attackers will start to adopt sandbox-aware malware.  Insufficient motivation to do so yet!  PMIE sandbox escapes only started getting attention when Pwn2Own made it a requirement of “own”.  There are now at least 4 unpatched PMIE escapes (source: Twitter).

Empfohlen

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
CanSecWest
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
CanSecWest
 

Empfohlen

Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
CanSecWest
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
CanSecWest
 
Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
CanSecWest
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
Ryan Wincey
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical Sandboxing
Tom Keetch
 
Derbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesDerbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: Sandboxes
Bromium Labs
 
Cooking security sans@night
Cooking security sans@nightCooking security sans@night
Cooking security sans@night
jtimberman
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Sjug aug 2010_cloud
Sjug aug 2010_cloudSjug aug 2010_cloud
Sjug aug 2010_cloud
Michael Neale
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
UT, San Antonio
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
 
Hack any website
Hack any websiteHack any website
Hack any website
sunil kumar
 
Industrializing the creation of machine images and Docker containers for clou...
Industrializing the creation of machine images and Docker containers for clou...Industrializing the creation of machine images and Docker containers for clou...
Industrializing the creation of machine images and Docker containers for clou...
OW2
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
Aman Kohli
 
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
PROIDEA
 
ColdFusion .NET integration - Adobe Max 2006
ColdFusion .NET integration - Adobe Max 2006ColdFusion .NET integration - Adobe Max 2006
ColdFusion .NET integration - Adobe Max 2006
Rupesh Kumar
 
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
Abhishek Singh
 
Real-time Computer Vision With Ruby - OSCON 2008
Real-time Computer Vision With Ruby - OSCON 2008Real-time Computer Vision With Ruby - OSCON 2008
Real-time Computer Vision With Ruby - OSCON 2008
Jan Wedekind
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
Nephi Johnson
 

Weitere ähnliche Inhalte

Was ist angesagt?

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
Ryan Wincey
 

Was ist angesagt? (6)

Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
 

Ähnlich wie Blackhat EU 2011 - Practical Sandboxing

Cooking security sans@night
Cooking security sans@nightCooking security sans@night
Cooking security sans@night
jtimberman
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
 
Hack any website
Hack any websiteHack any website
Hack any website
sunil kumar
 
Industrializing the creation of machine images and Docker containers for clou...
Industrializing the creation of machine images and Docker containers for clou...Industrializing the creation of machine images and Docker containers for clou...
Industrializing the creation of machine images and Docker containers for clou...
OW2
 
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
Abhishek Singh
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
Nephi Johnson
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
The Linux Foundation
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 

Ähnlich wie Blackhat EU 2011 - Practical Sandboxing (20)

Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical Sandboxing
 
Derbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesDerbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: Sandboxes
 
Cooking security sans@night
Cooking security sans@nightCooking security sans@night
Cooking security sans@night
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Sjug aug 2010_cloud
Sjug aug 2010_cloudSjug aug 2010_cloud
Sjug aug 2010_cloud
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Hack any website
Hack any websiteHack any website
Hack any website
 
Industrializing the creation of machine images and Docker containers for clou...
Industrializing the creation of machine images and Docker containers for clou...Industrializing the creation of machine images and Docker containers for clou...
Industrializing the creation of machine images and Docker containers for clou...
 
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on PurposeBeing HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
 
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
 
ColdFusion .NET integration - Adobe Max 2006
ColdFusion .NET integration - Adobe Max 2006ColdFusion .NET integration - Adobe Max 2006
ColdFusion .NET integration - Adobe Max 2006
 
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-SlidesUS-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
US-13-Singh-Hot-Knives-Through-Butter-Evading-File-Based-Sandboxes-Slides
 
Real-time Computer Vision With Ruby - OSCON 2008
Real-time Computer Vision With Ruby - OSCON 2008Real-time Computer Vision With Ruby - OSCON 2008
Real-time Computer Vision With Ruby - OSCON 2008
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
 
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
NTT Docomo's Challenge looking ahead the world pf 5G × OpenStack - OpenStack最...
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
 

Kürzlich hochgeladen

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 

Kürzlich hochgeladen (20)

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 

Blackhat EU 2011 - Practical Sandboxing

  • 1. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Practical Sandboxing on the Windows Platform An assessment of the Internet Explorer, Adobe Reader and Google Chrome sandboxes By Tom Keetch
  • 2. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 About Me  Senior Consultant for Verizon Business' Threat & Vulnerability Practice  Technical Lead for Code Review in EMEA  Application Security Design Reviews  Manual Code Review  Static Analysis  My favourite topic is exploit mitigation!  Make finding and exploiting vulnerabilities prohibitively expensive.
  • 3. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Introduction  Practical Sandboxing  User-mode sandboxing methodology  Based on Windows OS facilities  Implementers  Protected Mode Internet Explorer (limited)  Adobe Reader X  Chromium  This presentation is about:  Breaking out of such Sandboxes with the minimum required effort.
  • 4. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Agenda • Sandboxes for exploit mitigation (Theory) • Overview of Practical Sandboxing Implementations (Background) • Sandboxing Flaws (Practical) • A counter-argument to Adobe’s view of the sandbox • Conclusions
  • 5. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Sandboxes for Exploit Mitigation
  • 6. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Sandboxes for exploit mitigation  Two options:  Increase cost of exploitation  Decrease target value  But a second stage exploit, can usually bypass the sandbox for finite cost...  This presentation focuses on sandbox-escape.  Read the whitepaper for more further information.
  • 7. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 “Return-on-Exploitation”
  • 8. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Two Potential Failures 1) The cost of bypassing the exploit mitigation is too low to deter a potential attacker. (a) The target is still more valuable than the additional exploitation effort required. (b) The mitigation can be trivially bypassed. 1) The reduction of value of the target is not sufficient to deter a potential attacker. (a) The attacker is not interested in the resources protected by the mitigation. (b) Valuable assets are not protected by the mitigation.
  • 9. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
  • 10. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Looking for “cheap” exploits  This research set out to find the easiest places to find sandbox-escape exploits.  Cheap-to-find exploit types were found:  Previously unexposed interfaces  Easily detectable (and exploitable) conditions  Also, resources not protected by sandbox:  Network Access  Resources protected by the Same Origin Policy.
  • 11. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Overview of Practical Sandbox Implementations
  • 12. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 The Practical Sandboxing Methodology  Restricted Access token  Deny-only SIDs (Discretionary)  Low Integrity (Mandatory)  Privilege Stripping (Capability)  Job Object Restrictions  Window Station Isolation  Desktop Isolation
  • 13. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 • Session • Workstation • Desktop • Medium Integrity • Low Integrity Browser Tab (Internet Zone) Browser Tab (Trusted Zone, Local Intranet Zone) Internet Explorer (Broker) Protected Mode Internet Explorer
  • 14. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Protected Mode Internet Explorer Practical Sandboxing Check-list OS Control Implemented? Restricted Token - Restricted Token No - Privilege Stripping Yes - Low Integrity Yes Job Object Restrictions No Window Station Isolation No Desktop Isolation No
  • 15. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Protected Mode Internet Explorer Sandboxing  Only supported on Vista and later, because only Integrity Levels are used.  Only protected the Integrity of the system, not confidentiality.  See my previous presentation from Hack.LU 2010  Not a Security Boundary, for many reasons.  Lots of potential elevation routes.
  • 16. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 • Session • Medium Integrity • (Workstation) • (Desktop) • Restricted Token • Low Integrity • Job Object PDF Renderer Adobe Reader (Broker) Adobe Reader X
  • 17. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Adobe Reader X Practical Sandboxing Check-list OS Control Implemented? Restricted Token - Restricted Token Y - Privilege Stripping Y - Low Integrity Y Job Object Restrictions Partial Window Station Isolation N Desktop Isolation N
  • 18. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Adobe Reader X Sandboxing  Makes use of Chromium sandboxing and IPC framework (BSD license)  The broker does not restrict read access.  Sandbox doesn't protect clipboard or Global Atom Table.  No WinSta or Desktop isolation, but compensated for with Job Object restrictions.
  • 19. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 • Session • Medium Integrity • Restricted Token • Low Integrity • Job Object Browser Tab Google Chrome (Broker) GPU Process Plug-in • Per plug-in sandboxing. Chromium
  • 20. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Chromium Practical Sandboxing Check-list OS Control Implemented? Restricted Token - Restricted Token Yes* - Privilege Stripping Yes* - Low Integrity Yes* Job Object Restrictions Yes* Window Station Isolation Yes* Desktop Isolation Yes* *Currently renderer only.
  • 21. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Chromium sandboxing  A flexible framework for applying the full “practical sandboxing” methodology  Renderer is in the most restrictive possible sandbox.  3rd Party Plug-ins are not sandboxed  Adobe Flash, Shockwave etc.  GPU process is not sandboxed (planned for future release)
  • 22. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #1
  • 23. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 BNO Namespace Squatting  Shared sections can be created with a name in the 'Local' namespace  Shared Sections  Mutexes, Events, Semaphores (Synchronisation objects)  By “squatting” on named object, we can set arbitrary permissions on the object if:  It can be created before the application  If the application does not fail if the named object already exists.  If we know or can predict the name of the object.  This can expose applications outside the sandbox to attacks they never knew existed…
  • 24. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 BNO Namespace Squatting Example TODO
  • 25. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Generic Sandbox escape vulnerability!  TODO
  • 26. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 The Fuzzer that found it... int _tmain(int argc, _TCHAR* argv[]) { unsigned int size = _tstoi(argv[2]); HANDLE hSection = CreateFileMapping(NULL, NULL, PAGE_EXECUTE_READWRITE, 0, size, argv[1]); unsigned char* lpBuff = (unsigned char*) MapViewOfFile(hSection, FILE_MAP_WRITE | FILE_MAP_READ, 0, 0, size); // Take a copy of the initial contents of the section. memcpy(init, lpBuff, size); while(1) { memcpy(lpBuff, init, sizeof(init)); for(unsigned int i = 32; i < size; i++) if(rand() % 1000 < 5 ) lpBuff[i] = (unsigned char) rand(); PROCESS_INFORMATION ProcInfo1 = {0}; STARTUPINFOA StartupInfo1 = {0}; CreateProcessA(NULL, "C:Program FilesInternet Exploreriexplore.exe", NULL, NULL, FALSE, 0, NULL, NULL,&StartupInfo1, &ProcInfo1); CloseHandle(ProcInfo1.hProcess); CloseHandle(ProcInfo1.hThread); Sleep(2000); PROCESS_INFORMATION ProcInfo2 = {0}; STARTUPINFOA StartupInfo2 = {0}; CreateProcessA(NULL, "pskill iexplore.exe", NULL, NULL, FALSE, 0, NULL, NULL, &StartupInfo2, &ProcInfo2); CloseHandle(ProcInfo2.hProcess); CloseHandle(ProcInfo2.hThread); Sleep(1000); } return 0; }
  • 27. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #2
  • 28. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 NPAPI Interface Exploits (Chromium Specific)  NPAPI was originally used to interface between the Netscape browser and an in-process plug-in. Browser NPAPI Plug-in (DLL)NPAPI Process Browser Tab
  • 29. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Out-of-Process NPAPI  Later NPAPI crossed process boundaries  Improved stability, no improved security. Browser Tab (Process) Google Chrome (Broker Process) Trusted Plug-in (Process) NPAPI Session
  • 30. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 NPAPI In Chrome (Today) Browser Tab (Process) Google Chrome (Broker Process) Trusted Plug-in (Process) NPAPI Sandbox Session • NPAPI now crosses a security boundary between sandboxed tabs and un-sandboxed plug-ins.
  • 31. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 NPAPI Exploits  NPAPI Callers were previously trusted...  ...Now they are not.  Flash and other plug-ins are currently not sandboxed.  Exploitable bugs in Adobe (and other vendors) code will allow sandbox-escape.  These bugs were previously not vulnerabilities  → Calling conventions?
  • 32. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 A benign crash? • Thread 9 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION @ 0x09ccf232 ) 0x102e5c06 [NPSWF32.dll - memcpy.asm:257] memcpy 0x102e1828 [NPSWF32.dll + 0x002e1828] CBitStream::Fill(unsigned char const*, int) 0x102e0b96 [NPSWF32.dll + 0x002e0b96] mp3decFill 0x102e0892 [NPSWF32.dll + 0x002e0892] PlatformMp3Decoder::Refill(int,unsigned char*) 0x10063d21 [NPSWF32.dll + 0x00063d21] CMp3Decomp::GetDecompressedData(short*,int,int,int,int) 0x10063f62 [NPSWF32.dll + 0x00063f62] CMp3Decomp::Decompress(short *,int) 0x100ad448 [NPSWF32.dll + 0x000ad448] CoreSoundMix::BuildBuffer(int) 0x100ae2c5 [NPSWF32.dll + 0x000ae2c5] CoreSoundMix::SendBuffer(int,int) 0x10153d6b [NPSWF32.dll + 0x00153d6b] PlatformSoundMix::SoundThread() 0x10154034 [NPSWF32.dll + 0x00154034] PlatformSoundMix::SoundThreadFunc(void *) 0x7c80b728 [kernel32.dll + 0x0000b728] BaseThreadStart Full report @ http://crash/reportdetail?reportid=b370c132fc6587f7 Google Chrome 4.0.249.70 (Official Build 36218)  This was found by accident (using Chromium)  Fixed by Adobe!
  • 33. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Input events  Can also send key and mouse events.  NPP_InputEvent().  Possible to bypass Flash Security Dialogs  Enable web-cam  Enable Microphone  Plug-ins are currently unable to distinguish between user input and simulated input from renderer.
  • 34. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #3
  • 35. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Handle Leaks  Handles which refer to privileged resources may exist in sandboxes for several reasons.  A handle can be used for any operation for which it has already been granted access.  If the right type of handle is leaked into the sandbox, it can be used for sandbox-escape.  These handles are easily detected at run-time!
  • 36. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 What causes “Handle Leaks”?  Deliberately granted by broker.  Accidentally granted by broker.  Incorrectly granted by broker (policy error)  Unclosed handles from sandbox initialisation  Before Lock-down (init. with unrestricted token)  Internal handles kept open by libraries  Internal handles kept open by 3rd Party Hook DLLs
  • 37. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Adobe Reader X Handle Leaks  Sandboxed renderer has write access to the Medium-integrity Internet Explorer cookie store, history etc.  The ARX broker also doesn't currently restrict read access to local file system.
  • 38. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Cheap Exploit #4
  • 39. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Clipboard Attacks  In PMIE and AR-X, the clipboard is shared between the sandbox and the rest of the user's session.  Ever put your password in the clipboard?  What about attacking other applications?  Previously, the clipboard contents were normally trustworthy, now they are not.
  • 40. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Clipboard Attacks  What about...  Pasting malicious command lines into a shell followed by a new line?  Inputting maliciously formatted data into the clipboard?  Do application developers implicitly trust clipboard contents?
  • 41. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 A counter-argument to Adobe’s view of the sandbox
  • 42. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
  • 43. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
  • 44. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
  • 45. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
  • 46. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Conclusions
  • 47. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Conclusions  Developing sandbox escape exploits is currently significantly less effort than the initial remote exploit.  Not necessarily a big disincentive for attackers.  Especially if the goal is to steal a resource available inside the sandbox!
  • 48. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Conclusions  Sandboxes have changed the exploitation landscape and will continue to do so  Greater emphasis on local privilege escalation  Desktop applications under greater scrutiny  New attack surfaces  When forced to attackers will start to adopt sandbox-aware malware.  Insufficient motivation to do so yet!  PMIE sandbox escapes only started getting attention when Pwn2Own made it a requirement of “own”.  There are now at least 4 unpatched PMIE escapes (source: Twitter).