Dailydave mailing list archives
IE Protected Mode
From: dave <dave () immunityinc com>
Date: Tue, 09 Feb 2010 12:50:01 -0500
So one thing we noticed when testing aurora_flash today on Windows 7 is that you can do this:

1. Own Windows 7 IE running as a normal user with Aurora_Flash
2. Run NTVDM exploit
3. Use Local/SYSTEM rights to do whatever you want.

Of course, step 2 won't work on a 64-bit Windows 7, and step 1 is not as reliable as we'd like (the "aurora" part of "aurora_flash" can be a bit tricky). Nevertheless, it's a compelling demo when your customer says "But I'm on Windows 7!".

There's a tendency for "multi-layer defense" to coalesce into one layer. I'm not sure what to call that, but it's pretty common. Think "CLOUDBURST vs VMWare" and "Spender vs SELINUX" and all the other similar protections that in many cases have no effect at all.

Another thing we're including in today's CANVAS release is our test framework, so if you want you can automate testing against lots of VMs. Basically, it starts them up, reverts them to a snapshot, sets up a bunch of stuff to run the exploits, then sees if they work, and then shuts them down. You'd think with a heap overflow run like this that it would work either 100% of the time or 0%, but the reality is, these things can be affected by quantum tunnelling or something, and you get them working row times in a row, and then failing ten times in a row.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave