Bypassing SRP

Page 3 of 3 Previous  1, 2, 3


Re: Bypassing SRP

Post by ssj100 on 24/12/2010, 16:07

p2u wrote:Sure! Just don't rely on automated technology to save your [insert body part here]; do it yourself immediately after the files have been created successfully, or you might get burned when you're expecting it least...
I don't even know how to use this "automated technology" - out of curiosity, what are some of the programs that can achieve this?

By the way, this "automated" backing up process must mean that the external storage device is often (or always?) connected to the main system - bad idea, in my opinion - you'd always risk getting the external device infected (no matter how small the risk, it's still there). Instead, if the device is generally always isolated (disconnected), good luck to the malware trying to infect the device by jumping across air haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Bypassing SRP

Post by apoptosis on 25/12/2010, 18:07

ssj100 wrote:
Sure, Microsoft may not have intended AppLocker to operate at kernel level specifically to prevent a malicious Office macro bypassing it, but lo and behold it does! Didier Stevens claims that AppLocker can't be bypassed from a Limited User Account without a Privilege Escalation Exploit, while SRP can be bypassed.

Finally, to drive home my point, what if the video I showed used an "arbitrary code execution vulnerability for some MS ActiveX component" which was able to bypass SRP and execute a malicious file, and then I posted another video showing that AppLocker successfully prevented this malicious file from being executed? This situation would have nothing to do with Macro protection or lack of. It would basically show that SRP is bypassed, while AppLocker is not. 1-0 to AppLocker.

Do you think that's reason enough to upgrade to Win 7?


Re: Bypassing SRP

Post by p2u on 25/12/2010, 20:46

apoptosis wrote:
ssj100 wrote:It would basically show that SRP is bypassed, while AppLocker is not. 1-0 to AppLocker.

Do you think that's reason enough to upgrade to Win 7?
If I may, I would say "no, not enough reason" since 1) AppLocker can be bypassed too with similar attacks and 2) you will have to buy one of the more expensive versions of Win7 to get it. Besides, with Win7 you get a lot of new attack vectors (Aero, Widgets, 124 or so services instead of 86, just to name a few).

And there's another point: you may know XP rather well, but Vista and Win7 are not so easy to configure to your taste, since MS has hidden a lot from the user and has rather drastically changed service dependencies, probably in an attempt to discourage disabling them. To give an example: while on XP you may safely disable the Task Scheduler, on Vista and Win7 you may not be able to boot the system if you do that, especially on a laptop. Even experienced administrators may have a hard time trying to get everything right.

We are told that Vista and Win7 are "so new and so much safer", but it turns out that most malware and most exploits work equally well on Win7. Sorry to say so, but if you have the choice, stick to XP as long as you can.

Paul


Re: Bypassing SRP

Post by apoptosis on 26/12/2010, 07:58

Thanks Paul, I'll stick with XP as long as SRP is not under attack from real world malware.


Re: Bypassing SRP

Post by ssj100 on 26/12/2010, 14:51

p2u, that's great to hear from a professional like yourself. And I was already planning to stick with Windows XP until at least 2014. Seems I have more reason to now!


Re: Bypassing SRP

Post by apoptosis on 29/12/2010, 07:16

It would be nice to see a POC pdf that bypasses SRP and test it against the recently introduced Adobe Reader X which comes with a sandbox.


Re: Bypassing SRP

Post by p2u on 29/12/2010, 15:34

apoptosis wrote:It would be nice to see a POC pdf that bypasses SRP and test it against the recently introduced Adobe Reader X which comes with a sandbox.
Does anyone happen to know why there should ever be active content present in ReadOnly PDF-files at all? Most of the time, it's the javascript implementation that is to blame for exploitation. But with every new update, javascript is again enabled. Is that just only because the Reader has to take a thumbnail screenshot of the documents you read, or are there any other good reasons? Even when you have removed Acrobat from startup; if you move your mouse in the direction of a PDF file (you don't have to open it), check your task manager and see Acrobat shine. It stays there even after you close the document. I hate this kind of behavior...

Paul


Re: Bypassing SRP

Post by ssj100 on 29/12/2010, 15:48

p2u wrote:Even when you have removed Acrobat from startup; if you move your mouse in the direction of a PDF file (you don't have to open it), check your task manager and see Acrobat shine. It stays there even after you close the document. I hate this kind of behavior...
Yes, "AcroRd32Info.exe" pops into memory and stays there for about 15 seconds even after the document closes - really dislike this too, and I have no idea why it's implemented like that. I've even considered force sandboxing "AcroRd32Info.exe" haha.


Re: Bypassing SRP

Post by p2u on 29/12/2010, 15:58

ssj100 wrote:I've even considered force sandboxing "AcroRd32Info.exe" haha.
When you rename AcroRd32Info.exe to AcroRd32_Info.exe, the behavior stops, but then you are still left with uncontrollable automatic updates. I replaced Acrobat Reader with SumatraPDF; none of the PDF exploits I've seen work with that one.

Paul


Re: Bypassing SRP

Post by ssj100 on 29/12/2010, 16:04

How bizarre. So you're saying that "AcroRd32Info.exe" is required to disable automatic updates?

By the way, I just thought of a way to exploit this - by default, Sandboxie, DefenseWall etc don't automatically run this process sandboxed/untrusted. So if a hacker could place malicious code into the pdf file and use something like this technique, the user could be potentially bypassed without even opening the file. Scary stuff!


Re: Bypassing SRP

Post by p2u on 29/12/2010, 16:34

ssj100 wrote:How bizarre. So you're saying that "AcroRd32Info.exe" is required to disable automatic updates?
No, no. I phrased that incorrectly. I was actually trying to say that if legitimate applications behave like "the enemy" (settings that can't be undone through the interface by the average user), they should be removed.

ssj100 wrote:By the way, I just thought of a way to exploit this - by default, Sandboxie, DefenseWall etc don't automatically run this process sandboxed/untrusted. So if a hacker could place malicious code into the pdf file and use something like this technique, the user could be potentially bypassed without even opening the file. Scary stuff!
Yes, that's right. That's "user convenience" going a bit too far. Binary stream handling vulnerabilities are the worst.

Paul


Re: Bypassing SRP

Post by ssj100 on 29/12/2010, 16:45

Thanks for the clarification. Again, this emphasises the need to be careful with what one recovers "out of the sandbox" and on to the REAL system. For example, it's probably unlikely you'll be hacked via an exploit when downloading and running a pdf file from "microsoft.com", but it'll probably be more likely if you downloaded it from "destroy_your_system.com" - if the malicious data doesn't make it on to your REAL system first, it can't do (much) harm.


Re: Bypassing SRP

Post by apoptosis on 30/12/2010, 04:33

ssj100 wrote:
By the way, I just thought of a way to exploit this - by default, Sandboxie, DefenseWall etc don't automatically run this process sandboxed/untrusted. So if a hacker could place malicious code into the pdf file and use something like this technique, the user could be potentially bypassed without even opening the file. Scary stuff!

The latest version of Adobe Reader doesn't have such vulnerability because it is sandboxed by default, right?


Re: Bypassing SRP

Post by ssj100 on 30/12/2010, 09:26

I don't know anything about the latest version of Adobe Reader, so I'm afraid I can't help you there.

Didier has explained to me how this exploit works:
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

Basically it involves a bug being triggered in the "explorer.exe" process (where the Adobe DLLs are loaded). Therefore, sandboxing the Adobe Reader processes will do nothing to stop this. However, sandboxing "explorer.exe" will contain this.

Given this piece of information, I have slightly modified my "security approach" - more specifically, I have slightly changed the way I manage newly introduced files on the REAL system. I'm hoping to do another video to demonstrate this.

Before, I was recovering newly introduced files straight to the desktop. Now, I have created a folder on the desktop called "Downloads". All newly introduced files will go directly into this folder. In this way, I will theoretically never need to browse the files with a REAL "explorer.exe". Again, similar programs like DefenseWall offer no such feature, and therefore people running programs like DefenseWall are vulnerable to these exploits.

If I wanted to delete the contents of the "Downloads" folder, I also wouldn't need to browse the folder with a REAL "explorer.exe" - I can use batch commands instead. If I wanted to copy or transfer something out of the "Downloads" folder (after verifying that it's probably safe with on-demand scanners), I would simply do so as per usual via the sandboxed "explorer.exe" window. If I wanted to copy something from untrusted USB drives, I would again use batch commands to transfer the files/folders into my "Downloads" folder.

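The premise of the post above (that the handler DLLs for a file type are loaded by explorer.exe itself, so sandboxing the reader process does not cover them) is something you can verify on your own machine rather than take on trust. The PowerShell below is an added example written for this page, not code from the forum posters, from Didier Stevens or from Adobe. It walks the three registry locations Explorer consults for per-type in-process shell extensions (the extension key, its ProgID, and SystemFileAssociations), resolves each handler CLSID to the DLL that would be loaded into explorer.exe, and reports whether that CLSID is on the machine-wide Approved list. Everything is read from the live registry; the .pdf default is only an assumption about what you want to inspect, and no specific handler names are hard-coded.

```powershell
# Added example: list the in-process shell extensions Explorer loads for a file type.
# Reads only standard registry locations; written to run on PowerShell 2.0 and later.

function Get-ShellExtensionHandlers {
    param(
        [string]$Extension = '.pdf'   # assumption: the file type you want to inspect
    )

    $hkcr        = 'Registry::HKEY_CLASSES_ROOT'
    $guidPattern = '^\{[0-9A-Fa-f-]+\}$'

    # CLSIDs on the Approved list are the only ones Explorer will load when the
    # EnforceShellExtensionSecurity policy is set; without that policy, unlisted ones load too.
    $approved    = @{}
    $approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    if (Test-Path $approvedKey) {
        foreach ($prop in (Get-ItemProperty -Path $approvedKey).PSObject.Properties) {
            if ($prop.Name -match $guidPattern) { $approved[$prop.Name.ToUpper()] = $true }
        }
    }

    # The extension key's default value names the ProgID (the document class of whatever reader owns the type).
    $progId = (Get-ItemProperty -Path "$hkcr\$Extension" -ErrorAction SilentlyContinue).'(default)'

    # The three places Explorer looks for per-type handlers.
    $roots = @("$hkcr\$Extension\shellex", "$hkcr\SystemFileAssociations\$Extension\shellex")
    if ($progId) { $roots += "$hkcr\$progId\shellex" }

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($typeKey in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            # Two layouts exist: shellex\<Type> with the CLSID as its default value (e.g. IconHandler),
            # or shellex\<Type>\{CLSID} subkeys (e.g. ContextMenuHandlers, ColumnHandlers).
            $clsids  = @()
            $default = (Get-ItemProperty -Path $typeKey.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($default) { $clsids += $default }
            foreach ($sub in (Get-ChildItem -Path $typeKey.PSPath -ErrorAction SilentlyContinue)) {
                $clsids += $sub.PSChildName
            }

            foreach ($clsid in $clsids) {
                if ($clsid -notmatch $guidPattern) { continue }
                # InProcServer32 names the DLL that Explorer maps into its own process for this handler.
                $server = (Get-ItemProperty -Path "$hkcr\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
                New-Object PSObject -Property @{
                    Registered  = $root
                    HandlerType = $typeKey.PSChildName
                    CLSID       = $clsid
                    Dll         = $server
                    Approved    = $approved.ContainsKey($clsid.ToUpper())
                }
            }
        }
    }
}

# Usage:
# Get-ShellExtensionHandlers -Extension '.pdf' | Format-Table HandlerType, Dll, Approved -AutoSize
```

Any DLL this lists is code that runs inside explorer.exe the moment the file is selected, hovered or shown in a details view, with no reader process involved. That is the list to compare against what your sandbox actually wraps, and it is the reason the "Downloads" folder trick in the post works only for as long as no real Explorer window is ever pointed at that folder.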

Re: Bypassing SRP

Post by p2u on 30/12/2010, 12:20

ssj100 wrote:Basically it involves a bug being triggered in the "explorer.exe" process (where the Adobe DLLs are loaded). Therefore, sandboxing the Adobe Reader processes will do nothing to stop this. However, sandboxing "explorer.exe" will contain this.
Handlers in Windows are a mess; they just do anything automagically, especially if they are registered in the Explorer context menu (Wow! Ole! - pun intended).
If you don't want to sit in a sandbox, then the only good solution would be: install a PDF reader that doesn't display this automagic behavior.

Paul


Re: Bypassing SRP

Post by ssj100 on 30/12/2010, 13:38

p2u wrote:If you don't want to sit in a sandbox, then the only good solution would be: install a PDF reader that doesn't display this automagic behavior.
And also hope that no one is trying to exploit that PDF reader I suppose.


Re: Bypassing SRP

Post by p2u on 30/12/2010, 15:07

ssj100 wrote:And also hope that no one is trying to exploit that PDF reader I suppose.
No idea. At least I have the benefit of "Security through Obscurity" or "Security through Diversity". Besides, I just don't download stuff from resources I don't know to be absolutely safe. Signatures don't mean anything to me, since they are bought, not earned. The "Trusted Computing" principle (let THEM decide what is trusted and what not) is flawed and dangerous.

Paul


Re: Bypassing SRP

Post by Scoobs72 on 31/12/2010, 01:09

p2u wrote:Signatures don't mean anything to me, since they are bought, not earned.

Very wise words. Security applications are becoming increasingly reliant on verifying signatures to determine whether the app is 'good' or 'bad'. That trust model broke down years ago with domain-validated SSL certificates (requiring the move to Extended Validation SSL certs), and the same may well happen with application signing. We're already seeing malware that's digitally signed and the trend is probably only going to increase.

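The distinction Scoobs72 draws above (a valid Authenticode signature proves that some certificate holder signed the file, not that the holder is anyone you trust) is easy to get wrong in tooling that stops at "signature valid". The PowerShell below is an added example for this page, not code from the forum or from any vendor. It reports the signature status that Get-AuthenticodeSignature returns, but only calls a file trusted when the signer certificate's thumbprint is on an explicit allow-list you maintain yourself. The file path and thumbprint in the usage line are placeholders, not real values.

```powershell
# Added example: "Valid" signature is not the same as "signer I trust".

function Test-TrustedSigner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # SHA-1 thumbprints of signer certificates you have vetted yourself (placeholder values in usage below)
        [Parameter(Mandatory = $true)][string[]]$AllowedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = New-Object PSObject -Property @{
        Path       = $Path
        Status     = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted or UnknownError
        Signer     = $null
        Thumbprint = $null
        Trusted    = $false
        Reason     = ''
    }

    # Anything other than Valid: unsigned, modified after signing, or a chain that does not reach a trusted root.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return $result
    }

    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # Valid only says the chain ends at a root Windows trusts. Signed malware passes that test too,
    # so pin the signer identity rather than the validity flag.
    if ($AllowedThumbprints -contains $cert.Thumbprint) {
        $result.Trusted = $true
        $result.Reason  = 'valid signature from an allow-listed signer'
    } else {
        $result.Reason  = 'valid signature, but the signer is not on the allow-list'
    }
    return $result
}

# Usage (placeholder path and thumbprint):
# Test-TrustedSigner -Path 'C:\Documents and Settings\me\Desktop\Downloads\setup.exe' `
#     -AllowedThumbprints @('0000000000000000000000000000000000000000')
```

Note that a rejected result still tells you something useful: "NotSigned" and "HashMismatch" are different failures from "NotTrusted", and a "Valid" signature from an unknown signer is exactly the case the post is warning about.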

Re: Bypassing SRP

Post by ssj100 on 31/12/2010, 01:21

By the way, have a look at Sandboxie's motto:



Re: Bypassing SRP

Post by p2u on 31/12/2010, 01:39

ssj100 wrote:By the way, have a look at Sandboxie's motto:
Nice.
P.S.: I assume that "IE" within the sandbox is just a coincidence?

Paul


Re: Bypassing SRP

Post by ssj100 on 31/12/2010, 01:41

Perhaps haha. Or we could see it as an example I suppose.

Actually, I think when Sandboxie was in its early development phase, it was only programmed to run IE sandboxed.


Re: Bypassing SRP

Post by RichieB on 2/2/2011, 13:48

There is a bypass for AppLocker using VBA which works just as well for bypassing SRP. The POC is here.


Re: Bypassing SRP

Post by ssj100 on 2/2/2011, 13:51

Yes, that's been known for at least a week. Thanks for the reference though RichieB, and welcome to the forums!

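Before deciding whether a published bypass such as the one RichieB points to applies to your own box, it helps to know exactly what your SRP policy enforces, because the answer depends on settings most guides never mention. The PowerShell below is an added example written for this page, not code from the forum or from Microsoft. It reads the machine Safer policy keys and reports the default level, whether DLLs are checked in addition to executables, whether local administrators are exempt, the executable type list, and every path and hash rule defined. The level names are the standard Safer level IDs; the script makes no claim about which bypass, if any, works against a given configuration.

```powershell
# Added example: dump the machine-wide SRP (Safer) policy as stored in the registry.

function Get-SrpPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        return New-Object PSObject -Property @{
            Configured = $false
            Note       = 'No CodeIdentifiers key; SRP is not enforcing anything on this machine.'
        }
    }

    # Standard Safer level IDs (decimal values of the SAFER_LEVELID_* constants).
    $levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

    $p = Get-ItemProperty -Path $base
    $defaultLevel = if ($p.DefaultLevel -ne $null) { [int]$p.DefaultLevel } else { 262144 }

    # TransparentEnabled: 1 = check executables only, 2 = check DLLs as well.
    $transparent = if ($p.TransparentEnabled -ne $null) { [int]$p.TransparentEnabled } else { 1 }
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    $scope = if ($p.PolicyScope -ne $null) { [int]$p.PolicyScope } else { 0 }

    # Rules live under <LevelId>\Paths\{GUID} and <LevelId>\Hashes\{GUID}.
    $rules = @()
    foreach ($levelKey in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $levelName = $levelNames[[int]$levelKey.PSChildName]
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($ruleKey in (Get-ChildItem -Path $kindPath -ErrorAction SilentlyContinue)) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                # Path rules carry the (expandable) path in ItemData; hash rules carry the file name in FriendlyName.
                if ($kind -eq 'Paths') { $target = $r.ItemData } else { $target = $r.FriendlyName }
                $rules += New-Object PSObject -Property @{
                    Level       = $levelName
                    Kind        = $kind
                    Target      = $target
                    Description = $r.Description
                }
            }
        }
    }

    New-Object PSObject -Property @{
        Configured      = $true
        DefaultLevel    = $levelNames[$defaultLevel]
        DllsChecked     = ($transparent -eq 2)
        AdminsExempt    = ($scope -eq 1)
        ExecutableTypes = $p.ExecutableTypes
        Rules           = $rules
    }
}

# Usage:
# $srp = Get-SrpPolicy
# $srp | Format-List DefaultLevel, DllsChecked, AdminsExempt
# $srp.Rules | Format-Table Level, Kind, Target -AutoSize
```

Two of those fields deserve a look whenever a bypass is discussed: DllsChecked is false on a default SRP configuration, so anything that gets code loaded as a library rather than started as a process is simply outside what the policy examines, and AdminsExempt set to true means the policy is irrelevant the moment a user runs as administrator. A per-user policy, if one exists, sits under the same CodeIdentifiers path beneath HKCU and can be read the same way.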

Re: Bypassing SRP

Post by jna90 on 29/7/2011, 09:10

I just wanted to mention:
Good read, this 5 page thread! I've learned a thing or two now.
Thanks guys for the interesting read.

Some speculation:
Supposedly the upcoming Windows 8 would be a lot safer, from what I understand of some articles that are written here and there on the net.

But then again, a system's security is as good as a user understands how the security works. I agree with p2u that understanding how the operating system works, or how it implements or executes its security, is also helpful in maintaining a more secure environment.

I've installed Windows a couple of times and what I see is, when the installation is finished, that the user is automatically an administrator and not a Limited User.

I've installed various Linux distros and what I like to think of as the fundamental difference between the two operating systems (Windows vs Linux) is that you enter a password in Linux and choose to be an administrator; you still need root privileges or have to execute a sudo command to get certain things done.
Sure it is all configurable or it can be changed, but in Linux it is a bit harder or less obvious to change these things.
And in Linux you have a bit more control over what is accessible or executable, or by whom (umask, chmod).
At least, that is my opinion when you have the out-of-the-box experience.
You install both OSes and, without any changes made by the user to the settings, the Linux installation is more secure.
In my opinion that is, of course; I don't like to say I know for sure, but I like to think this through my own experience.
And the root account, nowadays, is disabled by default in most mainstream distros.

What I try to say is: fresh installation of Linux: the user is LUA (or admin but NOT root!) by default.
Fresh installation of Windows: the user is admin (root) by default.
Without any changes to the default settings while installing or when finished with installation.

Anyway, sorry I was a bit off topic.
Again, good read and thanks for the info guys!



Re: Bypassing SRP

Post by ssj100 on 29/7/2011, 09:50

Yes, certainly Windows XP and before were flawed by default - on completion of installation, the default account is Admin. However, since Vista, Microsoft have attempted to improve this by changing the default account to a "pseudo-LUA" with the implementation of UAC.

Anyway, will be interesting to see what Windows 8 is like - I personally plan to move from XP straight to it if all goes well.

