Buffer Overflow + HIPS?

Discussion in 'other anti-malware software' started by EASTER, May 25, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    While reviewing a few pages back in the Buffer Overflow Topic and taken in by some curious consideration of zopzop's
    https://www.wilderssecurity.com/showpost.php?p=1228511&postcount=56
    brief mention of an app named OZONE claiming to protect against all the recent buzz over buffer overflow exploit, i installed it and it set itself up in a number of areas within the SSDT Table as evidenced from Ice Sword's SSDT scale. You can see it sets up alongside EQS hooks.

    http://www.securityarchitects.com/faqs.html

    From what i been able to determine so far OZONE adds itself also as a sort of HIPS itself if you study it's positioning and test it against various safe samples that try to access Physical Memory for one, and also is intercepted a keylogger i deliberately installed so far.

    It seems to alert when it determines something has a potential to force itself to compromise wherever/whatever it's designed to guard against. I only just installed it tonight so i'm early yet in pushing some samples at it to see what all it will alert to, and yes just like a HIPS, it requires the usual decision to allow or deny but the alert box is small and unobtrusive.
    It repeats it's warning each boot up that i have my keylogger running which i find interesting.

    The site might be somewhat outdated (dunno) but it proves to stand in within the SSDT Table in many areas for interception/alert/abort capability. I want to try to unhook it, haven't tried that yet, but RKU froze up instantly when i ran it, but Ice Sword 1.22 clearly displays it's positions.

    Also wonder if anyone regards this other app named BoWall that makes mention of patching potential Dll's susceptible to buffer overflow exploits if i read it right and if anyone is actually tested it.
    http://www.securesize.com/BOWall/description.shtml

    Are these legit prevention techniques for today's use you think? Or simply outdated?

    EASTER
     

    Attached Files:

    • 23.jpg
      23.jpg
      File size:
      152.5 KB
      Views:
      8
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    UPDATE

    Don't bother trying or testing OZONE

    It was a complete flop! Easy as pie to not only unhook but rarely alerted to serious potential threats. IMO, a very badly written driver, and not only that but looks to have loaded dll's into every running processes which was a pure pain to eradicate just from the Programs Files folder, but unlatched them.

    Not only that but i get sick and tired of these so-called security apps that design their crafts to lock permissions in the registry but leave it up to the end user or customer to have to manually unseat the permissions just to free up Enum\Legacy settings they take up camp in.

    This is not the only app i've had to add all users in registry permissions to delete their sticky LEGACY settings, and some leave a trail of them a mile long to clean up.

    Oh well, no more worse for wear right? Back to the hunt for the ultimate RAW shield that in Windows i don't believe even exists.

    The only clear alternative i see for solid safety is a good ISR like the Genuine FD-ISR or Returnil & SandboxIE or some other form of virtual duplication of the operating system because it's way too easy for malware to revolt the permissions and protections in too many ways even when supposedly guarded by security apps.

    Limited User and apps like AE or DeepFreeze that can abort launching executables is about as good as it can get, as well as scripting protection, because once executables are passed thru, i don't see no other way to shield them off from interacting with the O/S.

    Virtual Systems looks like the master of control IMO.
     
  3. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    yeah i should have mentioned aigle was kind enough to run a few tests for me and said not to bother, this was in a PM though, i guess i should have mentioned it in that thread.

    for buffer overflow i just use comodo memory firewall and hope it really works as advertised.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    ThreatFire protects against buffer overflow, uses almost the same RAM as memory firewall (less than 8 MB), & protects against a lot of other stuff as well. Check HERE, and especially HERE.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Consider the following documented attacks using buffer overflow:

    =============================================
    How do Storm, NotFound and other threats infiltrate so many PC's?
    http://blog.threatfire.com/2007_08_01_archive.html

    Control will slide down the sled to our shellcode, and the attackers will effectively
    download and execute a set of binaries stored on another web server.
    ===============================================

    W32/Mydoom.ag@MM
    http://vil.nai.com/vil/content/v_129630.htm

    The webcam.htm page that is served results in a buffer overflow occuring in Internet Explorer.
    Shell code then executes, which instructs the local machine to
    download a remote file ... and then execute the downloaded file.
    =====================================================

    http://www.finlandforum.org/viewtopic.php?t=7685
    Iframe buffer overflow

    A hacked Comedy Central server hosted the exploit code in HTML format. Included in the document was Javascript to perform the buffer overflow. The shell code created by the exploit was 330 bytes. It contained instructions to
    download an executable from hxxp://www.plasia.com/xxxxxxx
    ======================================================

    W32/Zotob.worm
    http://vil.mcafeesecurity.com/vil/content/v_135433.htm
    Exploits MS05-039: Vulnerability in Plug and Play

    When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script (2pac.txt is the script file name) and launching FTP.EXE to
    download and execute ... haha.exe.
    =========================================================

    The above attacks have this in common: the shellcode downloads and executes malware.

    Is anyone aware of documented attacks using buffer overflow
    where shellcode does other than download and execute malware?


    ----
    rich
     
    Last edited: May 26, 2008
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    thank you for simplifying it so people like me can understand what exactly these types of buffer overflow attacks do.

    i do have a question though. how does this specific type of attack (download and execute) function in a limited user account protected by a software restriction policy?

    for example if IE is exploited and it downloads and tries to run an executable, shouldn't this be blocked by the software restriction policy (the execution part not the download part)?

    i mean in a LUA you can only write to your own specific folder and with the SRP you can only run executables from c:\program files and c:\windows. the only place the exploited IE can save the file is the very same place no files are allowed to execute. unless i'm missing something.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I am not familiar with the technical aspects of Limited User Accounts, but with Software Restriction Policies, I've sent SpikeyB (who uses SRP) many links to sites with remote code execution exploits (attempts to download/run an executable) and none of the exploits have been successful. SRP prevents the running of any executable not already on the system.

    Anyone with a HIPS or other product with execution protection can also easily prevent any Remote Code Execution exploit from installing/running an executable.

    It doesn't matter the method of attack: .wmf file; AutoRun.inf file; Buffer Overflow; any of the IE exploits (if unpatched).

    If the payload is a binary executable, then the attack fails with any of the above protection.

    Note that this type of protection is not analyzing the Buffer Overflow Shellcode, as some products purport to do. It simply blocks the code from carrying out the payload at the point that an executable attempts to install/run.

    For myself, I put this issue to rest a long time ago. I'm revisiting it because of the recent surge of articles about Buffer Overflow, motivated in part by a number of security products which are focussing on Buffer Overflow, and concern of some that there may be current Buffer Overflow Attacks whose payload does other than download a malicious executable, which would require other types of protection.

    I've not been able to find any at the moment.


    ----
    rich
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    makes sense thanks. i just wanted to make sure.

    ah..... good point. i'd also be interested in knowing if anything like that exists in the "wild".
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    It would been great if this OZONE was further developed, it did exhibit some interesting preventions, but defintely not enough to rely on as an automatic sequence HIPS/Buffer Overflow protector as it first appeared.

    Was interesting to give it a run though, and thought sure it covered enough additional SSDT entries to be of some reasonable use.

    EASTER
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What examples of buffer overflow exploits did you test?


    ----
    rich
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    COMODO's for one.

    I became more interested however when it abruptedly alerted to a keylogger i keep running plus it stopped some Device\Physical Memory accesses.

    I'm gonna give this another shot sometime this week, as i only briefly run it through some tests and wasn't satisfied with the results because it appeared to seize up on some samples i tested it with and forced many manual resets.

    I must add i allowed it to run with EQS at the time too.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A search this evening for active buffer overflow attacks which do not download malicious executables returned nothing.

    In discussing this with people at sans.org, one handler wrote that he doesn't track in the wild exploits based on
    Buffer Overflow exploits that are not related to downloading malicious executables.

    Another didn't know of any current ones, and reminded me of the "Morris" worm, probably the first to use a Buffer Overflow exploit which did not download an executable.

    A description of it, and of a couple of other worms:

    ===============================================

    1988 Internet Worm
    http://snowplow.org/tom/worm/worm.html

    An Internet worm, it takes advantage of bugs and security holes to travel from network to network.

    Actually, the intention of the worm (judging from decompiled versions of its code and the statements of its designer) was to do nothing at all. At least, nothing visible. The worm was designed simply to spread itself to as many computers as possible without giving the slightest indication of its existence.
    ==================================================================

    Code Red [Jul 2001]
    http://en.wikipedia.org/wiki/Code_Red_worm

    The worm spread itself using a common type of vulnerability known as a buffer overflow.
    The payload of the worm included:
    ==> It defaced the affected web site
    ==> It tried to spread itself by looking for more IIS servers on the Internet.
    ================================================

    SQL slammer [Jan 2003]
    http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)

    The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic,

    it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products

    Home PCs are generally not vulnerable to this worm unless they have MSDE installed.
    ====================================================

    Oracle XDB FTP Services Buffer Overflow Vulnerability is being exploited in the wild. [Mar 2003]
    http://oit.ohio.gov/alerts/OracleXD...owVulnerabilityisbeingexploitedinthewild.aspx

    On March 19th, 2003 Internet activity targeting this vulnerability commenced. The vulnerability being exploited is a buffer overflow which could result in giving a remote attacker the ability to execute arbitrary code that could result in a Denial of Service attack and/or give the attacker the ability to capture an active user(s) session.

    In order for this vulnerability to be exploited there would need to be a database that requires authentication (i.e., valid login required) from a user, or the FTP and HTTP servers would need to enabled in the XML Database. HTTP and FTP services are enabled in the affected products by default. Additionally, for a remote exploit, the database must be directly connected to a network in which there is no intervening application server, firewall, or other network security device that would block the attack.
    =================================================

    A quick search for active buffer overflow exploits shows that most target specific applications.
    Here are some - most have been patched:

    Windows Media Player
    Windows RealPlayer
    Foxit Reader "util.printf()" Buffer Overflow Vulnerability
    Yahoo Jukebox vuln goes wild ...
    Microsoft PowerPoint
    Adobe Acrobat
    Apple Quicktime

    The attack requires that the victim open a specially crafted file.
    Two examples:

    ==============================================
    Adobe Reader [Feb 2008]
    http://forums.whatthetech.com/Adobe_Reader_exploit_in_the_wild_t88615.html
    ===========================================

    Apple QuickTime exploit goes wild [Dec 2007]
    http://www.vnu.co.uk/vnunet/news/2204914/quicktime-exploit-goes-wild

    ===============================================

    Assuming the user chooses to run one of these files, HIPS products will stop the malware from installing/running.

    Is Buffer Overflow any more dangerous an attack vector than other remote code execution types?
    In some cases, the same strings are seen in both non-buffer overflow, and buffer overflow types.

    In these two, the attacks do not require the user to click on a file, rather, just going to a web site which has code to download these files is sufficient (assuming the vulnerability is not patched):

    Non-Buffer Overflow: Animated cursor file vulnerability MS05-002

    Code:
    GetProcAddress_LoadLibraryA_GetSystemDirectory
    [b]A_urlmon.dll_[/b]
    
    [b]URLDownloadToFileA_[/b]
    
    [b]WinExec[/b]_http://intimatephotoalbum.net/web.exe
    
    Buffer Overflow: Windows Metafile (WMF) Buffer Overflow Remote Code Execution MS06-001

    Shellcode analysis -- download n' exec
    HIPS, Software Restriction Policies, Vista's UAC, will easily block both of these attacks
    which attempt to download/install an executable.

    Is additional separate Buffer Overflow protection necessary?

    So far, I've not found examples of current in-the-wild Buffer Overflow attacks that don't download executables.

    Still looking...

    ----
    rich
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Rmus

    Do you hold any opinion to OZONE?

    Have you tried it at all and if so any opinions either up or down to your findings?

    EASTER
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Easter,

    Sorry, I have not tried that product.


    ----
    rich
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I don't give up that easy.

    I'm right back with OZONE again and taking it to task.

    Seems like what once was a proof-0f-concept at one time now viable enough for security functions.

    My aim is to identify just what those security functions are and where their limitations are evident.

    One thing is for sure, it LOCKS down for sure access to outside entry to Device\Physical Memory. As well as some other processes.

    Will post more as they become available and are interesting enough to share findings with. It covers a lot of SSDT Table instructions for sure, and that's my interest right now, to see how well they protect and if they can self-protect from unhooking.

    EASTER
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you explain (in layman's terms) how this can happen? How is "access to outside entry" achieved?

    Thanks,

    ----
    rich
     
    Last edited: May 31, 2008
Loading...
Thread Status:
Not open for further replies.