Dailydave mailing list archives

IE Protected Mode


From: dave <dave () immunityinc com>
Date: Tue, 09 Feb 2010 12:50:01 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So one thing we noticed when testing aurora_flash today on Windows 7 is
that you can do this:

1. Own Windows 7 IE running as a normal user with Aurora_Flash
2. Run NTVDM exploit
3. Use Local/SYSTEM rights to do whatever you want.

Of course, step 2 won't work on a 64-bit Windows 7, and step 1 is not as
reliable as we'd like (the "aurora" part of "aurora_flash" can be a bit
tricky).

Nevertheless, it's a compelling demo when your customer says "But I'm on
Windows 7!". There's a tendency for "multi-layer defense" to coalesce
into one layer. I'm not sure what to call that, but it's pretty common.
Think "CLOUDBURST vs VMWare" and "Spender vs SELINUX" and all the other
similar protections that in many cases have no effect at all.

Another thing we're including in today's CANVAS release is our test
framework, so if you want you can automate testing against lots of VMs.
Basically, it starts them up, reverts them to a snapshot, sets up a
bunch of stuff to run the exploits, and then sees if they work, and then
shuts them down. You'd think with a heap overflow run like this that it
would work either 100% of the time or 0%, but the reality is, these
things can be affected by quantum tunnelling or something, and you get
them working row times in a row, and then failing ten times in a row.

- -dave


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAktxoEkACgkQtehAhL0gheo8MACdEGQ/vOGpt36PKJJz6nA8xmxP
vF8An1XeRtPZm9ShcWO0cjo+LhgUmK/C
=YMWP
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
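The snapshot-revert test loop and the clustered-failure observation in the post above, as an added example that is not part of the original message and not Immunity's CANVAS test framework: a generic harness that reverts a VM to a snapshot, runs a pass/fail test callable, shuts the VM down, and then checks whether the recorded outcomes are independent or cluster into streaks (a Wald-Wolfowitz runs test). The `Hypervisor` interface and `FakeHypervisor` are hypothetical stand-ins so the code runs offline; the trial outcomes are constructed.

```python
"""Snapshot-revert test loop plus reliability statistics.

Added example (not the CANVAS framework). `Hypervisor` is a hypothetical
interface; `FakeHypervisor` only records the calls it receives.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Protocol


class Hypervisor(Protocol):
    """Minimal controller interface assumed for this example."""
    def revert(self, vm: str, snapshot: str) -> None: ...
    def start(self, vm: str) -> None: ...
    def stop(self, vm: str) -> None: ...


@dataclass
class FakeHypervisor:
    """Constructed stand-in for a real VM controller: logs each call."""
    log: list[str] = field(default_factory=list)

    def revert(self, vm: str, snapshot: str) -> None:
        self.log.append(f"revert {vm} {snapshot}")

    def start(self, vm: str) -> None:
        self.log.append(f"start {vm}")

    def stop(self, vm: str) -> None:
        self.log.append(f"stop {vm}")


def run_trials(hv: Hypervisor, vm: str, snapshot: str,
               test: Callable[[], bool], n: int) -> list[bool]:
    """Run `test` n times, each from the identical snapshot state.

    Every trial reverts first so earlier runs cannot leak state (crashed
    processes, half-written files) into later ones, and the VM is always
    stopped even if the test raises.
    """
    results: list[bool] = []
    for _ in range(n):
        hv.revert(vm, snapshot)
        hv.start(vm)
        try:
            results.append(bool(test()))
        except Exception:
            results.append(False)  # a crash in the harness counts as a fail
        finally:
            hv.stop(vm)
    return results


def longest_streak(results: list[bool], value: bool) -> int:
    """Length of the longest run of consecutive `value` outcomes."""
    best = cur = 0
    for r in results:
        cur = cur + 1 if r == value else 0
        best = max(best, cur)
    return best


def runs_test_z(results: list[bool]) -> float:
    """Wald-Wolfowitz runs test statistic.

    Under independence the number of runs (maximal same-outcome blocks)
    has mean mu and variance var below; z well below zero means fewer
    runs than chance, i.e. passes and fails cluster into streaks, which
    is the 'ten in a row, then ten failures in a row' pattern.
    """
    n1 = sum(results)
    n2 = len(results) - n1
    if n1 == 0 or n2 == 0:
        return 0.0  # all-pass or all-fail: nothing to test
    runs = 1 + sum(1 for a, b in zip(results, results[1:]) if a != b)
    n = n1 + n2
    mu = 2 * n1 * n2 / n + 1
    var = 2 * n1 * n2 * (2 * n1 * n2 - n) / (n * n * (n - 1))
    return (runs - mu) / var ** 0.5


def summarize(results: list[bool]) -> dict[str, float]:
    """Success rate plus streak and clustering indicators."""
    return {
        "rate": sum(results) / len(results) if results else 0.0,
        "longest_pass_streak": longest_streak(results, True),
        "longest_fail_streak": longest_streak(results, False),
        "runs_z": runs_test_z(results),
    }


if __name__ == "__main__":
    # Constructed outcome script: ten passes, then ten failures.
    scripted = iter([True] * 10 + [False] * 10)
    hv = FakeHypervisor()
    res = run_trials(hv, "win7-x86", "clean", lambda: next(scripted), 20)
    print(summarize(res))
```

A success rate alone hides the clustering the post describes; the runs statistic separates "works 50% of the time at random" from "works or fails depending on something that persists across trials", which points at an uncontrolled variable in the test environment rather than at the test itself.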

