Native hardening and exploit mitigation on Win7 vs. WinXP

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 17, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Just to beat a dead horse a bit more...

    Windows 7 will be with SP1, no further updates.

    Windows XP will be with SP3 and IE 8, no further updates.

    DEP will be turned on globally for both OSes. Just to have a vague semblance of fairness, I'll leave UAC alone on 7. (Normally I'd turn it up to max.)

    Exploits will be via IE 8. Note that we already have some problems here - exploits against IE *need* a means of ASLR bypass on Win7, otherwise they'll be lucky to get as far as crashing the browser.

    The security programs tested will be Panda Cloud AV and Privatefirewall. These proved to be some of the weaker offerings on XP. I've yet to see how they do on 7.

    We'll start with XP, while the 7 VM installs. Oh yes - and I'll be taking screenshots.
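The DEP/ASLR point above comes down to two bits in each module's PE header: on Windows 7, ASLR only relocates images that opt in via DYNAMIC_BASE, and NX_COMPAT is the per-image DEP opt-in that matters when DEP is not forced on system-wide. The following header check is an added example, not code from this thread; it reads those two flags straight from the PE optional header, and the stub PE it builds for testing is constructed here, not a real binary.

```python
import struct

# Standard PE DllCharacteristics bits (values from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated -> ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible


def mitigation_flags(pe_bytes: bytes) -> dict:
    """Report whether a PE image opts into ASLR and DEP via DllCharacteristics."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20            # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", pe_bytes, opt_hdr + 70)[0]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def make_stub_pe(dll_characteristics: int) -> bytes:
    """Construct a minimal, non-runnable PE header for exercising the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: machine=i386, 1 section, no timestamp/symbols, 224-byte optional header.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A module built without DYNAMIC_BASE loads at a fixed base on Win7, which is
    # exactly the kind of ASLR gap an IE 8 exploit would need to find.
    for label, flags in (("hardened", 0x0140), ("legacy", 0x0000)):
        print(label, mitigation_flags(make_stub_pe(flags)))
```

Point it at real files with `mitigation_flags(open(path, "rb").read())` to list which loaded modules on a Win7 box lack the ASLR opt-in.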
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I was wondering... why not conduct the tests with each OS fully patched? That would more accurately reflect the state most people's setups are in, and therefore be of the most relevance & help to people.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Because I need to have some exploits to work with, otherwise I won't get anywhere. If I could come up with zero-days as needed, I'd be sending this stuff to Microsoft, not posting it here. :)

    I could probably get away with patching XP, actually; I think some of the Metasploit exploits are unpatched for XP even in the latest IE 8. But running remote memory exploits against a fully patched Windows 7 VM is a nonstarter. I know because I already tried it.

    (And that alone should tell you something...)
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    First, Panda on XP as admin:

    Screenshot - 11172013 - 11:28:36 AM.png

    Stay classy, Panda. :rolleyes:

    With DEP on, ie_cbutton_uaf doesn't work. ie_execcommand_uaf works fine though:

    Screenshot - 11172013 - 11:55:48 AM.png

    From there on, disabling the antivirus is not terribly difficult. One BSOD later, we have this:

    Screenshot - 11172013 - 11:57:37 AM.png

    Antivirus disabled and gone. Wiping the AV service does trigger a system crash, but with most of the services already killed and removed before then, an attacker would have no problem setting up persistence.

    But remember, this is on XP. Let's see what happens now on 7.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Windows 7, running as "limited admin" with default UAC settings...

    One of the exploits succeeds:

    Screenshot - 11172013 - 12:48:50 PM.png

    A privilege escalation attempt fails to actually escalate privileges:

    Screenshot - 11172013 - 12:53:59 PM.png

    Another privilege escalation failure:

    Screenshot - 11172013 - 12:54:38 PM.png

    Panda catches an attempt to escalate privileges and get persistence via the task scheduler:

    Screenshot - 11172013 - 12:55:49 PM.png

    Another exploit failed, would you like to try again?

    Screenshot - 11172013 - 12:57:44 PM.png

    ... And, as far as I can tell, I haven't even got out of the IE 8 sandbox yet.
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Lesson: Don't use XP. Embrace the change!!
     
  7. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    More like "Lesson: Don't use IE. Embrace the change!!"

    And if you for some reason can't live without IE (on XP), then you should also use Malwarebytes Anti-Exploit.

    Did I miss something?
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    That works until Firefox, etc. stop supporting XP. Then the fun starts all over again. Better IMO to stay ahead of the game.
     
  9. Yes
    IE on Vista or higher has an additional OS feature using LOW integrity levels, which is the basis of the sandbox quoted by GJ, so I would agree with his advice "to stay ahead of the game". Dropping IE for Chrome (the only other browser having a sandbox) would show the same difference (fail on XP, pass on Vista and higher). Since this is a security forum, please don't mention Firefox (it has no sandbox, so FF has not stayed ahead of the game because security-wise FF still uses "XP age" technology).
     
  10. guest

    guest Guest

    I can see you're having fun. :D But thanks for the tests anyway. :thumb:

    Even better in Windows 8, IE runs under AppContainer IL. Not sure if it's lower than Untrusted IL though. :doubt:

    True, but Foxy has the best script filtering extension ever created. Although I just discovered that NoScript itself seems to be overrated.
     
  11. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    I didn't mention Firefox.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Yeaaah. Only three more tests to go...

    AppContainer is a whole other thing. IIRC it's supposed to be a good deal stronger than integrity levels. However I believe it only applies to the Metro version of IE.

    I'm an avid user of Noscript on Linux, so I'm rather interested in what makes you say this... :)
     
  13. guest

    guest Guest

    I think he was referring to Gullible Jones, the OP.
     
  14. guest

    guest Guest

    Just some discussions I read about client-side XSS protection. I haven't really looked into it yet. Probably I will create a thread about it once I see the need for it.
     
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Hmm. The distro I'm using comes with BEEF as well as Metasploit, maybe I could take a look at that too...
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi GP

    I am at a total loss as to what this even proves and how it could be at all valuable to me.

    I will probably have two machines using XP after the cut off date. But they will be fully patched, and I will be using Firefox, and a combination of security software, far far stronger than what you are using.

    Pete
     