[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimjNfLBTjZASX6-Af9D4gWgaQ653TfB-FekMJ-=@mail.gmail.com>
Date: Tue, 7 Dec 2010 02:06:53 +0900
From: Dan Kaminsky <dan@...para.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: verizon vs m$
> Did you read the Reg article? It has nothing to do with the definition of a "security boundary." It's not about that at all. It's about a title tease of "bypassing protected mode" with associated inaccurate content when the whole thing could be summarized with "Protected Mode is not enabled by default in the Intranet zone." The "boundary" conversation, while interesting, is irrelevant here.
>
> I know times are tough and click-throughs on ads need to be maximized, but I don't think misrepresentation of technical content is appropriate. I can understand why the Reg would write the article, but I asked Guninski if the reason he posted it was because he considered Protected Mode being disabled by default in the Intranet zone some sort of security issue.
Read the actual research.
===
One vector is through name squatting attacks in the user’s
“BaseNamedObjects” (BNO) kernel object
namespace. In this attack, an object with a fixed name can be created
which is then opened by an
application that trusts the object not to be malicious by virtue of it
existing in the local namespace
(which was previously a reasonable assumption). This issue has been
given as an example of why
Protected Mode is not a security boundary by Microsoft.
Another vector is through leaked or duplicated handles. Access control
decisions are made at the point
that an object is opened, so existing handles may provide access to
resources that are only accessible
to more privileged contexts if they are transferred between processes.
Handles in low integrity
processes which have write access rights to higher integrity objects
can be considered privileged.
It was through this vector that Skywing escaped from Protected Mode
using a leaked handle.
The last vector is through objects which are deliberately shared
between low integrity processes and
higher integrity processes. This includes the Window Station kernel
object which is shared between
all processes within the same interactive logon session. With full
access to the Window Station, low
integrity processes also have access to the Global Atom Table, Window
Station properties, the user’s
clipboard and the “\Default” Desktop object. Such objects can be
detected through a tool written as
part of this research that locates objects open in low and higher
integrity processes; to determine if two
handles refer to the same object, the kernel mode pointers to the
object’s data structure are compared.
The Global Atom Table is used to store both integers and strings which
are each indexed by an integer.
A simple fuzzer was created to fuzz this table, which only caused a
null pointer dereference in “Process
Explorer” and corruption of Internet Explorer UI elements. Dynamic
Data Exchange (DDE) inter-process
communication occurs through the Global Atom Table and this may be
subject to more interesting
attacks via malicious atom table manipulation.28 Internet Explorer
also uses the Global Atom Table
heavily, but it would seem mostly for User Interface related functionality.
===
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists