© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
Escaping from Protected Mode
Internet Explorer
Tom Keetch
Application Security Specialist
Threat & Vulnerability Management EMEA
Introduction
Outline
•What is Protected Mode Internet Explorer?
•The Design of Protected Mode Internet Explorer
•Mandatory Integrity Control / Integrity Levels
•Attack Patterns and Bypassing the feature
•Impact on Adobe Reader, Google Chrome & Microsoft Office
Protected Mode Internet Explorer
Introduction
•Feature introduced in Internet Explorer 7
•Requires Windows Vista and later OS.
•Uses Mandatory Integrity Control
•a.k.a “Integrity Levels”
•According to Microsoft, this mechanism “significantly reduces
the ability of an attack [against IE] to write, alter or destroy
data on the user’s machine”.
•Mitigates 0-day attacks against IE.
•Based on “Practical Sandboxing” technology.
“The idea behind Protected Mode IE is that even if an attacker
somehow defeated every defense mechanism and gained
control of the IE process and got it to run some arbitrary
code that code would be severely limited in what it could do.”
– IEBlog (2006)
Protected Mode Internet Explorer
Introduction
“What's interesting about this is the fact that Firefox doesn't
have the benefit of Protected Mode under Vista, which can
somewhat mitigate the damage that can be done if Internet
Explorer 7 is exploited by [the ANI] vulnerability.”
– ZDNet (2007)
Protected Mode Internet Explorer
Introduction
“[Protected Mode is not a security Boundary]”
- Mark Russinovich
(Windows Security Boundaries)
What’s a “Security Boundary”?
•Microsoft Terminology
•A security boundary is a separation between distinct privilege
levels which can enforce a security policy. Any security holes
within this boundary will be patched within the monthly
update cycle.
•E.g. A web server cannot execute arbitrary code on the client
without informed consent.
Protected Mode Internet Explorer
Introduction
•Unclear exactly how much PMIE protects users from remote code execution attacks.
•This research set out to make this clear....
Protected Mode Internet Explorer
When is it enabled?
•UAC must be enabled
•Protected Mode is a per-zone setting
•Current default settings :-
IE Zone               | Protected Mode?
Trusted Internet Zone | No
Local Intranet Zone*  | No**
Internet Zone         | Yes
Restricted Sites      | Yes
Local Computer Zone   | No
* Enabled by default on domain-joined workstations
** Previously enabled by default.
Protected Mode Internet Explorer
Design
Protected Mode Internet Explorer
Design
•IE Processes can run at different Integrity levels
–Un-trusted tabs at Low Integrity
–Trusted tabs at Medium/High integrity.
–In IE 7, trusted and un-trusted tabs appeared in different windows.
•Compatibility shim part of Low Rights IE (LRIE)
–Redirects requests for privileged operations to broker.
–Re-directs file and registry access.
•Loosely-Coupled IE (LCIE) in IE8
– Trusted and un-trusted tabs in same window
•Elevating Low-> Medium will bypass PMIE.
Protected Mode Internet Explorer
Broker Interface
•Available to callers at all integrity levels in user session.
•Implemented using Local Procedure Calls (LPC)
•Privileged operations require either:
– User consent, OR
– To be authorised by the Elevation Policy.
•Allows Low Integrity Processes to:
– Launch new processes at Low or Medium Integrity
– Create new tabs/windows
– Save files in User folders marked Medium Integrity
Protected Mode Internet Explorer
Elevation Policy
•SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
Value (DWORD) | Behaviour                                                                                                                                   | Example
3             | Protected Mode silently launches the broker as a medium integrity process                                                                   | Winword.exe
2             | Protected Mode prompts the user for permission to launch the process. If permission is granted, the process is launched as a medium integrity process | All other processes
1             | Protected Mode silently launches the broker as a low integrity process                                                                      | iexplore.exe
0             | Protected Mode prevents the process from launching                                                                                          | cmd.exe
Protected Mode Internet Explorer
Trusted Brokers
•Auto-elevating processes are of particular interest
– Potential elevation routes
– Low -> Medium Integrity
•Compare with UAC
– Medium -> High Integrity
•“Trusted Brokers” used by IE and IE extensions to complete
trusted operations
•What about Low -> High Integrity via UAC?
Protected Mode Internet Explorer
UAC Elevation from Low Integrity
•PMIE Elevations do not allow the current working directory (CWD)
of the elevated process to be set.
•Allowing this would expose DLL-load hijacking attacks.
– DLLs are frequently loaded from the CWD.
– Possibility of tricking launched process into loading a malicious DLL.
•But CWD can be set for UAC elevations.
– Such elevations are possible from Low Integrity processes.
– As the next slide shows....
– A UAC bypass will also bypass Protected Mode. (Low->High)
Protected Mode Internet Explorer
Compatibility Shim
•2 different hooking mechanisms
•IE Broker Shim
– iebrshim.dll
– Redirects process launch requests to broker
• Application Compatibility shims
– AcLayers.dll
– AcRedir.dll
– Redirect registry and file access to low integrity locations
Protected Mode Internet Explorer
Compatibility Shim
•User mode hooking is implemented within the same virtual
address space
– Therefore arbitrary code executing in a hooked process can
ignore hooking policy.
– User mode hooking is a compatibility feature...
– Many pre-existing IE extensions can continue to work without
modification.
•But this shim can protect against some attacks.
– E.g. Arbitrary file read/write vulnerabilities in In-Process
extensions.
Mandatory Access Control
• Mandatory Access Control
•Under control of the operating system (mandatory)
• e.g. Mandatory Integrity Control, SELinux.
• Discretionary Access
• At the discretion of the resource owner
• e.g. Users and Groups
• First Mandatory, then Discretionary access check.
Mandatory Integrity Control
•Introduces the concept of a less-trusted process.
Integrity Level (IL) | Numeric Value | Example
Un-trusted           | 0x0000h       | Anonymous Sessions
Low                  | 0x1000h       | Protected Mode IE
Medium (Default)     | 0x2000h       | Normal User, Un-elevated Super-Users
High                 | 0x3000h       | Super-Users (including Admin)
System               | 0x4000h       | All services
Protected            | 0x5000h       | DRM Processes
Mandatory Integrity Control
•Every securable object has an integrity level.
–And one or more “mandatory labels”
•Policies are defined in terms of generic access rights. GENERIC_MAPPINGs define how a policy applies to object-specific access rights.
Label         | Applied by default to...
No Write Up   | Files, Processes, Synchronisation objects, ...
No Read Up    | Processes
No Execute Up | Out-of-process COM servers
Mandatory Integrity Control
winnt.h on GENERIC_MAPPINGs
#define GENERIC_READ    (0x80000000L)
#define GENERIC_WRITE   (0x40000000L)
#define GENERIC_EXECUTE (0x20000000L)
#define GENERIC_ALL     (0x10000000L)
// Define the generic mapping array. This is used to denote the
// mapping of each generic access right to a specific access mask.
typedef struct _GENERIC_MAPPING {
    ACCESS_MASK GenericRead;
    ACCESS_MASK GenericWrite;
    ACCESS_MASK GenericExecute;
    ACCESS_MASK GenericAll;
} GENERIC_MAPPING;
typedef GENERIC_MAPPING *PGENERIC_MAPPING;
Mandatory Integrity Control
No Write Up
•This policy gives us the feature’s informal name
“Integrity Levels”
•Processes are unable to modify higher integrity objects
–Including other processes
•Low IL processes can only write to designated files and
registry keys
–Prevent drive-by downloads from installing malware
–Maintain the integrity of the machine
Mandatory Integrity Control
No Read Up
•Maintains confidentiality.
•Applied only to processes by default.
•ReadProcessMemory() and WriteProcessMemory() are denied on higher integrity processes.
Mandatory Integrity Control
No Execute Up
•COM is “Integrity-Aware”
•By default out-of-process COM objects are marked as “No Execute Up”.
•Otherwise Low Integrity processes could get COM objects to perform actions on their behalf.
Mandatory Integrity Control
Protected Mode Internet Explorer
•The browser process runs at Low Integrity
•The user’s files are Medium Integrity
•Files/Registry are marked No Write Up
•Therefore a compromised IE process can read (and steal), but not write, alter or delete user files.
•But what else can a low integrity process do?
Generic Mappings
Some Points of Interest
• Low IL processes can:
– Enumerate and Terminate higher integrity processes
– Be notified when threads/processes terminate
– Hold (and abandon) a higher integrity mutex
• There are also a couple of anomalies:
– Requesting “no-access” to a ↑IL file succeeds
– GENERIC_WRITE access to a ↑IL Mutex is allowed
•Registry “Symlink attacks” are possible
– Registry Symlinks can point to higher integrity registry keys
•These mappings will be useful later on...
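The mandatory label check the slides describe (GENERIC_* bits expanded through the object type's GENERIC_MAPPING, then the No Write Up / No Read Up / No Execute Up policy applied before the DACL is consulted), as an added Python example; this is not code from the talk. The file mapping values are FILE_GENERIC_* from winnt.h; the mutant mapping and the rule that only object-specific rights (plus WRITE_DAC, WRITE_OWNER and DELETE) count towards a read or write are assumptions of this model, marked as such in the code. Under those assumptions it reproduces two of the points of interest above: requesting no access to a higher-IL file passes, and GENERIC_WRITE on a higher-IL mutex passes because it maps to standard rights only.

```python
"""Simplified model of the Mandatory Integrity Control (MIC) access check.

Added example, not code from the talk. Two steps are modelled: expanding
GENERIC_* bits through the object type's GENERIC_MAPPING (RtlMapGenericMask
semantics) and applying the object's mandatory label policy to the mapped
mask. Model assumption, not the kernel's exact algorithm: only object-specific
rights (plus WRITE_DAC / WRITE_OWNER / DELETE for writes) count as
read/write/execute, which is what reproduces the mutex anomaly on the slides.
"""
from dataclasses import dataclass

# Generic and standard rights, values from winnt.h.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
SYNCHRONIZE, STANDARD_RIGHTS_ALL = 0x100000, 0x1F0000

# Integrity level RIDs (SECURITY_MANDATORY_*_RID) and label policy bits.
LOW_IL, MEDIUM_IL, HIGH_IL = 0x1000, 0x2000, 0x3000
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class GenericMapping:
    generic_read: int
    generic_write: int
    generic_execute: int
    generic_all: int


# FILE_GENERIC_READ / _WRITE / _EXECUTE and FILE_ALL_ACCESS from winnt.h.
FILE_MAPPING = GenericMapping(0x120089, 0x120116, 0x1200A0, 0x1F01FF)
# Mutant mapping as assumed for this model: MUTANT_QUERY_STATE for read,
# standard rights only for write, SYNCHRONIZE for execute, MUTANT_ALL_ACCESS.
MUTANT_MAPPING = GenericMapping(0x20001, 0x20000, 0x120000, 0x1F0001)


def map_generic_mask(access: int, mapping: GenericMapping) -> int:
    """Replace GENERIC_* bits with the object-specific rights they stand for."""
    mapped = access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)
    if access & GENERIC_READ:
        mapped |= mapping.generic_read
    if access & GENERIC_WRITE:
        mapped |= mapping.generic_write
    if access & GENERIC_EXECUTE:
        mapped |= mapping.generic_execute
    if access & GENERIC_ALL:
        mapped |= mapping.generic_all
    return mapped


def _specific(mask: int) -> int:
    """Object-specific rights only: standard rights and SYNCHRONIZE are dropped (model assumption)."""
    return mask & ~(STANDARD_RIGHTS_ALL | SYNCHRONIZE)


def mandatory_check(subject_il: int, object_il: int, policy: int,
                    access: int, mapping: GenericMapping) -> bool:
    """True if the mandatory label check passes; the discretionary check still follows.

    A label only constrains callers below the object's integrity level,
    so Medium -> Medium (or any downward access) always passes here.
    """
    if subject_il >= object_il:
        return True
    mapped = map_generic_mask(access, mapping)
    write_set = _specific(mapping.generic_write) | WRITE_DAC | WRITE_OWNER | DELETE
    if policy & NO_WRITE_UP and mapped & write_set:
        return False
    if policy & NO_READ_UP and mapped & _specific(mapping.generic_read):
        return False
    if policy & NO_EXECUTE_UP and mapped & _specific(mapping.generic_execute):
        return False
    return True


if __name__ == "__main__":
    cases = [
        ("Low opens Medium file, GENERIC_WRITE", LOW_IL, MEDIUM_IL, NO_WRITE_UP, GENERIC_WRITE, FILE_MAPPING),
        ("Low opens Medium file, GENERIC_READ", LOW_IL, MEDIUM_IL, NO_WRITE_UP, GENERIC_READ, FILE_MAPPING),
        ("Low opens Medium file, no access", LOW_IL, MEDIUM_IL, NO_WRITE_UP, 0, FILE_MAPPING),
        ("Low opens Medium mutex, GENERIC_WRITE", LOW_IL, MEDIUM_IL, NO_WRITE_UP, GENERIC_WRITE, MUTANT_MAPPING),
        ("Low opens Medium NR file, GENERIC_READ", LOW_IL, MEDIUM_IL, NO_WRITE_UP | NO_READ_UP, GENERIC_READ, FILE_MAPPING),
    ]
    for label, *args in cases:
        print(f"{label}: {'allowed' if mandatory_check(*args) else 'DENIED'}")
```

The `write_set` line is the point of the model: a GENERIC_WRITE open maps to whatever the object type's mapping says, and a mutant's mapping contributes no object-specific write right, so the No Write Up label never fires for it. That is the same reason the standard-rights bits (WRITE_DAC, WRITE_OWNER, DELETE) have to be added back explicitly: without them a lower-integrity caller could re-ACL or delete the object without ever asking for an object-specific write.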
Mandatory Integrity Control
Applicability to object types
•All SE_KERNEL_OBJECTs are subject to MIC
– But not all objects are SE_KERNEL_OBJECTs
•What’s not subject to MIC?
– Sockets
– Services
– Base Named Object (BNO) namespace
– Kernel interfaces (IOCTLs)
– Remote Procedure Calls
– ...
•Also, open handles!
– Access check has already happened.
Sockets
•Processes can bind to any port, regardless of Integrity Level
•The Windows XP Firewall cannot prevent Low IL servers either.
•In a Windows Vista Beta release, SMB loopback was used to bypass UAC.
– \\localhost\c$\...
– Fixed in final release.
•Use loopback-bound servers to elevate privilege?
– E.g. SSDP bound to 127.0.0.1 by default.
Services
•The Service Control Manager is not “Integrity-Aware” like the COM
subsystem
•But discretionary access control still applies.
– No privileged groups enabled in a Low/Medium Integrity Access Token
– Privileged groups are only enabled in the High-Integrity “Linked Token”
– This is functionality implemented by UAC
•However, weak service ACLs may still be exploitable from Low IL.
Base Named Object Namespace
•This is where securable (named) objects are created
•Mandatory Integrity Control doesn’t apply here either.
– Namespace squatting attacks?
•This was given as one of two main reasons why Protected Mode was
not a “security boundary” by Mark Russinovich
– The other was UI overlay attacks
– Required user intervention / “social engineering”
•Candidate for good PMIE bypass methods
Window Stations & Desktops
• Both are objects of type SE_WINDOW_OBJECT
– Not SE_KERNEL_OBJECT
•Also, every interactive process has handles to:
– WinSta0 – the default window station for the session
–The “Default” desktop – shared with other interactive processes.
•Sharing a desktop allows UI spoofing attacks
– Known limitation of PMIE.
•Sharing a Window Station allows other attacks!
Window Stations & Desktops
Window Station Attack Surface
•Another example is the Global Atom Table
– Contains strings and Integers
– Primitive form of Inter-Process Communication.
•Created a dumb Atom Table fuzzer running at Low Integrity
– NULL dereference in Process Explorer (running at High Integrity)
– Internet Explorer’s UI got mangled, but no crashes.
• Dynamic Data Exchange (DDE) IPC used Global Atoms
– So a smarter fuzzer might find more interesting bugs.
– Global Atoms are normally trustworthy
– So it’s likely that exploitable bugs exist in atom handling code.
Open Handles
What are the interesting ones?
•Write-access handles that are shared with higher integrity
processes
•Handles that refer to higher integrity securable objects
•One of the first Protected Mode IE bypasses was a handle leak
–Handle was to a medium integrity process/thread object
–Handle was closed by a low integrity process
–Discovered by SkyWing
–Published in the Uninformed.org journal – volume 8.
•Wrote a tool, “Shandle”, to find these; it uses the GENERIC_MAPPINGs from before. (BSoD)
Kernel Object Type | Name (Kernel Space)
Directory          | \KnownDlls
WindowStation      | \Sessions\1\Windows\WindowStations\WinSta0
Desktop            | Default
Directory          | \Sessions\1\BaseNamedObjects
Section            | \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Section            | \BaseNamedObjects\windows_shell_global_counters
Section            | \Sessions\1\BaseNamedObjects\UrlZonesSM_Tom
Mutant             | \Sessions\1\BaseNamedObjects\ZonesCounterMutex
Mutant             | \Sessions\1\BaseNamedObjects\ZoneAttributeCacheCounterMutex
Mutant             | \Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
Mutant             | \Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
Mutant             | \Sessions\1\BaseNamedObjects\LRIEElevationPolicyMutex
Section            | \Sessions\1\BaseNamedObjects\LRIEElevationPolicy_
Open Handles
Do any provide elevation routes?
• Already discussed :-
– \Sessions\1\Windows\WindowStations\WinSta0
– Default
– \Sessions\1\BaseNamedObjects
•We have FILE_ADD_FILE access to \KnownDlls
– Is this exploitable?
• Interesting Attack Surface :-
– \Sessions\1\BaseNamedObjects\LRIEElevationPolicyMutex
– \Sessions\1\BaseNamedObjects\LRIEElevationPolicy_
• IE extensions provide new options.
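The handle triage the two "Open Handles" slides describe (flag write-access handles to objects above the process's own integrity level, and note any handle that refers to a higher-integrity object), as an added Python example; this is not the "Shandle" tool from the talk. The input is a constructed snapshot in the shape a handle enumerator would give (NtQuerySystemInformation plus NtQueryObject, or a Process Hacker / handle.exe export). The object names follow the handle table above, but the access masks and integrity labels in the sample are made up; the per-type write bits are the object-specific rights from winnt.h / ntifs.h.

```python
"""Triage of a Low Integrity process's open handles for elevation candidates.

Added example, not the Shandle tool from the talk. A handle is reported as
"write-up" when it grants write access to an object above the process's own
integrity level, and as "read-up" when it merely refers to such an object.
The sample handle table below is constructed: names follow the slides, the
access masks and object labels are invented for the example.
"""
from dataclasses import dataclass

LOW_IL, MEDIUM_IL, HIGH_IL, SYSTEM_IL = 0x1000, 0x2000, 0x3000, 0x4000
DELETE, WRITE_DAC, WRITE_OWNER = 0x10000, 0x40000, 0x80000

# Object-specific rights that let a holder change the object rather than read it.
TYPE_WRITE_BITS = {
    "Directory": 0x4 | 0x8,       # DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY
    "Section": 0x2,               # SECTION_MAP_WRITE
    "Mutant": 0x0,                # no object-specific write right (cf. the mutex anomaly)
    "WindowStation": 0x8 | 0x10,  # WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES
    "Desktop": 0x2 | 0x80,        # DESKTOP_CREATEWINDOW | DESKTOP_WRITEOBJECTS
}


@dataclass(frozen=True)
class Handle:
    obj_type: str
    name: str
    granted_access: int
    object_il: int


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str   # "write-up" or "read-up"
    detail: str


def triage(process_il: int, handles: list) -> list:
    """Return one Finding per handle that crosses the process's integrity level upwards."""
    findings = []
    for h in handles:
        if h.object_il <= process_il:
            continue  # same or lower integrity: no "up" crossing to report
        # Standard write rights (re-ACL, take ownership, delete) count for every type.
        write_bits = TYPE_WRITE_BITS.get(h.obj_type, 0) | WRITE_DAC | WRITE_OWNER | DELETE
        hit = h.granted_access & write_bits
        if hit:
            findings.append(Finding(h.name, "write-up",
                            f"{h.obj_type} at IL 0x{h.object_il:04x} held with write bits 0x{hit:x}"))
        else:
            findings.append(Finding(h.name, "read-up",
                            f"{h.obj_type} at IL 0x{h.object_il:04x} held with access 0x{h.granted_access:x}"))
    return findings


# Constructed snapshot for a Low IL tab process (masks and labels are invented).
SAMPLE_HANDLES = [
    Handle("Directory", r"\KnownDlls", 0x0003, SYSTEM_IL),                                         # QUERY | TRAVERSE
    Handle("Section", r"\Sessions\1\BaseNamedObjects\LRIEElevationPolicy_", 0x0007, MEDIUM_IL),    # QUERY | MAP_WRITE | MAP_READ
    Handle("Mutant", r"\Sessions\1\BaseNamedObjects\LRIEElevationPolicyMutex", 0x1F0001, MEDIUM_IL),  # MUTANT_ALL_ACCESS
    Handle("Section", r"\Sessions\1\BaseNamedObjects\UrlZonesSM_Tom", 0x0004, MEDIUM_IL),          # MAP_READ
    Handle("Mutant", r"\Sessions\1\BaseNamedObjects\ZonesCounterMutex", 0x100001, LOW_IL),         # SYNCHRONIZE | QUERY_STATE
]


if __name__ == "__main__":
    for f in triage(LOW_IL, SAMPLE_HANDLES):
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

Run against the sample, the two LRIE elevation-policy objects come out as "write-up" (the section through SECTION_MAP_WRITE, the mutant through the WRITE_DAC / WRITE_OWNER / DELETE bits in MUTANT_ALL_ACCESS), KnownDlls and the UrlZones section as "read-up", and the Low IL ZonesCounterMutex is skipped. The ordering of the report is the ordering of the handle table, so the same snapshot taken from a Medium IL process reports only the SYSTEM-labelled KnownDlls directory.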
Other Attack Vectors...
• IE Zone Elevations...
– Local
– Remote
– XSS
•Via Clipboard (part of WinSta0)
• File Reads
– Session Cookies written to disk?
– Files containing credentials etc.
• Trusted Broker Attacks
– Malicious Command Lines to Auto-elevate brokers.
– Vulnerabilities in Low Integrity Interfaces.
How To Escape From Protected Mode IE
The harder way
How To Escape From Protected Mode IE
Step By Step
1) Browser visits web server (1) on a domain-joined workstation.
2) IE exploited using exploit A.
3) The payload binds a web server (2) to the loopback interface.
4) The payload navigates to the webpage hosted by web server (2).
5) IE exploited using exploit A.
6) Payload has full privileges of the user!
The Exploit Re-Use Problem
•Design Flaw
•We can use the same exploit twice to bypass Protected
Mode IE.
•Exploits == $Money.
•Exploit Mitigation Mechanisms should materially raise the
cost of successful exploitation.
•No estimated fix release date from MS.
How To Escape From Protected Mode IE
The easier way
•Embed malicious site in the IFRAME of a trusted site.
•Protected Mode is determined by outermost frame.
•Exploit payload will run at Medium Integrity.
•Assuming Adobe Shockwave is installed…
How To Escape From Protected Mode IE
The easy way
•The design of PMIE has exposed new attack surface between applications running in the same session.
Conclusions
• Protected Mode IE currently provides relatively little in terms of
additional assurance against memory corruption attacks.
– Too many options for elevating Integrity Level.
– New attack surface that didn’t previously exist
•Security features should clearly state what guarantees they are
making
– In this case, the claims are unclear.
•But ultimately should bypassing PMIE be considered a
vulnerability? MS say no (It’s not a “security boundary”)
– Is it reasonable to think that Protected Mode would make you a lot
safer?
Protected Mode
The Saga Continues...
•Protected Mode Adobe Reader is due out November 2010
•Protected Mode Microsoft Office is already available
•Google Chrome uses Practical Sandboxing
•If Microsoft are unwilling to consider PMIE a security boundary,
what does this mean for other products based on similar
techniques?
More Information
•A fully referenced technical whitepaper is available from:
– http://.???
•Questions/Comments/Corrections/Flames to:
– Email: tom.keetch @ uk.verizonbusiness.com
– Twitter: @tkeetch
Bonus Slide

 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 

Hack.Lu 2010 - Escaping Protected Mode Internet Explorer

  • 1. © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
    Escaping from Protected Mode Internet Explorer
    Tom Keetch, Application Security Specialist, Threat & Vulnerability Management EMEA
  • 2. Introduction: Outline
    • What is Protected Mode Internet Explorer?
    • The Design of Protected Mode Internet Explorer
    • Mandatory Integrity Control / Integrity Levels
    • Attack Patterns and Bypassing the feature
    • Impact on Adobe Reader, Google Chrome & Microsoft Office
  • 3. Protected Mode Internet Explorer: Introduction
    • Feature introduced in Internet Explorer 7
    • Requires Windows Vista and later OS.
    • Uses Mandatory Integrity Control
      – a.k.a “Integrity Levels”
    • According to Microsoft, this mechanism “significantly reduces the ability of an attack [against IE] to write, alter or destroy data on the user’s machine”.
    • Mitigates 0-day attacks against IE.
    • Based on “Practical Sandboxing” technology.
  • 4. Protected Mode Internet Explorer: Introduction
    “The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code that code would be severely limited in what it could do.” – IEBlog (2006)
  • 5. Protected Mode Internet Explorer: Introduction
    “What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by [the ANI] vulnerability.” – ZDNet (2007)
  • 6. “[Protected Mode is not a security Boundary]” – Mark Russinovich (Windows Security Boundaries)
  • 7. What’s a “Security Boundary”?
    • Microsoft Terminology
    • A security boundary is a separation between distinct privilege levels which can enforce a security policy. Any security holes within this boundary will be patched within the monthly update cycle.
    • E.g. A web server cannot execute arbitrary code on the client without informed consent.
  • 8. Protected Mode Internet Explorer: Introduction
    • Unclear exactly how much PMIE protects users from remote code execution attacks.
    • This research set out to make this clear....
  • 9. Protected Mode Internet Explorer: When is it enabled?
    • UAC must be enabled
    • Protected Mode is a per-zone setting
    • Current default settings :-

      IE Zone                Protected Mode?
      Trusted Internet Zone  No
      Local Intranet Zone*   No**
      Internet Zone          Yes
      Restricted Sites       Yes
      Local Computer Zone    No

      * Enabled by Default in domain-joined workstation
      ** Previously enabled by default.
  • 10. Protected Mode Internet Explorer: Design
  • 11. Protected Mode Internet Explorer: Design
    • IE Processes can run at different Integrity levels
      – Un-trusted tabs at Low Integrity
      – Trusted tabs at Medium/High integrity.
      – In IE 7, trusted and un-trusted tabs appeared in different windows.
    • Compatibility shim part of Low Rights IE (LRIE)
      – Redirects requests for privileged operations to broker.
      – Re-directs file and registry access.
    • Loosely-Coupled IE (LCIE) in IE8
      – Trusted and un-trusted tabs in same window
    • Elevating Low -> Medium will bypass PMIE.
  • 12. Protected Mode Internet Explorer: Broker Interface
    • Available to callers at all integrity levels in user session.
    • Implemented using Local Procedure Calls (LPC)
    • Privileged operations require either:
      – User consent, OR
      – To be authorised by the Elevation Policy.
    • Allows Low Integrity Processes to:
      – Launch new processes at Low or Medium Integrity
      – Create new tabs/windows
      – Save files in User folders marked Medium Integrity
  • 13. Protected Mode Internet Explorer: Elevation Policy
    • SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
    • Policy value (DWORD) and its effect:
      – 3: Protected Mode silently launches the broker as a medium integrity process (example: Winword.exe)
      – 2: Protected Mode prompts the user for permission to launch the process. If permission is granted, the process is launched as a medium integrity process (example: all other processes)
      – 1: Protected Mode silently launches the broker as a low integrity process (example: iexplore.exe)
      – 0: Protected Mode prevents the process from launching (example: cmd.exe)
  • 14. Protected Mode Internet Explorer: Trusted Brokers
    • Auto-elevating processes are of particular interest
      – Potential elevation routes
      – Low -> Medium Integrity
    • Compare with UAC
      – Medium -> High Integrity
    • “Trusted Brokers” used by IE and IE extensions to complete trusted operations
    • What about Low -> High Integrity via UAC?
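An added example for reviewing the elevation policy from slide 13 (not code from the talk): it parses a regedit .reg export of the ElevationPolicy key and lists which applications a Low Integrity IE process can launch and how, with the Policy 3 entries (silent launch at Medium Integrity, the auto-elevating brokers slide 14 singles out) reported separately. The GUID subkeys and the AppName, AppPath and Policy value names follow Microsoft's documented layout for this key; the sample export, its GUIDs and its paths are constructed.

```python
"""Audit of the PMIE elevation policy key (added example, not code from the talk).

Parses a regedit .reg export of the ElevationPolicy key from slide 13 and reports
which applications a Low Integrity IE process can launch, and how. The sample
export is constructed; its GUIDs and paths are placeholders."""
import re

POLICY_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\"

# Meaning of each Policy DWORD, as tabulated on slide 13.
POLICY_MEANING = {
    3: "silently launched at Medium Integrity",
    2: "user prompted, launched at Medium Integrity if permitted",
    1: "silently launched at Low Integrity",
    0: "launch prevented",
}

# Constructed sample export (.reg format doubles backslashes inside REG_SZ values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}]
"AppName"="winword.exe"
"AppPath"="C:\\Program Files\\Microsoft Office\\Office12"
"Policy"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000002}]
"AppName"="iexplore.exe"
"AppPath"="C:\\Program Files\\Internet Explorer"
"Policy"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000003}]
"AppName"="cmd.exe"
"AppPath"="C:\\Windows\\System32"
"Policy"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Unrelated]
"Policy"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

def decode_value(data):
    """Decode one .reg value: dword:XXXXXXXX to int, "..." to str with escapes removed."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data

def parse_elevation_policy(reg_text):
    """Return {guid: {value_name: value}} for subkeys under ElevationPolicy; other keys are ignored."""
    entries, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            in_scope = name.upper().startswith(POLICY_ROOT.upper())
            current = name[len(POLICY_ROOT):] if in_scope else None
            if in_scope:
                entries[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            entries[current][value.group(1)] = decode_value(value.group(2))
    return entries

def audit_elevation_policy(reg_text):
    """Rows of (AppName, AppPath, Policy, meaning), most permissive entries first."""
    rows = []
    for values in parse_elevation_policy(reg_text).values():
        policy = values.get("Policy")
        meaning = POLICY_MEANING.get(policy, "unknown policy value")
        rows.append((values.get("AppName", "?"), values.get("AppPath", "?"), policy, meaning))
    return sorted(rows, key=lambda r: (r[2] is None, -(r[2] or 0)))

def silent_medium_launchers(reg_text):
    """Applications a Low IL process may start at Medium IL with no prompt (Policy 3)."""
    return [app for app, _, policy, _ in audit_elevation_policy(reg_text) if policy == 3]
```

On a real workstation the input would be `reg export` output of the key above; every application returned by silent_medium_launchers is one whose command-line handling is reachable from a compromised Low Integrity tab.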
  • 15. Protected Mode Internet Explorer: UAC Elevation from Low Integrity
    • PMIE Elevations do not allow the current working directory (CWD) of the elevated process to be set.
    • Allowing this exposes DLL-Load hijacking attacks.
      – DLLs are frequently loaded from the CWD.
      – Possibility of tricking launched process into loading a malicious DLL.
    • But CWD can be set for UAC elevations.
      – Such elevations are possible from Low Integrity processes.
      – As the next slide shows....
      – A UAC bypass will also bypass Protected Mode. (Low->High)
  • 16. Protected Mode Internet Explorer: UAC Elevation from Low Integrity
  • 17. Protected Mode Internet Explorer: Compatibility Shim
    • 2 different hooking mechanisms
    • IE Broker Shim
      – iebrshim.dll
      – Redirects process launch requests to broker
    • Application Compatibility shims
      – AcLayers.dll
      – AcRedir.dll
      – Redirect registry and file access to low integrity locations
  • 18. Protected Mode Internet Explorer: Compatibility Shim
    • User mode hooking is implemented within the same virtual address space
      – Therefore arbitrary code executing in a hooked process can ignore hooking policy.
      – User mode hooking is a compatibility feature...
      – Many pre-existing IE extensions can continue to work without modification.
    • But this shim can protect against some attacks.
      – E.g. Arbitrary file read/write vulnerabilities in In-Process extensions.
  • 19. Mandatory Access Control
    • Mandatory Access Control
      – Under control of the operating system (mandatory)
      – e.g. Mandatory Integrity Control, SE Linux.
    • Discretionary Access Control
      – At the discretion of the resource owner
      – e.g. Users and Groups
    • First Mandatory, then Discretionary access check.
  • 20. Mandatory Integrity Control
    • Introduces the concept of a less-trusted process.

      Integrity Level (IL)  Numeric Value  Example
      Un-trusted            0x0000h        Anonymous Sessions
      Low                   0x1000h        Protected Mode IE
      Medium (Default)      0x2000h        Normal User, Un-elevated Super-Users
      High                  0x3000h        Super-Users (including Admin)
      System                0x4000h        All services
      Protected             0x5000h        DRM Processes
  • 21. Mandatory Integrity Control
    • Every securable object has an integrity level.
      – And one or more “mandatory labels”
    • Policies are defined in terms of generic access rights. GENERIC_MAPPINGs define how policy applies to object specific access rights.

      Label          Applied by Default to..
      No Write Up    Files, Processes, Synchronisation objects, ...
      No Read Up     Processes
      No Execute Up  Out of Process COM servers
  • 22. Mandatory Integrity Control: winnt.h on GENERIC_MAPPINGs

      #define GENERIC_READ    (0x80000000L)
      #define GENERIC_WRITE   (0x40000000L)
      #define GENERIC_EXECUTE (0x20000000L)
      #define GENERIC_ALL     (0x10000000L)

      // Define the generic mapping array. This is used to denote the
      // mapping of each generic access right to a specific access mask.
      typedef struct _GENERIC_MAPPING {
          ACCESS_MASK GenericRead;
          ACCESS_MASK GenericWrite;
          ACCESS_MASK GenericExecute;
          ACCESS_MASK GenericAll;
      } GENERIC_MAPPING;
      typedef GENERIC_MAPPING *PGENERIC_MAPPING;
  • 23. Mandatory Integrity Control: No Write Up
    • This policy gives us the feature’s informal name “Integrity Levels”
    • Processes are unable to modify higher integrity objects
      – Including other processes
    • Low IL processes can only write to designated files and registry keys
      – Prevent drive-by downloads from installing malware
      – Maintain the integrity of the machine
  • 24. Mandatory Integrity Control: No Read Up
    • Maintains confidentiality.
    • Applied only to processes by default.
    • ReadProcessMemory() and WriteProcessMemory() are denied on higher integrity processes.
  • 25. Mandatory Integrity Control: No Execute Up
    • COM is “Integrity-Aware”
    • By default out-of-process COM objects are marked as “No Execute Up”.
    • Otherwise Low Integrity objects could get COM objects to perform actions on their behalf.
  • 26. Mandatory Integrity Control: Protected Mode Internet Explorer
    • The browser process runs at Low Integrity
    • The user’s files are Medium Integrity
    • Files/Registry are marked No Write Up
    • Therefore a compromised IE process can read (and steal), but not write, alter or delete user files.
    • But what else can a low integrity process do?
  • 27. Generic Mappings: Some Points of Interest
    • Low IL processes can:
      – Enumerate and Terminate higher integrity processes
      – Be notified when threads/processes terminate
      – Hold (and abandon) a higher integrity mutex
    • There are also a couple of anomalies:
      – Requesting “no-access” to a ↑IL file succeeds
      – GENERIC_WRITE access to a ↑IL Mutex is allowed
    • Registry “Symlink attacks” are possible
      – Registry Symlinks can point to higher integrity registry keys
    • These mappings will be useful later on...
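An added model (not code from the talk, and not the kernel's implementation) of the check slides 21 and 22 describe and the anomalies slide 27 lists: generic rights are expanded through a GENERIC_MAPPING and the mandatory label policy is applied only when the caller sits below the object's integrity level. The winnt.h constants, the file and mutant generic mappings and the generic-to-specific expansion are real values; the rule for which specific rights count as write, read or execute under the policy is a simplifying assumption made here, chosen because it reproduces slide 27's observations (a no-access request succeeds, GENERIC_WRITE on a higher IL mutex is allowed). The DACL check that follows a successful mandatory check is not modelled.

```python
"""Model of the Mandatory Integrity Control access check (added example, not from the talk).

Real values: winnt.h GENERIC_* rights, the SYSTEM_MANDATORY_LABEL_* policy flags, the
file and mutant generic mappings and the RtlMapGenericMask-style expansion.
Assumption: a specific right counts as write/read/execute for the mandatory policy
only when it is exclusive to that generic mapping (see policy_masks). Standard
rights such as DELETE and WRITE_DAC, and the DACL check that follows, are not modelled."""
from dataclasses import dataclass

# Generic access rights (winnt.h, as quoted on slide 22).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000

# Integrity levels (RIDs of the mandatory label SIDs), as tabulated on slide 20.
IL_UNTRUSTED, IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000

# Mandatory label policy flags (winnt.h SYSTEM_MANDATORY_LABEL_NO_*_UP).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class GenericMapping:
    """Mirror of the winnt.h GENERIC_MAPPING struct."""
    generic_read: int
    generic_write: int
    generic_execute: int
    generic_all: int


# File objects: FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS (winnt.h).
FILE_MAPPING = GenericMapping(0x00120089, 0x00120116, 0x001200A0, 0x001F01FF)
# Mutant objects: GenericWrite is only STANDARD_RIGHTS_WRITE (READ_CONTROL),
# a bit that GenericRead also contains, so no right is exclusively "write".
MUTANT_MAPPING = GenericMapping(0x00020001, 0x00020000, 0x00120000, 0x001F0001)


def map_generic_mask(desired: int, mapping: GenericMapping) -> int:
    """Expand GENERIC_* bits into object-specific rights (what RtlMapGenericMask does)."""
    specific = desired & 0x0FFFFFFF  # keep specific/standard bits already present
    if desired & GENERIC_READ:
        specific |= mapping.generic_read
    if desired & GENERIC_WRITE:
        specific |= mapping.generic_write
    if desired & GENERIC_EXECUTE:
        specific |= mapping.generic_execute
    if desired & GENERIC_ALL:
        specific |= mapping.generic_all
    return specific


def policy_masks(mapping: GenericMapping):
    """(write, read, execute) rights the mandatory policy acts on (model assumption):
    a right belongs to a category only if it is exclusive to that generic mapping, so
    shared standard rights such as READ_CONTROL or SYNCHRONIZE never trigger a denial."""
    r, w, x = mapping.generic_read, mapping.generic_write, mapping.generic_execute
    return w & ~(r | x), r & ~(w | x), x & ~(r | w)


def mandatory_check(subject_il, object_il, label_policy, desired, mapping):
    """Return (allowed, denied_bits) for the mandatory integrity check only.

    A subject at or above the object's integrity level is never constrained by MIC;
    slide 19's discretionary check would run next on success."""
    if subject_il >= object_il:
        return True, 0
    specific = map_generic_mask(desired, mapping)
    write_mask, read_mask, exec_mask = policy_masks(mapping)
    denied = 0
    if label_policy & NO_WRITE_UP:
        denied |= specific & write_mask
    if label_policy & NO_READ_UP:
        denied |= specific & read_mask
    if label_policy & NO_EXECUTE_UP:
        denied |= specific & exec_mask
    return denied == 0, denied
```

With a Low IL subject and a Medium IL file labelled No Write Up, GENERIC_READ passes and GENERIC_WRITE is denied on the FILE_WRITE_* bits, a desired mask of 0 passes (the "no-access" anomaly), and GENERIC_WRITE on a mutant passes because the mutant mapping has no write-only rights.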
  • 28. Mandatory Integrity Control: Applicability to object types
    • All SE_KERNEL_OBJECTs are subject to MIC
      – But not all objects are SE_KERNEL_OBJECTs
    • What’s not subject to MIC?
      – Sockets
      – Services
      – Base Named Object (BNO) namespace
      – Kernel interfaces (IOCTLs)
      – Remote Procedure Calls
      – ...
    • Also, open handles!
      – Access check has already happened.
  • 29. Sockets
    • Processes can bind to any port, regardless of Integrity Level
    • The Windows XP Firewall cannot prevent Low IL servers either.
    • In a Windows Vista Beta release, SMB loopback was used to bypass UAC.
      – \\localhost\c$...
      – Fixed in final release.
    • Use loopback-bound servers to elevate privilege?
      – E.g. SSDP bound to 127.0.0.1 by default.
  • 30. Services
    • The Service Control Manager is not “Integrity-Aware” like the COM subsystem
    • But discretionary access control still applies.
      – No privileged groups enabled in a Low/Medium Integrity Access Token
      – Privileged groups are only enabled in the High-Integrity “Linked Token”
      – This is functionality implemented by UAC
    • However, weak service ACLs may still be exploitable from Low IL.
  • 31. Base Named Object Namespace
    • This is where securable (named) objects are created
    • Mandatory Integrity Control doesn’t apply here either.
      – Namespace squatting attacks?
    • This was given as one of two main reasons why Protected Mode was not a “security boundary” by Mark Russinovich
      – The other was UI overlay attacks
      – Required user intervention / “social engineering”
    • Candidate for good PMIE bypass methods
  • 32. Window Stations & Desktops
    • Both are objects of type SE_WINDOW_OBJECT
      – Not SE_KERNEL_OBJECT
    • Also, every interactive process has handles to:
      – Winsta0 – default window station for session
      – The “Default” desktop – shared with other interactive processes.
    • Sharing a desktop allows UI spoofing attacks
      – Known limitation of PMIE.
    • Sharing a Window Station allows other attacks!
  • 33. Window Stations & Desktops: Window Station Attack Surface
    • Another example is the Global Atom Table
      – Contains strings and Integers
      – Primitive form of Inter-Process Communication.
    • Created a dumb Atom Table fuzzer running at Low Integrity
      – NULL dereference in Process Explorer (running at High Integrity)
      – Internet Explorer’s UI got mangled, but no crashes.
    • Dynamic Data Exchange (DDE) IPC uses Global Atoms
      – So a smarter fuzzer might find more interesting bugs.
      – Global Atoms are normally trustworthy
      – So it’s likely that exploitable bugs exist in atom handling code.
  • 34. Open Handles: What are the interesting ones?
    • Write-access handles that are shared with higher integrity processes
    • Handles that refer to higher integrity securable objects
    • One of the first Protected Mode IE bypasses was a handle leak
      – Handle was to a medium integrity process/thread object
      – Handle was closed by a low integrity process
      – Discovered by SkyWing
      – Published in the Uninformed.org journal – volume 8.
    • Wrote a tool “Shandle” to find these which uses GENERIC_MAPPINGs from before. (BSoD)
  • 35.
      Kernel Object Type  Name (Kernel Space)
      Directory           \KnownDlls
      WindowStation       \Sessions\1\Windows\WindowStations\WinSta0
      Desktop             Default
      Directory           \Sessions\1\BaseNamedObjects
      Section             \Sessions\1\BaseNamedObjects\windows_shell_global_counters
      Section             \BaseNamedObjects\windows_shell_global_counters
      Section             \Sessions\1\BaseNamedObjects\UrlZonesSM_Tom
      Mutant              \Sessions\1\BaseNamedObjects\ZonesCounterMutex
      Mutant              \Sessions\1\BaseNamedObjects\ZoneAttributeCacheCounterMutex
      Mutant              \Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
      Mutant              \Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
      Mutant              \Sessions\1\BaseNamedObjects\LRIEElevationPolicyMutex
      Section             \Sessions\1\BaseNamedObjects\LRIEElevationPolicy_
  • 36. Open Handles: Do any provide elevation routes?
    • Already discussed :-
      – \Sessions\1\Windows\WindowStations\WinSta0
      – Default
      – \Sessions\1\BaseNamedObjects
    • We have FILE_ADD_FILE access to \KnownDlls
      – Is this exploitable?
    • Interesting Attack Surface :-
      – \Sessions\1\BaseNamedObjects\LRIEElevationPolicyMutex
      – \Sessions\1\BaseNamedObjects\LRIEElevationPolicy_
    • IE extensions provide new options.
  • 37.
  • 38. Other Attack Vectors...
    • IE Zone Elevations...
      – Local
      – Remote
      – XSS
    • Via Clipboard (part of WinSta0)
    • File Reads
      – Session Cookies written to disk?
      – Files containing credentials etc.
    • Trusted Broker Attacks
      – Malicious Command Lines to Auto-elevate brokers.
      – Vulnerabilities in Low Integrity Interfaces.
  • 39. How To Escape From Protected Mode IE: The harder way
  • 40. How To Escape From Protected Mode IE: Step By Step
    1) Browser visits web server (1) on a domain joined workstation.
    2) IE exploited using exploit A.
    3) The payload binds a web server (2) to loopback interface.
    4) The payload navigates to webpage hosted by web server (2).
    5) IE exploited using exploit A.
    6) Payload has full privileges of the user!
  • 41. The Exploit Re-Use Problem
    • Design Flaw
    • We can use the same exploit twice to bypass Protected Mode IE.
    • Exploits == $Money.
    • Exploit Mitigation Mechanisms should materially raise the cost of successful exploitation.
    • No estimated fix release date from MS.
  • 42. How To Escape From Protected Mode IE: The easier way
    • Embed malicious site in the IFRAME of a trusted site.
    • Protected Mode is determined by outermost frame.
    • Exploit payload will run at Medium Integrity.
  • 43. How To Escape From Protected Mode IE: The easy way
    • Assuming Adobe Shockwave is installed…
    • The design of PMIE has exposed new attack surface between applications in the same session.
  • 44. Conclusions
    • Protected Mode IE currently provides relatively little in terms of additional assurance against memory corruption attacks.
      – Too many options for elevating Integrity Level.
      – New attack surface that didn’t previously exist
    • Security features should clearly state what guarantees they are making
      – In this case, the claims are unclear.
    • But ultimately should bypassing PMIE be considered a vulnerability? MS say no (It’s not a “security boundary”)
      – Is it reasonable to think that Protected Mode would make you a lot safer?
  • 45. Protected Mode: The Saga Continues...
    • Protected Mode Adobe Reader is due out November 2010
    • Protected Mode Microsoft Office is already available
    • Google Chrome uses Practical Sandboxing
    • If Microsoft are unwilling to consider PMIE a security boundary, what does this mean for other products based on similar techniques?
  • 46. More Information
    • A fully referenced technical whitepaper is available from:
      – http://.???
    • Questions/Comments/Corrections/Flames to:
      – Email: tom.keetch @ uk.verizonbusiness.com
      – Twitter: @tkeetch