Mailing List Archive

Exploiting memory corruption vulnerabilities on Internet Explorer 8
Microsoft released Internet Explorer 8 on March 19, 2009, and up to now
there's no reliable method to exploit memory corruption vulnerabilities on
it?

I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in
the IFRAME overflow exploit [1], which has been used by almost every IE
memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP
and ASLR protections, making heap spray useless. Then Mark Dowd and
Alexander Sotirov published their great paper - Bypassing Browser Memory
Protections [2] - providing some excellent techniques, mainly the .NET binary
technique, which bypasses DEP and ASLR and was used by Nils at the latest
Pwn2Own to own Internet Explorer 8 RC (Release Candidate) [3], and was used
to mass-exploit other vulnerabilities [4]. One day after Nils owned IE8 RC,
Microsoft released Internet Explorer 8 RTM and blocked the option to load
.NET DLLs from the Internet zone and Restricted sites zone. Due to the fact
that most IE exploitation doesn't occur in the Intranet/Trusted sites/Local
machine zones, this makes the .NET DLL technique irrelevant most of the
time.
So my question is - is there no reliable method to exploit memory corruption
vulnerabilities in Internet Explorer 8?


[1] http://milw0rm.com/exploits/612
[2] http://taossa.com/archive/bh08sotirovdowd.pdf
[3] http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
[4] http://milw0rm.com/exploits/8969

--
Best wishes,
Freddie Vicious
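Whether DEP and ASLR actually cover a given module is decided per image by the DllCharacteristics field of its PE optional header (the /DYNAMICBASE and /NXCOMPAT linker opt-ins); a module that lacks DYNAMIC_BASE is mapped at its preferred ImageBase regardless of the OS setting, which is what makes a non-randomized DLL in the process a usable fixed-address source of code. The following C program is an added example, not code from the thread or from any of the papers cited: a bounds-checked parser for that field that an engineer can run over the modules loaded in a browser process to find the ones that opt out. The PE image it parses is a constructed header-only sample built by build_sample_pe, not a real binary, and the helper names are the author's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linker opt-in bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics (winnt.h).
 * A module without DYNAMIC_BASE is mapped at its preferred ImageBase even on
 * an ASLR-capable OS; without NX_COMPAT the loader may leave DEP off for the
 * process when the policy is OptIn. */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040u
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100u
#define PE32_MAGIC     0x010Bu
#define PE32PLUS_MAGIC 0x020Bu
/* DllCharacteristics sits at +70 in both PE32 and PE32+: the 8-byte ImageBase
 * of PE32+ occupies the bytes PE32 uses for BaseOfData plus a 4-byte ImageBase. */
#define OPT_HDR_DLLCHAR_OFF 70

enum { PE_OK = 0, PE_ERR_SHORT = -1, PE_ERR_MAGIC = -2 };

typedef struct {
    uint16_t opt_magic;           /* PE32_MAGIC or PE32PLUS_MAGIC */
    uint16_t dll_characteristics; /* raw field */
    int aslr;                     /* DYNAMIC_BASE set */
    int nx;                       /* NX_COMPAT set */
} pe_mitigations;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk DOS header -> PE signature -> file header -> optional header. Every
 * offset is checked against len first, so a truncated or hostile image cannot
 * push the parser outside the buffer. */
int pe_inspect(const uint8_t *buf, size_t len, pe_mitigations *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4Du)              /* "MZ" */
        return PE_ERR_MAGIC;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20)       /* "PE\0\0" + IMAGE_FILE_HEADER */
        return PE_ERR_SHORT;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != 0x00004550u)                          /* "PE\0\0" */
        return PE_ERR_MAGIC;
    uint16_t opt_size = rd16(nt + 4 + 16);               /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + 20;
    if (opt_size < OPT_HDR_DLLCHAR_OFF + 2 || len - (size_t)(opt - buf) < opt_size)
        return PE_ERR_SHORT;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC)
        return PE_ERR_MAGIC;
    out->opt_magic = magic;
    out->dll_characteristics = rd16(opt + OPT_HDR_DLLCHAR_OFF);
    out->aslr = (out->dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    out->nx   = (out->dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    return PE_OK;
}

/* Constructed header-only PE image for offline testing (not a real binary):
 * 64-byte DOS header, PE signature, file header, 96-byte optional header.
 * Returns bytes written, or 0 if cap is too small. */
#define SAMPLE_OPT_SIZE 96u
#define SAMPLE_PE_LEN   (0x40u + 4u + 20u + SAMPLE_OPT_SIZE)
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t opt_magic, uint16_t dllchars)
{
    if (cap < SAMPLE_PE_LEN) return 0;
    memset(buf, 0, SAMPLE_PE_LEN);
    wr16(buf, 0x5A4Du);                                   /* "MZ" */
    wr32(buf + 0x3C, 0x40u);                              /* e_lfanew */
    wr32(buf + 0x40, 0x00004550u);                        /* "PE\0\0" */
    wr16(buf + 0x40 + 4 + 16, (uint16_t)SAMPLE_OPT_SIZE); /* SizeOfOptionalHeader */
    wr16(buf + 0x40 + 24, opt_magic);                     /* optional header magic */
    wr16(buf + 0x40 + 24 + OPT_HDR_DLLCHAR_OFF, dllchars);
    return SAMPLE_PE_LEN;
}

/* Build a sample, optionally truncate it, parse it. Returns (aslr << 1) | nx
 * on success or the negative PE_ERR_* code. */
int sample_mitigation_bits(uint16_t opt_magic, uint16_t dllchars, size_t truncate_to)
{
    uint8_t buf[SAMPLE_PE_LEN];
    pe_mitigations m;
    size_t n = build_sample_pe(buf, sizeof buf, opt_magic, dllchars);
    if (truncate_to && truncate_to < n) n = truncate_to;
    int rc = pe_inspect(buf, n, &m);
    return rc == PE_OK ? (m.aslr << 1) | m.nx : rc;
}

int main(void)
{
    uint16_t both = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
    printf("hardened module -> bits %d\n", sample_mitigation_bits(PE32_MAGIC, both, 0));
    printf("opted-out module -> bits %d\n", sample_mitigation_bits(PE32PLUS_MAGIC, 0, 0));
    printf("truncated image -> rc %d\n", sample_mitigation_bits(PE32_MAGIC, both, 100));
    return 0;
}
```

To use it on a real process, read each loaded module's file (or its mapped headers) into a buffer and call pe_inspect; any module reporting aslr == 0 is loaded at a fixed address and deserves the same attention as the user-controlled .NET binaries in the technique above.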
Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8
FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
moment.

Cheers,

SkyLined

Berend-Jan Wever <berendjanwever@gmail.com>
http://skypher.com/SkyLined




On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious <fred.vicious@gmail.com> wrote:

> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
> DEP/ASLR there... But as you said, so far there's no known "catch-all"
> technique against IE8.
> Along with other security features
> (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
> this basically means that IE8 is the most secure web browser nowadays?
>
> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.demott@harris.com> wrote:
>
>> I'm not aware of any catch-all technique just for IE8, though there are
>> a few common ones like return oriented programming. Application
>> specific techniques are also common when third party extensions are
>> involved.
>>
>> --
>> __________________________________________
>> Jared D. DeMott
>> Principal Security Researcher
>>
>>
>
>
> --
> Best wishes,
> Freddie Vicious
> http://twitter.com/viciousf
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8
On Thu, 01 Oct 2009 21:55:37 +0200, Berend-Jan Wever said:

> FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
> moment.

Is that "I believe it can, but there's no proof yet", or "based on non-public
sources, I know for a fact it can"?
Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8
> Along with other security features
> (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
> this basically means that IE8 is the most secure web browser nowadays?

If memory serves me right, it's been a while since we've witnessed
successful, large-scale exploitation of memory corruption flaws in any
browser, and it's probably not the most common exploitable security
lapse these days.

This is partly because many of the modern defenses - such as DEP/NX,
ASLR, canaries, lower privileges / sandboxing - are becoming more
prevalent across all browsers and operating systems; partly because
browsers seem to be doing a lot of in-house fuzzing (for MSIE, Firefox,
and Chrome, this is probably pretty evident); and last but not least,
in part because of the changing landscape for security disclosure:
researchers are heavily incentivized to sell vulnerabilities instead
(keeping the public as such generally safe, but probably greatly
increasing exposure windows for targeted attacks).

In the browser world, many other problems can have profound security
consequences, however; browser chrome privilege escalations, zone
fenceposts, even universal XSSes (made more serious by the fact more
and more of our sensitive data is handled by web applications), and
other design errors that allow much simpler paths of privilege
escalation (sometimes including system compromise) are taking the
center stage, particularly for malware distribution and other
large-scale attacks. In this department, most vendors have several
skeletons in the closet (Microsoft with content sniffing and zone
model complexity, Firefox and some other browsers with privileged
JavaScript used to implement extensions and UIs, etc).

Anyhow - in the end, I would be tempted to say that the differences
between browsers are much less pronounced than the media feels
compelled to say; but this new fierce competition between vendors is
exceptional, highly notable, and very beneficial for the industry in
the long run. For example, were it not for Firefox's claims of superior
security and the ensuing market adoption, we would probably not see a
sudden push for security features in MSIE8; and were it not for
Microsoft's response, Mozilla folks would likely not feel compelled to
keep up their in-house fuzzing efforts and security improvements in
FF3 and 3.5. Then add Chrome to the mix, and it gets even more
interesting...

/mz

PS. As for malware filtering - also not a feature unique to any
particular browser these days - I do not quite see the relevance to
this discussion. Anti-malware checks improve the safety of casual
browsing for the general public - and hence have a positive effect on the
health of the Internet as a whole - but they do not render any
particular browser less likely to have exploitable vulnerabilities.

Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8
On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious <fred.vicious@gmail.com> wrote:

> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
> DEP/ASLR there... But as you said, so far there's no known "catch-all"
> technique against IE8.
> Along with other security features
> (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
> this basically means that IE8 is the most secure web browser nowadays?
>

Depends. IMHO there is no "most secure browser" (there is never a "most
secure" piece of software). But there is a more secure environment in
which the browser runs. There is some difference between running Firefox
on Windows XP and running Firefox within an SELinux guest account under Fedora.

> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.demott@harris.com> wrote:
>
>> I'm not aware of any catch-all technique just for IE8, though there are
>> a few common ones like return oriented programming. Application
>> specific techniques are also common when third party extensions are
>> involved.
>>
>> --
>> __________________________________________
>> Jared D. DeMott
>> Principal Security Researcher
>>
>>
>
>
> --
> Best wishes,
> Freddie Vicious
> http://twitter.com/viciousf
>
>
Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8
Yeah, it's pretty obvious that there's one way or another to bypass DEP and
ASLR, but if you choose not to share it and don't have anything useful to say,
it would be better not to say anything.

On Thu, Oct 1, 2009 at 12:55 PM, Berend-Jan Wever <berendjanwever@gmail.com> wrote:

> FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
> moment.
>
> Cheers,
>
> SkyLined
>
> Berend-Jan Wever <berendjanwever@gmail.com>
> http://skypher.com/SkyLined
>
>
>
>
> On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious <fred.vicious@gmail.com> wrote:
>
>> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
>> DEP/ASLR there... But as you said, so far there's no known "catch-all"
>> technique against IE8.
>> Along with other security features
>> (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
>> this basically means that IE8 is the most secure web browser nowadays?
>>
>> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott <jared.demott@harris.com> wrote:
>>
>>> I'm not aware of any catch-all technique just for IE8, though there are
>>> a few common ones like return oriented programming. Application
>>> specific techniques are also common when third party extensions are
>>> involved.
>>>
>>> --
>>> __________________________________________
>>> Jared D. DeMott
>>> Principal Security Researcher
>>>
>>>
>>
>>
>> --
>> Best wishes,
>> Freddie Vicious
>> http://twitter.com/viciousf
>>
>>
>
>


--
Best wishes,
Freddie Vicious
http://twitter.com/viciousf