Exploits

Hi @ all.

I have some questions about browser exploits and techniques against them.

Let me set up a scenario:

A normally trustful website (e.g. disney.com) is infected by the exploit kit ‘unique pack’.
The compromised WebPage contains an injected script. This will cause the browser to visit the site encoded in the script where an exploit kit will test various exploits against the browser and various other installed applications.

In this scenario the Flash Player and the Adobe Reader are vulnerable and there is no AntiVirus installed.

The PC is infected by the downloaded and executed malware.


My questions:

a) If i visit the infected Site with FireFox 3.5 + NoSkript and FlashBlock, what do i see looking in the NoSkript menue for allowing skripts?

a 1) Do i see something like this:

a 2) Or is the skript implemented in the disney.com domain in a way that NoSkript has no chance to seperate them?

Cause on very much websites you need to turn on the skrips and if a 2) is the case i can't see any protection offered by NoSkript.


Question b)

If i visit the infected site with Iron browser and the --save-plugins switch active will the "sandbox/dropped rights" technique protect me against the code execution?



Question c)

What does Opera offers against exploits? I cant see any NoSkript oder Sandbox Feature...


kind regards

Habakuck

 

This is a common scenario, where a normally trustful website is compromised by code injection which redirects the user to a site with malware code. With Opera configured properly, the PC is not infected.

Regarding exploits against the browser

These malware packs such as Gpack and Mpack contain exploits targeting IE6 mostly, a couple against IE7. None have any against Opera.

Regarding exploits against Flash, Adobe, etc

These are triggered by scripts on the redirected site, such as:

​

You will notice that the browser must have both javascript and plugins enabled for the exploit against the Adobe Reader to work. With either one disabled, the exploits fail.

Disabling Plugins globally in Opera is easy in the Preferences. The function of the Plugin is to load/run the file automatically in the browser window. Disable the plugin and the file doesn't do anything automatically.

Also Opera permits controlling how specific file types are downloaded. Configuring PDF, etc to prompt for download prevents the file from loading into the browser automatically, so the exploit fails.

Controlling scripts per site is easy in Opera. You disable scripts globally and configure per site. If I permit scripts on disney.com:

​

These settings will be stored by Opera and invoked each time I visit this site. Now, I will click on a link to the Disney Store which will take me to a different site. Checking the Site Preferences, scripting is not enabled.

​

This demonstrates that scripts configured on the parent site do not carry over to linked sites.

A realworld malware example: user is redirected to a site with a fake scan to trick into installing a rogue AV product. The code on the redirected site loads several javascript files which set up the images for the fake scan:

Code:

script src='fileslist.js'>/script
script src='progressbar2.js?v=1.1'>/script
script src='common.js'>/script

With scripting disabled, I see a blank page upon redirection:

​

If I enable scripting and reload the page, the fake scan image appears:

​

Proper configuring of the Browser nullifies most of the web-embedded exploits.

I am not familiar with configuring the other browsers you mention.

----
rich

 

Thank you very much Rich! That was a top-notch answer!

One thing that i didnt get yet:

If i enable the skripts for disney.com and there is an injected malicious skript will cause that the malicious skript is working as well as the legitimate skripts on that site. Am i right?

After that the skript will redirect me to another site where the exploit kit is waiting.
So i will see a random url* in the adress bar and can think about enabling skripts on that site too. *Is that url always so obviously malicious?
But if i would do so the exploit can do its dirty job.

Disabling plugins seems to be very good in preventing exploits but things like foxit reader or flash are necessary for me. Otherwise i couldn't see any videos or have a quick view on pdf files.
I moved to foxit reader because of recurring exploits for Adobe but i could not find a way arround the damm macromedia flash player.
And i think there were some exploits against the foxit reader to..

Therefore i am very interssted in either use Opera, FF+NoSkript or Iron with its sandbox. But i dont know how good the sandbox is. In some hacker competitions the iron browser was the only one wich was not hacked. It was exploited but the sandbox provided further code execution... But what a shame: i didn'd found any competition where opera took part in.

 

You are welcome.

Yes, any script will execute if scripting is enabled.

Seeing a URL - that depends. If it is a script exploit, it may start running before you see a URL. Otherwise, I suppose a Site Advisor might flag a malicious URL, or an Anti-Virus Product might flag something in the code. Yes, the exploit would do its dirty job if permitted to execute.

I understand that loading in the browser allows you to start reading before the complete document downloads. If this is important, then you have two other protections from the drive-by download: a firewall that monitors outbound connections, and a security product with execution protection. See a description here:

http://www.urs2.net/rsj/computing/tests/pdf/

Yes, many. Foxit tended to patch more quickly than Adobe, however, I noticed a number of victims who were using an unpatched version.

​

----
rich

 

Always good info and screenies from Rmus. As Rmus uses Opera, i'd like to add, here's what happens when i try to view a PDF with Foxit online with FF



I always get promted.

Plus you can block referrers if you configure FF by typing in about:config and then type in referrer and then double click to Toggle it to False.



A better way though which will enable to allow/deny referrers in real time on the fly, is to install the Request Policy extension in FF.



You will also see some other extensions i've installed which i highly recommend too.

 

hi, i wil just suggest to sandbox your browser. It,s simple, no hassle, and rock solid. Also you don't need to sacrifice any functionality, no pop ups, no need to make a lot of settings too.
Geswall, defencewall or sandboxie, any one wil do the job.

 

Hi aigle,

Are you advising people not to bother with browser settings -- just let drive-by attacks run such as PDF and then empty the sandbox afterwards?

----
rich

 

I run my FF sandboxed here. No problem. But i will switch to Win7 64bit and there is no sandbox prog at all.
So i came to Iron which uses a tiny sandbox.

Thank you StevieO! That is exactly what i see here.
But i see one problem: If i want to see this pdf cause i think it is trustful i will allow NoSkript to open that file. If the pdf file is comprised i am in trouble.

In conclusion i can not see any protection offered by NoSkript. If i visit disney.com and want to see what the site is about i have to allow the skripts exposing me to exploits.

 

IMO a sandbox is easier to manage, more safe and give atlest same level of security. Also there is no loss of usability/ funcionality.

Choice is yours. Do you want to click n click to make preferences per site basis? or just install a sandbox configure it and forget.

BTW I did so for long time( tweaking prefernces on per site basis) until I fed up and now my Opera runs with every default option enabled( except some cookie settings), within GesWall. I don,t get any problems and don,t need to bother for a lot of settings. I love security that is install and forget.

I some one doesn,t want/ like sandboxing for any reasons, then he/ she always has the option to play with browser settings whether it is Opera, IE, or FF etc etc

 

Do you know any sandbox for 64 bit?

 

Not ATM.

U reminded me of haute secure. I miss that software.

 

Thanks for your explanations!

----
rich

 

as you wrote iron is one choice but it,s sandbox doesn't work for the plugins.

 

it does with the --save-plugins switch! And that is really cool!

 

Hmmm. I never knew that. Can u explain this pls?

 

One addon i find handy is JS View. It's not meant to be a security tool in any way, it's a programming/development tool.

But in the context menu you can view all the Javascript on the page:



Then if you click on any of the Javascript or CSS entries, it opens it up in a View Source so you can see the scripting. It does help if you understand Javascript, so you can see what it's doing before enabling it but the average person can normally tell if it's calling script from some .cn domain, the code is obfuscated/packed or calling things like Flash or Pdf by skimming over it.

Anyhow, it may be helpful to someone.

 

save-plugins is wrong: it doesn't "sandbox" the plugins

the correct switch is --safe-plugins

http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/chrome_switches.cc?view=markup

 

You can switch to Full domains view and allow only top level script (i.e, disney.com script), so third party scripts (i.e, malicious scripts) are blocked

http://noscript.net/features

 

It will drop the rights for any plugin. So the plugins are integrated in the sandbox.
And of course it is --safe-plugins. Was a bit late yesterday...

 

I think that is the default setting. But my question was: Are the malicious skripts implemented in the top-level-document in a way witch NoSkript can not "see"?

 

Typically the javascript is inserted in the top level document and it pulls the exploit from a third party domain which noscript can see/block.

However.. Take Wilders for example, there's nothing stopping me from appending the malicious javascript to a pre-existing js file for instance:

Code:

wilderssecurity.com/clientscript/vbulletin_menu.js 

Then uploading the actual exploit to the attachment or avatar directory so it's fully contained on this domain. If you have js allowed for this domain you will get hit.

If a site is compromised anything can happen, if your favorite software vendors site/server was compromised their .exe could be tampered with and you download it thinking it's a trusted file.

Noscript alone isn't fool proof, it's about risk reduction and an additional layer that could very well save your backside.

 

The default setting in the menu is "base 2nd level domains", because is simpler for average user.

 

Thanks, all of you.

But it,s a bit over my head. Do i have to make a custom short cut for iron?

 

That's a cool site, whoever built that must be very talented.

Yes, create a regular shortcut. Then right click > properties and you will see the path to iron in quotes. After the last quote, add a space then --switch

Replace switch with whichever command you want to enable/disable. You can add multiple switches with a space:

chrome.exe --enable-user-scripts --enable-sync --bookmark-menu