How might I get infected....?

...if I only run Firefox with NoScript plugin on a Windows XP SP3 limited account behind a firewalled router?

That's all; no antivirus, no HIPS, no SRP, and no sandboxing. It's not a trick question, nor meant to be a joke. I'm only looking for any and all possible methods of how this setup could be compromised.

BTW, with NoScript I would only allow top level domains, while the rest I would select individually to render the web pages as I see fit.

 

- PDF exploits
- Document exploits
- Exploits in multimedia files
- Trojan executables that looked safe
- Plugin or JS exploits on trusted pages
- Network attacks against the Windows firewall itself
- Good old social engineering
- Any combination thereof

 

Adding sandboxie would perhaps mitigate a lot of risks.

 

+infection from USB or network shares.

 

With everything updated, of course you should always be very fine. Or is this about after XP updates stop?

Even without scripts (or controlled scripts), there can be other vulnerabilities to be exploited before a fix is available (or you applying it). In any case, those exploits can do stuff to your personal files, etc., even with a limited account (malware, startup stuff, Cryptolocker, etc.). THAT is why I feel that an Admin account is actually safer, when using dropped rights (easy via SRP) for everything you can (so it's obviously like running in limited account). ALL existing personal files ONLY have Administrators group write permission, so they can't be touched by anything with dropped rights, although new files can still be created/modified until they get owner/permissions changed to be like "existing" files. Just to share my thinking... No control over personal files like that with limited account/UAC.

Otherwise, those same browser (or flash, PDF viewer, ...) exploits can take advantage of an elevation-of-privilege Windows vulnerability.


Outside of those obvious program-based holes, there's the direct remote kernel exploits. The most obvious, and too-often-patched, is the fonts stuff! Can custom font downloading be disabled in Firefox, I guess? That should take care of that problem. But then there's also been the graphics/image exploits a few times these last years. In that case, any image you load online could compromise the whole system!


These are the scenarios I'm always considering for after April... Well, the kernel stuff. I'm not at all concerned about program-specific exploits (non-elevating) since Sandboxie contains them easily. (Even dropped rights + SRP should handle them fairly well.)

 

Thank you for these suggestions. So how do I address the following?:

- I could disable autorun for external media

as for the Sandboxie suggestion, thanks but I want to keep that out of the equation at least for now.

So far as I can see, there is nothing that would automatically infect this setup if I implement the measures I suggest above?

 

Besides autorun, we've had 2 updates this year where just plugging in USB drives/devices can exploit Windows. Nothing to "run" in the traditional sense.

The remote kernel stuff! Nothing you can do about graphics system, at least, if you can't update Windows.

 

Wow! You've opened up a whole can of worms. "Food for thought", so to speak

i suppose with XP in current state, all updates applied.

I never thought of this approach before. interesting. However, I can't consider this in my scenario because the fictional setup would be XP Home verion, or whatever the basic version is called. How about all sensitive files stored on in the administrative accounts directories, but all activities still run from the lua account?

Right, so as I suggested in my above post, I download these files scan, then open in a dedicated program for viewing?

Good question! I'm not sure either. A bit of a challenge to be sure.

Another big challenge! I suppose NS could stop this but I always allow images by default. I need to gain an understanding of this type exploit before I can comment further on it

So it seems remote kernel exploits would likely be the biggest concern for XP users after support ends? the font and image exploits you mention above might be amongst the toughest to defend against?

*EDIT*

I didn't know about those, thanks!

Got it! Thanks again

 

GJ covered the good stuff.

You're behind a router, so I'll just hack that. You're probably running default firmware, which means there are plenty of backdoors and unpatched vulnerabilities.

You're going to scan ever .doc to see if it's a virus? I'll just attack the antivirus - I love root processes reading my malicious files through complex heuristic processes.

And, to repeat, font exploits/ scriptless attacks.

 

Run exactly same set up until I got infected from a USB.

 

@Hungry Man, I rather doubt anyone would go to the effort of finding a zero-day in an antivirus just to get at some random person. Also you might want to change the wording there... Just saying.

I think a more likely route would be to bypass the AV entirely, by using some kind of runtime compression. e.g. I recently received a malware specimen that was detected by maybe 5 of the AVs on VirusTotal, and it was using an open source compression algorithm. It did all kinds of nasty stuff when I ran it through Anubis.

 

Just to be clear, I'm not actually suggesting to secure XP with NoScript and LUA only. I'm trying to determine what this starting point can address then build from there.

BTW, how does one attack an on-demand AV used only to scan downloaded files? I'm not looking to argue, only asking a valid question.

 

Understood, I also do this kind of thought experiment... Probably way too much actually.

The key thing here is that any kind of complex input parsing may be subject to vulnerabilities. Anything that processes arbitrary input - be it a firewall scanning packets, a word processor reading XML files, or an antivirus reading unknown binaries - may be subject to compromise through that input.

(In fact, Metasploit's exploit database has some examples of this - files that are malformed in just the right way to cause arbitrary code execution in certain AV engines. Most of them are rather old though.)

 

@GJ,

Yes, they might ban me again lol

I often wonder how much work would be involved in exploiting an AV. Very little, I'd imagine, depending on the product.

Bypassing AV is, as ever, easy. But exploiting is more fun.


@Wat,

When it scans the file it's taking in attacker controlled data. That's all that's needed. It's not as automated as a realtime AV, you'd still have to initiate the scan.

 

Okay, even though the file is just sitting static in the directory? how can it do any harm if it's not opened?

 

I actually wouldn't be surprised if AV developers have thought of this, and worked around it to some extent.

e.g. how difficult would it be to make a heuristics engine use the Chrome chroot trick?
- The driver that allows access to files, etc. runs in kernel mode, and copies data into the engine's sandbox.
- The engine runs in user mode, as root. The function handling actual malware analysis chroots into an empty directory as a sandbox, and then drops root privileges.
- When the code is done being analyzed, the function returns some small structure containing the results of the analysis.

Or something equivalent, you get the idea. Probably still vulnerable in theory, but in practice I think it would be much harder to attack.

 

It's not sitting static, and has in fact just been opened. The AV has to read the file into memory and run operations of some sort on it.

(If the file were an item of mail, the antivirus wouldn't be an X-ray machine; it would be some government employee in a hazmat suit opening the mail, checking it, and resealing it. In all likelihood both the letter and the suit are okay. But if the letter does contain something nasty, and the suit has a tear in it, you've got a problem.)

 

Wow I have to admit having no idea about this I was always under the impression the antivirus when used on-demand simply "inspected" the downloaded file's code, without having to actually open it in the process.

 

It doesn't have to "open" the file in the same way that e.g. a word processor would; in that sense, no, it's not opening the file. However, it is reading it (or parts of it) into memory, and it is running functions on the data.

If the data is maliciously crafted with knowledge of the nature of the AV scanning it, then yes, the AV could be fooled into executing arbitrary code.

I will again point out, though, that there are not many ITW examples of this.

 

Excellent description, thanks!

 

@Ronjor,

"Work smart, not hard" - perhaps the industry could benefit from observing that phrase a bit more.

@Wat,

Like GJ explained, it's reading in the file and performing analysis on it. That's complicated enough for it to be exploitable.

 

*Possibly* exploitable. But c.f. the lack of current exploits focusing on AVs, and also what I said above re sandboxing.

 

Yes, AV could be written with a much more powerful architecture, but there's some weird dissonance with AV's. On the one hand, their products are absolute **** and most people are laughing at them. On the other hand, they often have smart researchers and decent analysis, their backend research being incredibly interesting (I've seen incredible research from Mcafee devs).

I wouldn't really call it "possibly". There is no way to prove that it is exploitable, but it seems silly to assume that they aren't exploitable when they're complex programs dealing directly with attacker controlled content.