lists.openwall.net - Open Source and information security mailing list archives
Date: Mon, 6 Dec 2010 20:32:37 +0000
From: Ven Ted <v3nt3d@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd:  verizon vs m$

---------- Forwarded message ----------
From: Ven Ted <v3nt3d@...glemail.com>
Date: Mon, Dec 6, 2010 at 8:31 PM
Subject: Re: [Full-disclosure] verizon vs m$
To: John Lightfoot <jlightfoot@...il.com>


 "the payload can create a web server listening on any port on the loopback
interface, even as a limited user at low integrity"

I'm only going from what the paper says - but that indicates to me that you
create a web server from protected mode, creating an intranet server that
didn't previously exist, so you're not pwning anyone's intranet, and you
don't need to already be running as a medium integrity process to serve the
malicious intranet page.


On Mon, Dec 6, 2010 at 8:27 PM, John Lightfoot <jlightfoot@...il.com> wrote:

>
> <snip>
>
> Once the initial remote exploit has been used to execute arbitrary code
>
> </snip>
>
> I think Thor’s point is if your Intranet is pwned such that it’s hosting
> remote exploits, you’re already screwed.
>
> It’s a configuration issue, anyway, so it’s easy enough to mitigate
> against.  My question is why did MS choose to disable Protected Mode by
> default in the Local Internet Zone?  I’ve only run across one application
> that won’t run in Protected Mode, it seems like it should be on by default
> for all zones.
>
> On Mon, Dec 6, 2010 at 1:49 AM, Thor (Hammer of God) <thor@...merofgod.com>
> wrote:
>
> I don't understand how Dan arrived at "Researchers bypass Internet Explorer
> Protected Mode" for the article title.  Protected Mode isn't being bypassed
> at all - the "researchers that figured out a reliable way to bypass the
> measure" apparently just noticed that Protected Mode is disabled by default
> in the Local Intranet Zone.
>
> Is this something you are concerned about?  This would obviously only be
> exploitable by accessing sites on one's own intranet by specifically using
> intranet nomenclature (and trusted sites, but the user has to add those).
>  Also, the article (or the researchers) are incorrect about the default
> settings for the Intranet zone - it's Medium-low, not Medium.   If the
> problem one is trying to fix is based on attackers compromising intranet
> sites and then posting code for unpatched vulnerabilities that would still
> end up only running in the user context, then you've got much bigger
> problems, no?
>
> I'm just wondering why you are bringing attention to the article, or really,
> why it was written in the first place.
>
> t
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Georgi Guninski
> Sent: Sunday, December 05, 2010 1:26 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] verizon vs m$
>
> in a world like this, verizon kills exploder bugs:
>
> http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
>
> http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
>
> the language doesn't seem passionate:
> -----
> Finally, Microsoft and other software vendors should clearly document which
> features do and do not have associated security claims. Clearly stating
> which features make security claims, and which do not, will allow informed
> decisions to be made on IT security issues.
> -----
>
> lol
>
> --
> joro
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


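The thread turns on a configuration point: Protected Mode is a per-zone setting, and it ships disabled for the Local Intranet zone (and for Trusted Sites, which the user has to populate), while the Intranet zone's template level is Medium-low. Both facts are visible in, and fixable from, the per-user zone registry keys. The PowerShell below is an added example for auditing and correcting those settings; it is not code from the thread, from the Register article or from the Verizon paper. It assumes the standard per-user zone keys under HKCU and the documented meaning of the "2500" (Turn on Protected Mode) and "CurrentLevel" values, and it assumes no machine-only zone policy (the Security_HKLM_only policy value) is in force, because in that case the HKLM copies of the same keys govern instead of the HKCU ones read here.

```powershell
# Added example, not from the thread or the Verizon paper.
# IE keeps per-zone settings under the per-user Zones key. Two values matter here:
#   "2500"         Turn on Protected Mode: 0 = enabled, 3 = disabled
#   "CurrentLevel" Security template: 0x10000 Low, 0x10500 Medium-low,
#                  0x11000 Medium, 0x12000 High
# Zone numbers: 0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet,
# 4 Restricted Sites. Run as the user whose IE profile you are auditing.

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }
$Levels    = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }

function Get-IEZoneSecurity {
    # One object per zone: current template level and Protected Mode state.
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZonesKey $zone
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $pm    = $props.'2500'
        $level = $props.CurrentLevel

        if ($pm -eq 0)         { $state = 'Enabled' }
        elseif ($pm -eq 3)     { $state = 'Disabled' }
        elseif ($null -eq $pm) { $state = 'Not set (IE default applies)' }
        else                   { $state = "Unknown ($pm)" }

        if ($null -ne $level -and $Levels.ContainsKey([int]$level)) {
            $levelName = $Levels[[int]$level]
        } else {
            $levelName = 'Custom/unknown'
        }

        [pscustomobject]@{
            Zone          = $zone
            Name          = $ZoneNames[$zone]
            Level         = $levelName
            ProtectedMode = $state
        }
    }
}

function Enable-IEProtectedMode {
    # Set "2500" = 0 for the given zones. Defaults to Local Intranet and
    # Trusted Sites, the two zones the thread notes ship with it disabled.
    param([int[]]$Zones = @(1, 2))
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '2500' -Value 0 -Type DWord
    }
}

# Before: on a stock install zone 1 reports Medium-low with Protected Mode disabled.
Get-IEZoneSecurity | Format-Table -AutoSize
Enable-IEProtectedMode -Zones 1, 2
# After: zones 1 and 2 report Enabled. Open a new IE session for the change to apply.
Get-IEZoneSecurity | Format-Table -AutoSize
```

Reading the values before changing anything is the useful half: it confirms Thor's point that nothing is being bypassed, since the audit shows Protected Mode simply off for zone 1, and it shows the Medium-low template he corrects the article on. In a managed environment the same two values are what a zone policy (Computer Configuration or User Configuration, Internet Explorer security zones) writes, so auditing HKLM as well is the check to add where that policy is deployed.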