Escaping from Microsoft's Protected Mode Internet Explorer
Evaluating a potential security boundary

White Paper: Security Solutions

Abstract

The level of protection offered by Protected Mode Internet Explorer® is not well understood, and there are common misconceptions about its status as a security feature. This research set out to discover the full extent to which Protected Mode can protect users from zero-day memory corruption vulnerabilities in Internet Explorer and third-party extensions. As a result of this research, a bypass of the feature was discovered, along with a number of generic attack patterns which must be protected against to prevent future circumvention of the feature.

Introduction

In Internet Explorer 7 and Windows Vista, Microsoft introduced a new browser security feature called "Protected Mode". According to Microsoft, this mechanism "significantly reduces the ability of an attack [against Internet Explorer] to write, alter or destroy data on the user's machine". A clearer description is that the feature attempts to protect the integrity of the client machine in the event that the browser is compromised in an attack, and to prevent malware from being persisted on the targeted machine. [1, 2]

This paper will describe why this is not currently the case in Internet Explorer 7 or 8 for remote code execution vulnerabilities, discuss the limitations of the feature by design, identify generic attack patterns that can be used to bypass the feature (without user intervention) and discuss some inconsistencies in the underlying access control implemented in Microsoft® Windows®.

The Microsoft Security Response Centre (MSRC) does not regard Protected Mode as a security boundary, but there is the intention for it to become a true security boundary in a future version of Internet Explorer. Once it becomes a formal security boundary, Microsoft will patch any successful bypass of the mechanism within their monthly security updates.

However, since the feature's introduction, a wide range of sources at Microsoft and elsewhere have implied or stated security claims about the feature, for example:

• "The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do." – IEBlog (2006) [3, 4]
• "What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by [the ANI] vulnerability." – ZDNet (2007) [5]
• "IE7 users on Vista also benefit from Protected Mode, which helps prevent the installation of malicious software, even in the event that an exploit results in code execution." – IEBlog (2009) [6, 7]

These claims cannot carry any serious weight without Microsoft regarding the feature as implementing a security boundary. Later in this paper, a generic bypass of the feature is described which invalidates the above claims about the ability of the feature to protect against memory corruption vulnerabilities. As far as I am aware, Microsoft has publicly stated only once that Protected Mode is not a security boundary. [3]

Confusion about the protection offered by Protected Mode even exists amongst security researchers, for example:

• "Windows Vista introduced Protected Mode Internet Explorer which was a step in the right direction. An exploit against Internet Explorer on Vista and 7 will run with Low Integrity, so it can't change or harm your system. It can only upload all of your sensitive information to the attacker (Phew!)." – Dino Dai Zovi (2010) [8]
• "Likewise, Internet Explorer 7, when running on Windows Vista, is sandboxed on OS level as a whole" – Michal Zalewski (a.k.a. lcamtuf) comparing Protected Mode with the "Chrome Security Sandbox" in the 'Browser Security Handbook'. [9]

Whether or not Protected Mode or User Account Control (UAC) should be considered as security boundaries has been a topic of debate, but attention has mainly focused on the latter of these two mechanisms. [10, 11, 12] I am only aware of a single publication, not written by a Microsoft employee, which discusses the security of the feature post-release. [13] Therefore, this paper will not consider limitations of UAC and will focus on Protected Mode and Mandatory Integrity Control (MIC).

Both Protected Mode and User Account Control are built upon Mandatory Integrity Control, and both provide elevation routes between different integrity levels. As a result, both need to be understood in order to properly assess the security benefit of using Protected Mode Internet Explorer.

The rest of this paper is divided into five sections:

1. Design and implementation of Mandatory Integrity Control
2. Design and implementation of Protected Mode Internet Explorer
3. Generic attack patterns against Protected Mode Internet Explorer
4. Bypassing Protected Mode Internet Explorer
5. Conclusions and Recommendations

Sections 1 and 2 lay the groundwork for the reader to understand sections 3 and 4. It is hoped that this paper will accurately inform the reader of the true benefits of using Protected Mode Internet Explorer, both now and in future, when the feature is upgraded to the status of a formal security boundary by Microsoft.

1. Design and implementation of Mandatory Integrity Control

Mandatory Integrity Control (MIC) is a form of mandatory access control introduced in Windows Vista. It is an access control policy under the control of the operating system, not the user, which allows the concept of a less-trusted process to be introduced.
This mandatory access control complements the discretionary access control policy defined by the owners of objects, which is based on users and groups.

In this mandatory access control scheme, each securable object (e.g. processes, files and shared sections) has an access control entry (ACE) in the System Access Control List (SACL). This ACE is referred to as the 'mandatory label' (SYSTEM_MANDATORY_LABEL_ACE) and there is only a single ACE of this type; any surplus mandatory labels are ignored and leave the Access Control List in a non-canonical form. [14, 15]

The Security Identifier (SID) specified in this access control entry represents the level of "trustworthiness" (or integrity level) of the object which the SACL belongs to, and the 'mandatory label rights' (the access mask of the ACE) define one or more MIC policies which apply to the object. These SIDs are of the form S-1-16-*, where '*' is the value representing the integrity level.

Before any discretionary access control is performed (based on users and groups), the mandatory access control check is done using the integrity level of the requesting process (derived from its primary token) and the mandatory label of the object being accessed. If this check passes, then the discretionary access check can proceed.

The most common policy is "No Write Up", which prevents processes at lower integrity levels from writing to objects at higher integrity levels and gives the feature its more common name of "Integrity Levels". This prevents a less-trusted process within a user's session from corrupting more trusted objects within the same user session, even when the discretionary access control policy would allow it. In this way, Mandatory Integrity Control introduces the concept of less-trusted applications running under a single user account.

There are two other policies defined: "No Read Up" and "No Execute Up".

The "No Read Up" policy prevents read operations from lower integrity processes and provides confidentiality. This is used, for example, to prevent the reading of the virtual address space of a higher integrity process.

The "No Execute Up" policy is used by DCOM to control the launch and invocation of out-of-process COM objects, which could run at a higher integrity level than the COM client. If the DCOM subsystem were not integrity aware, then higher integrity COM objects could be made to perform actions on behalf of a lower integrity process. [16]

There is no default policy, because each type of securable object has a different set of policies that apply to it. For example, processes are marked as both No Write Up and No Read Up. This prevents a lower integrity process from reading or writing the virtual memory space of a higher integrity process.

There are a total of six integrity levels explicitly defined by Windows: Untrusted, Low, Medium, High, System and Protected (which is used for implementing Digital Rights Management). But there are actually 2^16 (65,536) possible integrity levels, as the value is represented by a 16-bit number. The starting integrity level for a logon session varies according to the user:

Integrity Level   User
System            Local System, NT Services
High              Elevated Administrator
Medium            Un-elevated Administrator, Limited Users

When a new process is launched, the child process inherits the integrity level of the parent process, or the parent process can launch the child process with a lower integrity level, but not a higher one.

When a process accesses an object, including another process, the integrity level of the requestor has to dominate (be greater than or equal to) the integrity level of the resource; if it does not, then the requested access is checked to see if it conflicts with the MIC policy on the resource. For example, if the No Read Up policy is specified then read requests will be rejected.

There are two main types of access rights: generic access rights (read, write and execute) and object-specific access rights (e.g.
terminate a process, read a file, or add a file to a directory). Since MIC policies are defined in terms of generic access rights, the mapping to object-specific access rights is important, as it determines precisely which operations are disallowed by the policy. Once the full set of permitted operations on higher integrity objects is known, we can look for operations which may facilitate privilege escalation.

This mapping between object-specific access rights and generic read, write and execute permissions is defined per resource type and stored in a GENERIC_MAPPING structure. The structure is passed to access control functions in the Windows API and is defined below: [17, 18]

    typedef struct _GENERIC_MAPPING {
        ACCESS_MASK GenericRead;
        ACCESS_MASK GenericWrite;
        ACCESS_MASK GenericExecute;
        ACCESS_MASK GenericAll;
    } GENERIC_MAPPING;
    typedef GENERIC_MAPPING *PGENERIC_MAPPING;

As an example, generic write access to a file maps to the right to modify or append to the file's contents and to change the file's attributes on the file system.

Specific mappings which were deemed to be of interest are listed below:

• The PROCESS_TERMINATE access right is granted on a higher integrity process, but THREAD_TERMINATE is not. This allows any process in the same session to be terminated by a less trusted process. If the security of a system relies on a process running at all times, then granting this access right may introduce a security issue.
• The KEY_CREATE_LINK access right allows the creation of registry symbolic links which can point to any key within the same registry hive, regardless of the integrity level associated with the target key. HKEY_CURRENT_USER is one example of a registry symbolic link. This may allow a medium integrity process to be tricked by a low integrity process into modifying a medium integrity registry key. Also, a number of vulnerabilities have recently been discovered in this functionality which could be exploited by low integrity processes. [19]
• GENERIC_WRITE access is granted on a higher integrity Mutant (Mutex), but not on a Semaphore or an Event. Mutants, Semaphores and Events are all synchronisation objects.
• Requesting no access (an empty access mask) on a higher integrity file is permitted, but this is not true of other types of object. This is merely an inconsistency, which may or may not have any security impact.

These GENERIC_MAPPINGs may have been influenced by a number of factors, including application compatibility. But now that they have been chosen they are unlikely to change, and therefore they define potential avenues of attack when trying to elevate between integrity levels.

Until now, only securable kernel objects have been discussed, but there are a number of other resources which are not subject to Mandatory Integrity Control. One example is network sockets. This resulted in the first bypass of Protected Mode Internet Explorer. The issue was fixed in Windows Vista Beta 2. [20]

Mandatory Integrity Control also does not cover a number of other resources, including the Service Control Manager; this allows weak service access control to be exploited, even by a low integrity process.

The most important limitation of Mandatory Integrity Control is that it only provides integrity of the operating system. As a result, it does nothing to protect the confidentiality of a user's files from a compromised low integrity process. But by protecting the integrity of a user's data, recoverability can be provided: provided Protected Mode cannot be bypassed, malware will be unable to persist across reboots. A side-effect is that if you never reboot your workstation, malware will be able to persist for long periods of time.
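The following is an added example, not code from the paper, that models the mandatory label check as the two passages above describe it: the S-1-16-* label SID is parsed, only the first SYSTEM_MANDATORY_LABEL_ACE in the SACL counts, the requestor's integrity level is compared with the object's, and only when the requestor does not dominate are the generic rights named by the label's policy denied after expansion through the object type's GENERIC_MAPPING. The policy bits, GENERIC_* bits, level RIDs and the handful of object rights are real Windows values; PROCESS_MAPPING and FILE_MAPPING are constructed for illustration (they encode the paper's observation that PROCESS_TERMINATE is not blocked by No Write Up, not the kernel's actual tables), and all function names are this example's own.

```python
"""Model of the Windows mandatory label check (added example, not from the paper).

Order follows the text: find the first SYSTEM_MANDATORY_LABEL_ACE in the SACL,
compare the requestor's integrity level with the label's S-1-16-* SID, and only
if the requestor does not dominate the object deny the generic rights named by
the label's policy, expanded through the object type's GENERIC_MAPPING.
The discretionary (DACL) check that follows in Windows is not modelled.
"""
from dataclasses import dataclass

# Policy bits in the label ACE's access mask and GENERIC_* request bits (real values).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
# Integrity level RIDs used in S-1-16-<rid> SIDs and a few real object-specific rights.
IL_LOW, IL_MEDIUM, IL_HIGH = 0x1000, 0x2000, 0x3000
PROCESS_TERMINATE, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0001, 0x0010, 0x0020
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002


@dataclass(frozen=True)
class GenericMapping:
    """Python mirror of the GENERIC_MAPPING structure shown above."""
    generic_read: int
    generic_write: int
    generic_execute: int
    generic_all: int


# CONSTRUCTED mappings for illustration, not the kernel's tables. They encode the
# paper's observation that PROCESS_TERMINATE lies outside the process GenericWrite
# set (so No Write Up does not block it) while virtual memory access lies inside.
PROCESS_MAPPING = GenericMapping(PROCESS_VM_READ, PROCESS_VM_WRITE, 0,
                                 PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_TERMINATE)
FILE_MAPPING = GenericMapping(FILE_READ_DATA, FILE_WRITE_DATA, 0,
                              FILE_READ_DATA | FILE_WRITE_DATA)


def integrity_level_from_sid(sid):
    """Integrity RID of a mandatory label SID such as S-1-16-8192 (Medium)."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid}")
    rid = int(parts[3])
    if not 0 <= rid <= 0xFFFF:  # the level is a 16-bit value
        raise ValueError(f"integrity level out of range: {rid}")
    return rid


def first_mandatory_label(sacl):
    """Only the first label ACE counts; surplus labels are ignored."""
    for ace in sacl:
        if ace["type"] == "SYSTEM_MANDATORY_LABEL_ACE":
            return ace["sid"], ace["mask"]
    return None


def map_generic_mask(requested, mapping):
    """Expand GENERIC_* bits into object-specific rights, as RtlMapGenericMask does."""
    specific = requested & 0x0FFFFFFF  # drop the four generic bits, keep the rest
    for bit, rights in ((GENERIC_READ, mapping.generic_read), (GENERIC_WRITE, mapping.generic_write),
                        (GENERIC_EXECUTE, mapping.generic_execute), (GENERIC_ALL, mapping.generic_all)):
        if requested & bit:
            specific |= rights
    return specific


def mandatory_check(requestor_il, sacl, requested, mapping):
    """True when the mandatory label check passes (the DACL may still deny).
    An object with no label is treated as Medium with No Write Up, as Windows does."""
    label_ace = first_mandatory_label(sacl)
    if label_ace is None:
        object_il, policy = IL_MEDIUM, NO_WRITE_UP
    else:
        object_il, policy = integrity_level_from_sid(label_ace[0]), label_ace[1]
    if requestor_il >= object_il:  # requestor dominates: MIC imposes nothing
        return True
    denied = 0
    if policy & NO_WRITE_UP:
        denied |= mapping.generic_write
    if policy & NO_READ_UP:
        denied |= mapping.generic_read
    if policy & NO_EXECUTE_UP:
        denied |= mapping.generic_execute
    return (map_generic_mask(requested, mapping) & denied) == 0


def label(sid, mask):
    """Build a mandatory label ACE in the dict form used by this model."""
    return {"type": "SYSTEM_MANDATORY_LABEL_ACE", "sid": sid, "mask": mask}


def demo():
    """A low integrity requestor against medium integrity objects."""
    medium_process = [label("S-1-16-8192", NO_WRITE_UP | NO_READ_UP)]  # processes carry both policies
    medium_file = [label("S-1-16-8192", NO_WRITE_UP)]
    return {
        "terminate": mandatory_check(IL_LOW, medium_process, PROCESS_TERMINATE, PROCESS_MAPPING),
        "vm_write": mandatory_check(IL_LOW, medium_process, PROCESS_VM_WRITE, PROCESS_MAPPING),
        "vm_read": mandatory_check(IL_LOW, medium_process, PROCESS_VM_READ, PROCESS_MAPPING),
        "generic_all": mandatory_check(IL_LOW, medium_process, GENERIC_ALL, PROCESS_MAPPING),
        "file_read": mandatory_check(IL_LOW, medium_file, FILE_READ_DATA, FILE_MAPPING),
        "file_write": mandatory_check(IL_LOW, medium_file, FILE_WRITE_DATA, FILE_MAPPING),
        "file_no_access": mandatory_check(IL_LOW, medium_file, 0, FILE_MAPPING),
        "peer_write": mandatory_check(IL_MEDIUM, medium_file, FILE_WRITE_DATA, FILE_MAPPING),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15} {'allowed' if allowed else 'denied'}")
```

The per-type special cases the paper lists (an empty access mask being accepted on files but not on other object types, Mutants granting GENERIC_WRITE) are not modelled; the point of the model is the order of operations, which is what makes the generic-to-specific mapping decisive.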
2. Design and implementation of Protected Mode Internet Explorer

To protect the integrity of the user's machine in the case of successful exploitation, untrusted web sites are rendered in low integrity Internet Explorer tabs. In Internet Explorer 8, these tabs sit side by side with tabs rendered at other integrity levels through the Loosely-Coupled Internet Explorer (LCIE) functionality, whereas in Internet Explorer 7 these tabs would have resided in different browser windows entirely. In both cases, an Internet Explorer broker process coordinates tabs and windows both inside and outside of Protected Mode. [21]

The broker process runs at either medium (un-elevated) or high (elevated) integrity and provides functionality to the low integrity browser windows via the Protected Mode API. Communication is implemented via Local Procedure Calls (LPC). [22]

The Protected Mode API is very restricted and many of the actions require user intervention to succeed; therefore this API has not been extensively investigated as part of this research. There is another interface between the broker and low integrity processes which is implemented using a shared section and a mutex, called "LRIEElevationPolicy_" and "LRIEElevationPolicyMutex" respectively, but again this has not been investigated.

An application compatibility shim layer (IEShims.dll), which intercepts function calls (by inserting hooks) in the low integrity process, allows the Internet Explorer process to run transparently at low or medium integrity by rewriting file system and registry paths and redirecting process launch requests to the broker process.

The following APIs and their variants are hooked:

• CreateProcess()
• CoCreateInstance()
• CoGetClassObject()
• LoadLibrary()
• GetProcAddress()
• File path functions
• File access functions
• Registry access functions

ShellExecute() is not hooked by the shim, but it may call CreateProcess(), which is hooked.

Calling CreateProcess(), CoCreateInstance() or ShellExecute() will transfer the process launch request to the higher integrity Internet Explorer broker process. The Internet Explorer broker process will then make a decision on the application launch as per the policy stored in the system registry at: [23]

    (HKLM|HKCU)\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\

Quoting from Microsoft's documentation, the policy options for how Protected Mode should launch a registered broker are:

Value  Result                                                                       Example
3      Protected Mode silently launches the broker as a medium integrity process.   winword.exe
2      Protected Mode prompts the user for permission to launch the process. If     All other processes (default setting)
       permission is granted, the process is launched as a medium integrity process.
1      Protected Mode silently launches the broker as a low integrity process.      iexplore.exe
0      Protected Mode prevents the process from launching.                          cmd.exe

Through the hooking of the low integrity Internet Explorer process, the Protected Mode API exposed by the Internet Explorer broker process and other application compatibility techniques, a large number of in-process Internet Explorer extensions work at low integrity without modification. However, other more complicated add-ins and applications require modification. As a result of this incompatibility and Microsoft's dedication to backwards compatibility, not all Internet Explorer zones render their member sites in Protected Mode.
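Since every registration with Policy 3 is a silent route from a low integrity tab to a medium integrity process (the low integrity caller supplies the command line that the broker passes on), the ElevationPolicy key is the first thing to review on a hardened workstation. The following is an added example, not code from the paper or from Microsoft, that parses a `reg export` of the key quoted above and reports such entries. The .reg text is a constructed sample with placeholder GUIDs, names and paths; the list of low integrity writable directories is an assumption of the example (the LocalLow profile folder and the Low folder under Temp), and all function names are its own.

```python
"""Audit of Protected Mode ElevationPolicy registrations (added example, not from the paper).

Parses a .reg export of the ElevationPolicy key and reports entries whose Policy
value lets a low integrity tab start a medium integrity process without a prompt.
"""
import re

# CONSTRUCTED sample in the format `reg export` writes (real exports are UTF-16
# and must be decoded first). GUIDs, names and paths are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}]
"AppName"="winword.exe"
"AppPath"="C:\\Program Files\\Example Office"
"Policy"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000002}]
"AppName"="iexplore.exe"
"AppPath"="C:\\Program Files\\Internet Explorer"
"Policy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000003}]
"AppName"="cmd.exe"
"AppPath"="C:\\Windows\\System32"
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000004}]
"AppName"="updater.exe"
"AppPath"="C:\\Users\\alice\\AppData\\LocalLow\\ExampleVendor"
"Policy"=dword:00000003
"""

# Meaning of the Policy value, from the table above: (integrity level, mode).
POLICY = {3: ("medium", "silent"), 2: ("medium", "prompt"),
          1: ("low", "silent"), 0: (None, "blocked")}

# ASSUMPTION of this example: directories a low integrity process can normally
# write to, so a Policy 3 binary located there could simply be replaced.
LOW_WRITABLE_MARKERS = ("\\appdata\\locallow\\", "\\temp\\low\\")

KEY_RE = re.compile(r"\\ElevationPolicy\\\{[0-9A-Fa-f-]{36}\}$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text):
    """One dict per ElevationPolicy GUID subkey; dword values become ints."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None  # the parent key and unrelated keys are skipped
            if KEY_RE.search(line[1:-1]):
                current = {"Key": line[1:-1]}
                entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, dword, string = m.groups()
        current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return entries


def describe_policy(value):
    """Human readable form of a Policy value, per the table above."""
    level, mode = POLICY.get(value, (None, "unknown"))
    if mode == "blocked":
        return "launch prevented"
    if mode == "unknown":
        return f"unrecognised policy value {value!r}"
    how = "without prompting" if mode == "silent" else "after prompting the user"
    return f"launched at {level} integrity {how}"


def audit(entries):
    """Return (severity, AppName, reason) for registrations worth reviewing."""
    findings = []
    for e in entries:
        policy, name = e.get("Policy"), e.get("AppName", "?")
        path = e.get("AppPath", "").lower().rstrip("\\") + "\\"
        if policy == 3:
            if any(marker in path for marker in LOW_WRITABLE_MARKERS):
                findings.append(("critical", name,
                                 "silent medium launch of a binary under a low integrity writable directory"))
            else:
                findings.append(("high", name,
                                 "silent medium launch; the command line comes from the low integrity caller"))
        elif policy not in POLICY:
            findings.append(("info", name, describe_policy(policy)))
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{severity:8} {name:14} {reason}")
```

On a real system the same audit has to be run against both the HKLM and HKCU copies of the key, since the broker consults both; a user-writable HKCU registration with Policy 3 is as useful to an attacker as a machine-wide one.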
Each Internet Explorer zone defines a set of security policies for pages rendered in that zone, and enabling Protected Mode is one of the available settings. In the latest versions of Internet Explorer 7 and 8, the default policies for workstations are: [24]

Zone               Protected Mode
Internet           On
Local Intranet*    Off**
Trusted Sites      Off
Restricted Sites   On
Local Computer     Off

* The Local Intranet Zone is disabled unless the workstation is domain joined, or the user explicitly enables the zone when prompted.
** Protected Mode was previously enabled for the Local Intranet Zone. [25]

This policy means that whether Protected Mode is enabled or not is predicated on the zone membership of the page being loaded, which has significant implications for the feature.

3. Generic Attack Patterns against Protected Mode Internet Explorer

In this section, a number of attack patterns are described which, either individually or combined, could allow the protection offered by Protected Mode to be bypassed in different circumstances. The section focuses on attacks which have little standalone value (unlike, for example, local kernel exploits) or which become more significant when attacking Protected Mode Internet Explorer.

The first pattern is that of a remote Internet Explorer zone escalation. In this attack, an attacker has a web page rendered in one zone, normally the "Internet Zone". From this web page they are able to get malicious content rendered in a more permissive zone where Protected Mode is disabled, such as the "Local Intranet Zone" or the "Trusted Sites Zone". A number of ways to do this are possible, including:

• Spoofing a website in the Trusted Sites list which is accessed over HTTP instead of HTTPS.
• Having a web server reachable through an address which is recognised as a member of the Local Intranet Zone (e.g. UNC paths, unqualified hostnames).
• Persistent or reflected Cross Site Scripting (XSS) attacks against sites rendered in an Internet Explorer zone where Protected Mode is disabled. [26]

Also, any URL parsing bugs in the implementation of IInternetSecurityManager::MapUrlToZone() would allow Internet Explorer zone escalation. [27]

A local Internet Explorer zone escalation attack is the same as a remote Internet Explorer zone escalation attack, except that the attacker is already able to execute arbitrary code on the same machine as the victim.
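Because Protected Mode is switched on or off by zone, the zone-mapping rules are the real policy. The following is an added example, not code from the paper, that models the subset of zone mapping the attack patterns above rely on (Trusted Sites entries with and without the "require https" flag, dotless intranet hostnames, UNC paths, Restricted Sites) together with the default Protected Mode setting per zone from the table, and then lists the Trusted Sites entries an on-path attacker could impersonate over plain HTTP. It is a simplified stand-in for IInternetSecurityManager::MapUrlToZone(), not its implementation: the `(scheme, host)` tuple form of the site lists, the wildcard handling and every function name are assumptions of the example, and proxy bypass lists and other real mapping rules are left out.

```python
"""Zone mapping and Protected Mode defaults (added example, not from the paper)."""
from urllib.parse import urlsplit

ZONE_INTERNET, ZONE_INTRANET, ZONE_TRUSTED, ZONE_RESTRICTED, ZONE_LOCAL = (
    "Internet", "Local Intranet", "Trusted Sites", "Restricted Sites", "Local Computer")

# Default Protected Mode setting per zone, from the table above.
PROTECTED_MODE_DEFAULT = {
    ZONE_INTERNET: True, ZONE_INTRANET: False, ZONE_TRUSTED: False,
    ZONE_RESTRICTED: True, ZONE_LOCAL: False,
}


def _host_matches(host, pattern):
    """Site-list entries are exact hosts or *.domain wildcards (assumed form)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def map_url_to_zone(url, trusted_sites=(), restricted_sites=(), intranet_enabled=True):
    """Simplified stand-in for IInternetSecurityManager::MapUrlToZone().

    trusted_sites holds (scheme, host) tuples; scheme is "https" when the entry
    was added with server verification required, "http" or "*" otherwise.
    restricted_sites holds plain host patterns.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme == "file" and not parts.netloc:  # local path such as file:///C:/...
        return ZONE_LOCAL
    if any(_host_matches(host, p) for p in restricted_sites):
        return ZONE_RESTRICTED
    for entry_scheme, pattern in trusted_sites:
        if _host_matches(host, pattern) and entry_scheme in ("*", scheme):
            return ZONE_TRUSTED
    if intranet_enabled:
        if scheme == "file" and parts.netloc:  # UNC path: file://server/share
            return ZONE_INTRANET
        if host and "." not in host:           # unqualified hostname
            return ZONE_INTRANET
    return ZONE_INTERNET


def protected_mode_for(url, **site_lists):
    """Whether a page at url renders in a Protected Mode tab under the defaults."""
    return PROTECTED_MODE_DEFAULT[map_url_to_zone(url, **site_lists)]


def spoofable_trusted_sites(trusted_sites):
    """Trusted Sites entries reachable over plain HTTP: an attacker on the network
    path can impersonate them and have content rendered with Protected Mode off."""
    return [host for scheme, host in trusted_sites if scheme in ("http", "*")]


if __name__ == "__main__":
    # CONSTRUCTED site list for demonstration.
    trusted = [("https", "bank.example"), ("http", "legacy.example"), ("*", "*.corp.example")]
    for u in ("https://bank.example/", "http://bank.example/", "http://intranet/",
              "file://fileserver/share/page.html", "http://www.example.com/"):
        print(f"{u:40} {map_url_to_zone(u, trusted_sites=trusted):15} "
              f"protected_mode={protected_mode_for(u, trusted_sites=trusted)}")
    print("spoofable over HTTP:", spoofable_trusted_sites(trusted))
```

The two escalation paths in the bullet list fall out directly: a dotless hostname or a UNC path lands in the Local Intranet zone when that zone is enabled, and a Trusted Sites entry added without server verification is matched for http:// as well as https://, so whoever can answer for that name on the network gets a tab with Protected Mode off.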