Java runs with different integrity level in Internet Explo. vs. low integrity Firefox

Discussion in 'other security issues & news' started by MrBrian, Feb 18, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    @m00nbl00d,

    okay, thanks for tips on chml.

    Maybe you are right. I dug through some of my pm's and I see Sully mentioned junction points, but those are actually present in both Vista and Win7, so I think I'm confusing that with integrity levels.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No problem.

    What you're mentioning is about the context menu, for which there is a limit on the number of entries there can be. Windows 7 works a bit differently, and it allows extra entries to be pulled in which would otherwise normally be hidden. (Sully can always clarify this, but that's how I remember it.)

    -edit-

    Actually, I believe it has to do with the fact that Windows doesn't always remember the same path, or something like that. I'm confused now. :D
     
  3. wat0114

    wat0114 Guest

    It's really confusing to me o_O

    BTW, I just put powerbroker back on the vm and maybe there's hope yet. I think setting low IL mostly causes problems, as it did with Firefox, so I tried something different:

    I set IL to medium, and then I set "Deny" on numerous privileges (I wasn't really sure what to choose, so I went with my instincts and chose a whole bunch that looked like candidates :D ) so I ran Firefox briefly in the VM's user account, then took a screenshot of the security tab, and it looks like it is at least, even though it's medium IL, maybe more restricted than it normally would be. See under the Process Explorer Security-> privilege tab. It looks to have fewer privileges than it normally would. Check out the shots and let me know what you think. MrBrian, please also comment.
     

    Attached Files:

  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    There is a difference in Cascading Context Menus as m00nbl00d suggests - actually win7 uses them and prior versions don't, at least not past the first cascade.

    I cannot recall right now as I have been really swamped with other concerns, but I did find some anomalies in directory/junctions on win7 vs. vista, which could potentially have an effect.

    Perhaps though of more concern to this thread is what happens when you declare an Integrity Level. chml and runasil offer more features than icacls, if you need them. But for basic usage such as changing an IL from Med to Low, any of them will work. To get the same effects that chml/runasil offer, you would need to either use secedit or do some fancy footwork with exactly how you go about using icacls along with renaming/moving/copying/deleting a specific file/folder. It is all about as clear as mud ;)

    Suffice to say that one can normally find the directory/file that needs to be "excluded", and modifying the IL of that object can achieve success. Tracking it down is another matter.

    I am curious though as to just what this exploit achieves in a typical UAC situation. If the shell is at Medium IL, and IE is in Protected Mode at Low IL, and Java is run at Medium IL, is the worry that there will be tampering with %userprofile% items? Without a way to trick the user into elevation to Admin via UAC, what is the payload doing in userland?

    Sul.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ wat0114

    If you'd like to understand a bit more about privileges:

    -http://msdn.microsoft.com/en-us/library/ms878695.aspx
    -http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I hope I'm understanding this exploit Java thing right; considering that Java runs with Medium level and the exploit is successful and installs malware in the system, why would there need to exist the UAC variant?
    Sure, if the attacker can get kernel access, that's great (not to us lol), but if all the attacker wants is to steal credentials and keep a low profile for as long as possible, why not? Mission accomplished, the way I see it.

    Someone else could shed a few more lights... as mine are about to go out... sleep time. :D
     
  7. wat0114

    wat0114 Guest

    Thanks m00nbl00d, there's a lot there to learn about but I doubt I'll dive into it too much for a while anyway. Since I have the vm I can experiment at will, trying different combinations of denied privileges to see what reduces the security impact of an application (in this case Firefox) without breaking its functionality. The selections I made actually do break it for displaying Flash items, so I'm not sure what needs to be granted. This could potentially be a powerful method in concert with other security measures like LUA and applocker/srp of reducing the rights of selected applications, especially Internet-facing apps, but I'm not sure how to set up the powerbroker policy for firefox.exe to achieve this. I'm not sure how MrBrian gets it to work at low IL, because that prevented Firefox from even launching when I tried it.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I checked out the privileges for firefox.exe on my real machine with Process Explorer. The only one enabled is SeChangeNotifyPrivilege. These four are disabled: SeIncreaseWorkingSetPrivilege, SeShutdownPrivilege, SeTimeZonePrivilege, and SeUnlockPrivilege.

    If you're going to run Firefox as low integrity, you first have to mark certain folders as low integrity. Did you do so? Then also, in the PowerBroker policy for firefox.exe, I'd probably check "Apply rule to all processes launched..."
     
  9. wat0114

    wat0114 Guest


    Thanks MrBrian. The last part I did do but I did not mark any folders with low IL (didn't know I had to :oops: ). I'll have a play again a bit later.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm wondering if Java running as medium integrity has the effect that encountering a Java exploit would allow malware to do things such as set itself up to autorun for the given user account, in effect bypassing the low integrity sandbox.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    One would imagine so. I haven't examined all the autorun keys to see what their ACEs are. I imagine though that the "user" has rights on most of them. Modifying the specific registry keys to be modified by an admin token would possibly eliminate many such issues. In this manner, a Low IL process such as IE could encounter a java exploit, and because java is running at Medium IL, it is allowed to, for example, modify registry locations that the "user" level token can access.

    Assuming that there are no prompts to trick the user into elevating via UAC, then "risky" registry keys would be read only for restricted tokens, and need the elevated token for modifications.

    I don't really get into this sort of thing normally. I like to let those who specialize in finding these things give the details, so maybe my direction is flawed.

    Sul.
     
  12. wat0114

    wat0114 Guest

    Well MrBrian, I've hit yet another brick wall with powerbroker. I did all that was recommended in the link but when I try to open Firefox I get a "Firefox is already running...." pop-up, then I hit okay to close but it was never running in the first place :( If you do try it sometime and it works for you, please do post what needs to be done.

    Thank you for your help.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why don't you try it with any one of the three tools I mentioned?
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That error message is mentioned here also.
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I feel very much tempted to suggest you ignore PowerBroker for the moment. On my setup, it seemed to have conflicts with Comodo Defense+. (or maybe a misconfiguration on my part...not yet confirmed) I think it probably has to do with the fact that both are running in kernel-mode. I don't know if it conflicts with Sandboxie (you may want to check if you're using both together).

    Anyway, you may want to try this. Copy and paste the following and save it as a CMD file. I named it "Set Protected Mode on Firefox.cmd".

    If you're running 2 accounts and using SuRun, then you may want to elevate the above file with SuRun so that it applies to the current user account....
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, it's more like this:

    Code:
    @echo off
    
    rem Run the browser and its plugin host at Low IL: a process started from a
    rem Low-labelled image gets a Low integrity token.
    icacls "%programfiles%\mozilla firefox\firefox.exe" /setintegritylevel low
    icacls "%programfiles%\Mozilla Firefox\plugin-container.exe" /setintegritylevel low
    icacls "%programfiles%\mozilla firefox" /setintegritylevel (OI)(CI)L /t
    
    rem Label the folders Firefox must write to as Low (OI/CI = inherited by files and
    rem subfolders); a Low-IL process is denied writes to Medium-labelled locations.
    icacls "%UserProfile%\appdata\local\mozilla" /setintegritylevel (OI)(CI)L /t
    icacls "%UserProfile%\appdata\local\temp" /setintegritylevel (OI)(CI)L /t
    icacls "%UserProfile%\appdata\roaming\mozilla" /setintegritylevel (OI)(CI)L /t
    ;)
     
  17. wat0114

    wat0114 Guest

    Thank you safeguy and m00nbl00d. I may try that in the vm, although it's not crucial I get it to work. It seems placing low IL on certain apps could cripple them somewhat, and cause other unexpected behaviour as well. Something tells me I should already be satisfied with the security mechanisms I already have in place, and leave well enough alone :)
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I found a malicious URL that, on both Internet Explorer (with Protected Mode on) and Google Chrome, seems to use a Java exploit to silently run malware and uses an autorun location to persist itself. Using Process Explorer, I observed that one of the Java processes launched the initial malware .exe. The test was done on a Windows 7 x64 virtual machine with nearly everything at default settings and that hasn't been updated in approximately 9 months. Java Runtime Environment v6 Update 12 x86 was used. The latest version of Google Chrome was used. The URL didn't seem to do anything malicious when Java wasn't installed. The URL also didn't seem to do anything malicious in either browser when a later Java Runtime Environment, v6 Update 20 x86, was used instead of v6 Update 12 x86.

    These results are not surprising to me, given the previous posts that indicated that the Java processes have medium integrity in these browsers.

    I didn't test low integrity Firefox running the Java processes as low integrity. I anticipate that one of these two scenarios would occur (assuming that no anti-execution software is being used, realtime antivirus doesn't flag the malware executable, etc.):
    Scenario 1: Malware .exe downloads to a low integrity location and runs, but can't persist after reboot because low integrity Java cannot write to autoruns locations (unless one has manually made autoruns locations have low integrity).
    Scenario 2: Attempted malware .exe download to a non-low integrity location fails and thus cannot run.

    I also tested EMET v2.0.0.3. I used max EMET protection for all Java executables. EMET didn't prevent the malware from running in this case.

    Making matters worse is that Java doesn't use DEP or ASLR by default.

    Protect Your Computer: Turn Off Java.

    From http://noscript.net/: (bolding added by me)
     
    Last edited: Feb 21, 2011
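    An added check for the two points above (MrBrian's low-IL scenarios, and m00nbl00d's icacls labelling script earlier in the thread), written here as PowerShell; it is not from the thread or from any of the tools the posters mention. It assumes Windows Vista or later, English-language icacls/whoami output, the default Firefox install paths, and a non-elevated (Medium IL) PowerShell session. The scratch folder, the Low-labelled copy of cmd.exe and the HKCU\Software\ILProbeDemo key are constructed throwaways that the script removes afterwards.

```powershell
# Added example (not from the thread): check mandatory integrity labels and
# observe the "no write-up" rule with a throwaway Low-IL process.
# Assumes Windows Vista or later, English icacls/whoami output, and an
# ordinary (Medium IL, non-elevated) PowerShell session.

function Get-MandatoryLabel {
    # icacls prints an explicit label ACE as, e.g.
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    # Objects without an explicit label are treated as Medium.
    param([string]$Path)
    $out = (& icacls.exe $Path 2>$null) -join "`n"
    if ($out -match 'Mandatory Label\\([\w ]+?) Mandatory Level') { return $Matches[1] }
    return 'Medium (implicit)'
}

function Get-CurrentTokenLevel {
    # whoami /groups lists the token's integrity level as a "Mandatory Label" group.
    $out = (& whoami.exe /groups) -join "`n"
    if ($out -match 'Mandatory Label\\([\w ]+?) Mandatory Level') { return $Matches[1] }
    return 'unknown'
}

function Invoke-LowIlProbe {
    # Runs one command line in $LowCmd (a Low-labelled copy of cmd.exe) and
    # reports whether it succeeded; cmd.exe exits non-zero when a redirection
    # or reg add is denied.
    param([string]$LowCmd, [string]$CommandLine)
    $p = Start-Process -FilePath $LowCmd -ArgumentList "/c $CommandLine" `
                       -WindowStyle Hidden -Wait -PassThru
    if ($p.ExitCode -eq 0) { 'allowed' } else { 'denied' }
}

function Test-NoWriteUp {
    # Builds a scratch area with one Low-labelled folder and one Medium-labelled
    # file, then lets a Low-IL cmd.exe try to write to each and to a throwaway
    # HKCU key (HKCU carries the default Medium label, as do the Run keys).
    $work   = Join-Path $env:TEMP ('ilprobe_' + [guid]::NewGuid().ToString('N'))
    $lowDir = Join-Path $work 'low'
    New-Item -ItemType Directory -Path $lowDir -Force | Out-Null

    $lowCmd = Join-Path $work 'lowcmd.exe'
    Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd
    # A process started from a Low-labelled image gets a Low-IL token; this is
    # the same mechanism the thread's icacls script relies on for firefox.exe.
    & icacls.exe $lowCmd /setintegritylevel L | Out-Null
    & icacls.exe $lowDir /setintegritylevel '(OI)(CI)L' | Out-Null

    $medFile = Join-Path $work 'medium.txt'
    Set-Content -Path $medFile -Value 'owned by a Medium-IL process'
    # Label it Medium explicitly, in case %TEMP% was already relabelled Low.
    & icacls.exe $medFile /setintegritylevel M | Out-Null

    $probes = [ordered]@{
        'write into Low-labelled folder' = "echo probe > `"$lowDir\probe.txt`""
        'write to Medium-labelled file'  = "echo probe >> `"$medFile`""
        'create key under HKCU\Software' = 'reg add HKCU\Software\ILProbeDemo /v p /d 1 /f >nul 2>&1'
    }
    $results = [ordered]@{}
    try {
        foreach ($name in $probes.Keys) {
            $results[$name] = Invoke-LowIlProbe -LowCmd $lowCmd -CommandLine $probes[$name]
        }
    } finally {
        Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
        & reg.exe delete HKCU\Software\ILProbeDemo /f 2>&1 | Out-Null
    }
    return $results
}

# --- report ---------------------------------------------------------------
"Current token integrity level: $(Get-CurrentTokenLevel)"
""
"Labels on the paths the thread's script touches:"
foreach ($p in @("$env:ProgramFiles\Mozilla Firefox\firefox.exe",
                 "$env:LOCALAPPDATA\Mozilla", "$env:APPDATA\Mozilla", $env:TEMP)) {
    if (Test-Path -LiteralPath $p) { '  {0,-18} {1}' -f (Get-MandatoryLabel $p), $p }
    else                           { '  {0,-18} {1}' -f 'not found', $p }
}
""
"Writes attempted by a Low-IL cmd.exe:"
$r = Test-NoWriteUp
foreach ($name in $r.Keys) { '  {0,-32} {1}' -f $name, $r[$name] }
```

    The first section shows whether the icacls script actually took effect (a path that still reads "Medium (implicit)" is one a Low-IL Firefox cannot write to, which is the "Firefox is already running" symptom discussed above). The probe section is the behavioural version of MrBrian's two scenarios: a Low-IL process can drop a file into a Low-labelled folder, but is denied both the write to a Medium-labelled file and the key creation under HKCU, which is why a Low-IL plugin cannot reach per-user autorun locations unless those have been relabelled Low.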
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  20. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076

    Sounds like they are trying their hardest to get your PC infected with this load o' rubbish of a plugin.
     
    Last edited: Feb 21, 2011
  21. wat0114

    wat0114 Guest

    Then why not keep Java updated, and run HIPS, an antivirus or better yet SRP or AppLocker and now the risk becomes extraordinarily mitigated. I refuse to cripple my web surfing experience by running away, tail between the legs, from Java just because it's a target of the malware producing community. As I've mentioned before, unless my security measures are breached, I will continue pretty much status quo. Someone well known in this forum once posted that maybe people don't trust themselves, in response to the extreme measures they take in securing their machines.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    There isn't much of a "web browsing experience" left unique in java, "cripple" your web browsing experience is more of a joke than anything else. With HTML5 on the horizon, there will be even less of a reason. I've yet to encounter a website that needs it in over 2 years. Plugins shouldn't be required to surf the net, and soon they won't be.
     
  23. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    While that is your experience, others still need Java, not out of choice perhaps.

    Here's a link to problems that some Chrome users faced (or still face):
    http://code.google.com/p/chromium/issues/detail?id=62076. Take a look at comment #56 at least.

    What happens in the future is another matter but, for some people, avoiding Java altogether may not be practical.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why is it that people always link Java to web browsers? Java isn't required only to allow certain websites to display Java related content; there are applications that require it, and without it... well...

    For example, the application provided by the IRS here requests Java to be installed. The problem is that people have no idea what Java is all about; they just know it's something they need for the application to work, hence not knowing how to disable its plugins in their web browsers. Heck, they don't even know what plugins are, let alone how to disable them.

    Not having Java isn't very realistic for a large number of people.
     
  25. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I'm well aware of that. If you took a moment to actually read my comments you'd realize I'm describing MY experiences and I haven't told him to remove Java. The one time where I recommend removal of Java is where it's not directed at anyone (on the first page), and I strictly state "If you can live without it". Was that hard for you to understand or? :rolleyes:

    My response is to the fact that removing Java does not inherently "cripple your internet experience", ESPECIALLY for the average user.
     