Protected Mode
. Internet Explorer 7 on Windows XP sp2
. Internet Explorer 7 on Windows XP sp3
. Internet Explorer 7 on Windows Vista sp1
. Internet Explorer 7 on Windows Vista sp2
. Internet Explorer 7 on Windows Server 2003 sp2 if Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 7 on Windows Server 2008 if Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 8 on Windows XP sp2
. Internet Explorer 8 on Windows XP sp3
http://www.akitasecurity.nl/advisory/AK20090402/003_dlm_launch_file_warning_dialog.png
Figure 3: Download Manager launch warning dialog
It should be noted that if Download Manager is started from Internet
Explorer on Windows Vista, an extra warning dialog is displayed when
Internet Explorer runs in Protected Mode. This warning is displayed because
Download Manager tries to start Manager.exe with the privileges of the
currently logged-on user, thus elevating from the low integrity Internet
Explorer process.
http://www.akitasecurity.nl/advisory/AK20090402/004_dlm_open_outside_protected_mode.png
4. *Vulnerable packages*
. Internet Explorer 5.01 Service Pack 4
. Internet Explorer 6.0
. Internet Explorer 6.0 Service Pack 1
. Internet Explorer 7 (not exploitable with Protected Mode on, available on Vista)
4.1. *Vulnerable platforms*
ZDI-11-249: (Pwn2Own) Microsoft Internet Explorer Protected Mode Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-249
August 9, 2011
-- CVSS:
6.4, (AV:N/AC:L/Au:N/C:P/I:P/A:N)
-- Affected Vendors:
*Vulnerable Packages*
. Internet Explorer 5 under Windows 2000/2003/XP
. Internet Explorer 6 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows Vista (when Protected Mode is turned off)
*Non-vulnerable Packages*
In order to exploit this vulnerability, an attacker must persuade a user
to render a malicious web page using Internet Explorer. This is usually
accomplished by providing a link to the malicious page in an e-mail or
instant message.
On Windows Vista, Internet Explorer 7 runs in "Protected Mode". Since
"Protected Mode" processes web pages with lower privileges than a
normal user, it lessens the impact of this vulnerability. However, it
does not prevent arbitrary code execution on the affected system.
IV. DETECTION
Microsoft has always had links to external applications. That isn't
new.
IE protected mode doesn't protect you as much as you assume. IE-PM
protects you from drive by downloads. If you download any program
manually it is executed in normal user mode (medium integrity) or in
elevated mode (high integrity) with admin rights if elevated. This is
the same for any program downloaded in IE and run by the user, or for a
Sidebar gadget. IE-PM protects you from the stuff the browser downloads
when you surf to a web site, but not from anything you intentionally
dialogs that users have to mechanically click through before they get to see
the dancing bunnies". There's no real security present that I can see, just a
lot of dialog boxes to click past. In fact the blog specifically mentions
things like:
Internet Explorer Protected Mode
Protected Mode is not applicable to gadgets as they are code present on the
local computer and interact with files and APIs on the local computer.
>PG> because it's moved the dancing
Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the user running Internet Explorer. In
order to be successful, a targeted user must render a maliciously
crafted web page.
On Vista, Internet Explorer 7 runs in Protected Mode, which has fewer
privileges than a normal user. It somewhat mitigates the impact of this
vulnerability, but does not prevent arbitrary code execution.
IV. DETECTION
Once an attacker can inject arbitrary JS code within the context of an
allowed domain, unsafe methods can be invoked to download and execute
arbitrary binaries.
A local privilege escalation flaw discovered in Consona's Repair
Service can be used to bypass IE8 Protected Mode, thus gaining SYSTEM
privileges.
The XSS flaw leads to a complete system compromise.
Technical Details:
- Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of
PatchGuard Version 3
Author: Skywing
- Exploitation Technology: Getting out of Jail: Escaping Internet
Explorer Protected Mode
Author: Skywing
- Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend
Author: David Maynor
a process into a Call-Gate (with DPL set to 3 and RPL to 0).
The paper also contains information about a possible LDT redirecting
into user-land memory.
The paper is specific to the Windows NT family (starting from Windows
2000 and XP) and to x86 protected mode.
The paper DOES NOT contain information about new or old
vulnerabilities. It only proposes a way to convert a potential
write-what-where vulnerability into code execution, in a stable
manner.
Our advanced binary planting research goes on... and it's time to reveal some
interesting hacks, for instance how to exploit binary planting (or DLL hijacking, if
you prefer the less suitable term) to execute remote malicious code through Internet
Explorer 9 in protected mode on Windows 7 - without issuing any security warnings. Or
how to do the same in Internet Explorer 8 on Windows XP, only even more stealthy.
The crux is described in our blog post:
http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html or
In practice, those distinctions rarely hold up under scrutiny. Remember
"Guest User" vs "User" vs "Power User"? MS has greatly de-emphasized the
utility of boundaries between privileges in the OS over time,
preferring instead to invent new ones that were more relevant to the
times. Witnesseth the recent discussions about the elevation token and
IE protected mode.
The best you can hope for is to maintain an effective boundary between
normal users and root/admin. But usually as soon as you install a few
off-the-shelf Windows or shareware apps, it's gone. Try this: install
your favorite "productivity" app in a non-default directory, e.g. C:\,
mode using iret. The iret instruction will restore the context required
to continue execution, such as code segment, instruction pointer, flags
and so on.
iret is a complex instruction whose pseudocode alone spans several pages
of the software developers manual. Interestingly, in protected mode it
is executed in two distinct stages, a pre-commit stage (before privilege
level is changed) and a post-commit stage (after privilege level is
changed). You can see the commit point in the pseudocode below (taken
from Intel manual, comment is ours)