Date: Mon, 02 Apr 2007 06:21:08 +0200
From: Haroon Meer <haroon@...sepost.com>
To: Larry Seltzer <Larry@...ryseltzer.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow -> It's ok, it's in IE Protected Mode

Hi Larry..

Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE.

Assuming a compromised IE session is relatively harmless is pretty
dangerous. While low privileged browsing is a welcome idea it is
unfortunately (mostly) a solution to yesterday's problem.

In the past we used to worry about zillions of machines being
compromised and becoming zombies.
Today, we are realizing more and more that it's all about the data.

ex:
I run as mh on my machine. Everything of value on my machine is
accessible to me. My music, my videos, my documents, my email, etc.
Getting root/system on my machine gets you bragging rights, but if you
were serious about hurting me, then mh is the only account you really
need to compromise.

By default, IE uses a NoWriteUp policy, meaning that a low IL mh shell
still gets to read everything of mh's by default (check out Mark
Minasi's chml to convert this to a more secure NoReadUp:
http://www.minasi.com/vista/chml.htm)

A low integrity shell (as a result of an IE compromise) may not be able
to write files to most locations on my machine, and so prevents my
machine from being "owned" in the traditional sense, but won't stop me
from losing all of my data.

/mh

-- 
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637
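A small Python model of the integrity check Haroon is describing, added here as an illustration and not part of his post or of any Microsoft code. The integrity level RIDs and the NoWriteUp/NoReadUp/NoExecuteUp policy bit values are the real Windows ones; the access-check function itself is a simplified stand-in for the kernel's mandatory integrity check (which runs before, not instead of, the DACL check), and the "mh" scenario is constructed.

```python
from enum import IntEnum

# Integrity level RIDs from the mandatory label SIDs (S-1-16-<rid>).
class IL(IntEnum):
    LOW = 0x1000      # IE Protected Mode, or a shell spawned from a compromised one
    MEDIUM = 0x2000   # a normal interactive user such as "mh" (constructed scenario)
    HIGH = 0x3000     # elevated administrator
    SYSTEM = 0x4000

# Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_NO_*_UP).
NO_WRITE_UP = 0x1
NO_READ_UP = 0x2
NO_EXECUTE_UP = 0x4
DEFAULT_POLICY = NO_WRITE_UP  # an object with no explicit label behaves like Medium + NoWriteUp

_POLICY_FOR = {"read": NO_READ_UP, "write": NO_WRITE_UP, "execute": NO_EXECUTE_UP}


def mic_allows(subject_il: IL, object_il: IL, policy: int, access: str) -> bool:
    """Simplified integrity check only (assumption: models the real check's policy
    semantics, not its full logic). It runs before the DACL check and both must
    pass, so True means 'not blocked by the label', not 'access granted'."""
    if subject_il >= object_il:
        return True  # the label never restricts a same-or-higher IL subject
    return not (policy & _POLICY_FOR[access])


def low_il_shell_vs_user_data(policy: int) -> dict:
    """What a Low-IL shell can do to Medium-IL user files under a given label policy."""
    return {a: mic_allows(IL.LOW, IL.MEDIUM, policy, a) for a in ("read", "write", "execute")}


if __name__ == "__main__":
    # Default label: the low-IL shell cannot write mh's files, but can still read them all.
    print("NoWriteUp (default):", low_il_shell_vs_user_data(DEFAULT_POLICY))
    # Relabelled with NoReadUp as well (what chml is used for): reads are now blocked too.
    print("NoWriteUp+NoReadUp: ", low_il_shell_vs_user_data(NO_WRITE_UP | NO_READ_UP))
```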