Native hardening and exploit mitigation on Win7 vs. WinXP

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 17, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Just to beat a dead horse a bit more...

    Windows 7 will be with SP1, no further updates.

    Windows XP will be with SP3 and IE 8, no further updates.

    DEP will be turned on globally for both OSes. Just to have a vague semblance of fairness, I'll leave UAC alone on 7. (Normally I'd turn it up to max.)

    Exploits will be via IE 8. Note that we already have some problems here - exploits against IE *need* a means of ASLR bypass on Win7, otherwise they'll be lucky to get as far as crashing the browser.

    The security programs tested will be Panda Cloud AV and Privatefirewall. These proved to be some of the weaker offerings on XP. I've yet to see how they do on 7.

    We'll start with XP, while the 7 VM installs. Oh yes - and I'll be taking screenshots.
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I was wondering... why not conduct the tests with each OS fully patched? That would more accurately reflect the state most people's setups are in, and therefore be of the most relevance & help to people.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Because I need to have some exploits to work with, otherwise I won't get anywhere. If I could come up with zero-days as needed, I'd be sending this stuff to Microsoft, not posting it here. :)

    I could probably get away with patching XP, actually; I think some of the Metasploit exploits are unpatched for XP even in the latest IE 8. But running remote memory exploits against a fully patched Windows 7 VM is a nonstarter. I know because I already tried it.

    (And that alone should tell you something...)
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    First, Panda on XP as admin:

    Screenshot - 11172013 - 11:28:36 AM.png

    Stay classy, Panda. :rolleyes:

    With DEP on, ie_cbutton_uaf doesn't work. ie_execcommand_uaf works fine though:

    Screenshot - 11172013 - 11:55:48 AM.png

    From there on, disabling the antivirus is not terribly difficult. One BSOD later, we have this:

    Screenshot - 11172013 - 11:57:37 AM.png

    Antivirus disabled and gone. Wiping the AV service does trigger a system crash, but with most of the services already killed and removed before then, an attacker would have no problem setting up persistence.

    But remember, this is on XP. Let's see what happens now on 7.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Windows 7, running as "limited admin" with default UAC settings...

    One of the exploits succeeds:

    Screenshot - 11172013 - 12:48:50 PM.png

    A privilege escalation attempt fails to actually escalate privileges:

    Screenshot - 11172013 - 12:53:59 PM.png

    Another privilege escalation failure:

    Screenshot - 11172013 - 12:54:38 PM.png

    Panda catches an attempt to escalate privileges and get persistence via the task scheduler:

    Screenshot - 11172013 - 12:55:49 PM.png

    Another exploit failed, would you like to try again?

    Screenshot - 11172013 - 12:57:44 PM.png

    ... And, as far as I can tell, I haven't even got out of the IE 8 sandbox yet.
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Lesson: Dont use XP. Embrace the change!!
     
  7. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    341
    More like "Lesson: Don't use IE. Embrace the change!!"

    And if you for some reason can't live without IE (on XP), than you should also use Malwarebytes Anti-Exploit.

    Did I miss something?
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    That works until Firefox, etc. stop supporting XP. Then the fun starts all over again. Better IMO to stay ahead of the game.
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,060
    Location:
    Netherlands
    Yes
    IE on Vista or higher have an additional OS feature using LOW Intergrity levels, which is the basis of the sandbox quoted by GJ, so I would agree with his advice "to stay ahead of the game". Dropping IE for Chrome (only other browser having a sandbox) would show same difference (fail on XP, pass on Vista and higher). Since this is a security forum, please don't mention FireFox (it has no sandbox, so FF has not stayed ahead of the game because security wise FF still uses "XP age" technology)
     
  10. guest

    guest Guest

    I can see you're having fun. :D But thanks for the tests anyway. :thumb:

    Even better in Windows 8, IE runs under AppContainer IL. Not sure if it's lower than Untrusted IL though. :doubt:

    True, but Foxy has the best script filtering extension ever created. Although I just discovered that NoScript itself seems to be overrated.
     
  11. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    341
    I didn't mention Firefox.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Yeaaah. Only three more tests to go...

    AppContainer is a whole other thing. IIRC it's supposed to be a good deal stronger than integrity levels. However I believe it only applies to the Metro version of IE.

    I'm an avid user of Noscript on Linux, so I'm rather interested in what makes you say this... :)
     
  13. guest

    guest Guest

    I think he was referring to Gullible Jones, the OP.
     
  14. guest

    guest Guest

    Just some discussions I read about client-side XSS protection. I haven't really look into it yet. Probably I will create a thread about it once I see the need for it.
     
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Hmm. The distro I'm using comes with BEEF as well as Metasploit, maybe I could take a look at that too...
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi GP

    I am at a total loss as to what this even proves and how it could be at all valuable to me.

    I will probably have two machines useing XP after the cut off date. But they will be full patched, and I will be using Firefox, and a combination of security software, far far stronger then what you are using.

    Pete
     
Loading...
Thread Status:
Not open for further replies.