How Secure is LUA with SuRun?

Discussion in 'other anti-malware software' started by danielrego, Aug 24, 2008.

Thread Status:
Not open for further replies.
  1. danielrego

    danielrego Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    15
    Hey folks, after reading the excellent threads here on using a Limited User Account in Windows XP in conjunction with SuRun, I decided to give it a try, and I have to say, I was VERY impressed.

    My question is, how secure exactly is the LUA/SuRun combo? Or how secure exactly is LUA itself in XP SP2? What are the possible exploits and vulnerabilities that can render such a system in a state of compromise? E.g. possible ways for a malicious process to get around the access restrictions or gain administrator privileges.

    Any help would be greatly appreciated!
     
  2. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    There are 4 attack vectors that can defeat LUA-SuRun:

    1. web-script based privilege escalation
    2. web-script based buffer overflow attack
    3. web-script exploits a bug in a browser plugin
    4. trusted application downloads an update, you give it admin rights, but it turns out that the update is malicious

    Some of these attacks can be blocked by enabling DEP.

    All vectors can be blocked by tools like comodo firewall with defence+

    The 4th attack vector will be blocked by an upcoming version of comodo (might take some time though (months/years))
     
  3. danielrego

    danielrego Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    15
    From your post, it seems that the only vulnerabilities of an LUA involve web scripting (except no. 4). In that case, I'm assuming that script blocking systems like NoScript for Firefox would solve these three. Is this correct?
     
  4. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    Noscript would do the trick for 99% of those attacks.

    However, as soon as you allow 1 site to use scripts you're open to attack again. (Sites you trust can be compromised after all.)
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are a number of ways the system could be compromised when running LUA and SuRun on XP. Here are some:

    a) buffer overflow in highly privileged code, such as an antivirus program
    b) alteration of files, registry, or other objects from 3rd-party programs that have poorly configured security permissions - see The Case of the Insecure Security Software.
    c) malware hooks or modifies the memory of a process that has been given admin rights by SuRun, which allows the malware to do anything the modified process with admin rights can do

    The thread Is Limited User Account enough? Not really is relevant reading.
     
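    Point (b) in the post above is the one a user can check for themselves: any file under a program directory that Users or Everyone may write is a candidate for tampering by a limited account. The following audit script is an added example, not code from the thread or from SuRun; it assumes PowerShell with the standard Get-Acl cmdlet, and the root path is an assumption.

```powershell
# Added example (not from the thread or SuRun): list files and folders under a
# program tree that a limited user could modify, i.e. the "poorly configured
# security permissions" from point (b). Run from an admin prompt; $Root is an
# assumed default and can be overridden on the command line.
param([string]$Root = $env:ProgramFiles)

# Well-known SIDs of groups every limited user belongs to (language independent).
$lowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Rights that let the holder change a file's content, ACL or owner.
$rights = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights::Modify -bor $rights::WriteData -bor $rights::AppendData -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership -bor $rights::Delete)

function Test-LowPrivWritable {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    if ($Rule.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $Rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # unresolvable / orphaned SID: not a low-priv group
    return ($lowPrivSids -contains $sid) -and
           (([int]$Rule.FileSystemRights -band $writeMask) -ne 0)
}

Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($rule in $acl.Access) {
            if (Test-LowPrivWritable -Rule $rule) {
                # Inherited entries usually mean the parent directory's ACL is
                # the real problem; fix it there rather than per file.
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Identity  = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    } | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

    An empty result for Program Files is the expected state on a default XP install; each line it does print is a location a limited user could overwrite before an administrator (or a SuRun-elevated process) runs it.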
  6. danielrego

    danielrego Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    15
    That sounds fairly ominous, if you ask me!

    A classical HIPS (or perhaps even a behaviour-based one) would make dealing with these problems a breeze, but one of the reasons I ventured into the whole LUA/SuRun method was to get rid of some of my security apps (HIPS being one).

    Is there some other workaround? I currently run an LUA account on WinXP SP2 with SuRun and Avira AntiVir Personal in realtime.
     
  7. Arup

    Arup Guest

    If you are running Avira Free, consider adding Defender in Spynet mode, which makes it into a real time HIPS, and when combined with DEP for all and LUA+SuRun it's a formidable combo. In case you are running an x64 OS you are even more secure due to PatchGuard.
     
  8. Dogbiscuit

    Dogbiscuit Guest

    I've seen a limited user account breached on XP Home SP2. Given how that happened I concluded:

    1) If you keep software updated and take reasonable care, a limited user account by itself will protect the OS from most remote drive-by downloads (but not the limited account itself).

    2) But, if a user is very careless (clicking on anything), or if there is another user on the system intent on gaining admin access, LUA can be breached eventually with some work. An example would be a user unknowingly allowing the download of a file which includes a local privilege escalation exploit (it can't be executed remotely). The user negligently executes the file.

    3) Adding a software restriction policy to XP Home is safer than using LUA alone, and the restricted account is then protected from most remote drive-bys as well. For a little extra inconvenience, changing some autostart registry entries would make the account even more secure.
     
    Last edited by a moderator: Sep 2, 2008