/var/log/messages

This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.



Aurora and Web Browser Security


Jan 25, 2010

Germany's BSI (Federal Office for Information Security) recently warned web users not to use Microsoft Internet Explorer. The BSI advised users to switch to an alternative browser in the meantime, until a patch was made available. Shortly after this release France's Certa agency also issued a similar warning to users.

What is the implication of these statements? It would seem like an 0day for an "alternative browser" has just substantially increased in value.

But even though these alternate browsers might be safer to use given the current threat, are they actually more secure? To reach a conclusion about whether this is actually the case it is necessary to look at the actual risk of successful exploitation, assuming such 0day exists somewhere. This assumes that entities or groups with sophisticated skills, who are capable of writing exploits while sleeping and bypassing DEP at breakfast, also exist (which is a fair assumption).

On a current Windows 7 system with fully updated browsers the following situation exists:

DEP/ASLR in browsers on Win 7

Browser            DEP      ASLR
IE 8.0.7600.16385  Enabled  No DLL without ASLR in default process
Firefox 3.6        Enabled  Not properly used, e.g. nspr4.dll
Opera 10.10        Enabled  Not properly used, e.g. opera.exe
Safari 4.0.4       Enabled  Not properly used, e.g. dnssd.dll
Chrome 3.0.195.38  Enabled  Not properly used, e.g. icudt38.dll

We tested the default up-to-date installation of each browser in the table above on the Windows 7 Operating System. It should be noted that these results will vary substantially on different operating system versions. The actual ease of exploitation for these targets depends on a number of factors, for example, sandboxing techniques such as the Google Chrome Sandbox or IE 8's protected mode. Also, other weaknesses may allow DEP/ASLR to be bypassed such as the now patched Dowd/Sotirov technique. For the purposes of this assessment a measurement about the effectiveness of ASLR was obtained by observing the addresses of executable modules loaded in the default process.
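As an added example (not MWR's tooling, and not the runtime address observation the assessment used), the following Python check reads the opt-in flags in a PE image that decide whether a module participates in DEP and ASLR, which is the static counterpart of spotting a non-randomised module in a browser process. The stub PE builder and module names are constructed for illustration only.

```python
import struct

DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED: image cannot be rebased

def pe_mitigations(data: bytes) -> dict:
    """Read the DEP/ASLR opt-in flags from a PE image's COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4
    opt_size, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:        # PE32 / PE32+
        raise ValueError("unsupported optional header")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "dep": bool(dll_chars & NX_COMPAT),
        # DYNAMIC_BASE alone is not enough: without relocations the loader cannot move the image
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "relocs_stripped": relocs_stripped,
    }

def modules_without_aslr(modules: dict) -> list:
    """Given {module_name: image_bytes} loaded in one process, name the modules that weaken ASLR."""
    return sorted(name for name, img in modules.items() if not pe_mitigations(img)["aslr"])

def build_stub_pe(dll_chars: int, coff_chars: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not loadable) so the parser can be exercised offline."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xF0, coff_chars)   # SizeOfOptionalHeader = 0xF0
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt + b"\0" * (0xF0 - len(opt))
```

Run it over the on-disk images of every module a browser loads and a single entry in the returned list is enough to give an attacker a fixed address, which is the weakness the table records for four of the five browsers.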

Aside from the effort needed to produce a reliable exploit, another important factor in the risk exposed by the use of a particular browser is its market share. Internet Explorer is still in the (un)fortunate situation of being the market leader, which makes it a juicy target for the bad guys.

In order to make web browsing safer, effective OS exploit mitigation techniques and a fully updated browser are essential. Make sure you apply the Internet Explorer patch which was released on Thursday.


Solaris Debugging and Bug Hunting at ShmooCon 2010


Jan 18, 2010

Matt Hillman will be presenting the fruits of his Solaris research thus far at ShmooCon in Washington DC on the 6th of February. The abstract for his talk is shown below:

"Lately there has been a lot of excitement over the use of DTrace for bug hunting and reverse engineering purposes on platforms that support it such as Solaris. But there are a plethora of advanced tools and techniques out there for other more common x86 based platforms, so does DTrace really add that much? In this talk that question is examined by introducing RSol, a Ruby based debugging component for Solaris in a similar vein to PyDebug for Windows. RSol allows powerful bug hunting tools to be coded quickly, and using this the pros and cons are investigated of using DTrace vs more traditional debugging techniques to achieve different goals in different circumstances. The ultimate plan is for RSol to become a suite allowing debugging and DTrace based techniques to be used together in a complementary way."

If you can't make it to DC to see the talk, it will also be streamed live (along with the rest of ShmooCon) via uStream. This is the first year ShmooCon have done this, so let's hope it goes without a hitch!


Google Forensics (...beta)


Jan 18, 2010

Author: Ben Downton

File carving is a technique that can be used by forensic investigators to recover files from a disk. Forensic software can search through the raw data against a set of known file header signatures and extract items based on content rather than metadata.

This is particularly useful when examining the free space on a disk, as files that may no longer exist within the file system can be recovered. This can be particularly useful if the file system has changed, such as when a Windows system has been rebuilt as a Linux box.

It will not always be possible to recover the full path or original creation dates by file carving, as only the data contained within the file might remain. But the data itself can sometimes contain more information than timestamps could provide...

On the surface, the extraction of a Google logo from temporary internet files might not appear to be of any real relevance to a forensic examination. But what if the Google logo was of the Cookie Monster? This logo (shown below) was created to commemorate the 40th anniversary of Sesame Street, and replaced the standard Google logo on the site in selected countries on the 5th of November 2009. Similarly, forensic examiners viewing a pumpkin instead of the 'e' of Google can be fairly confident that the site was visited on the 31st of October 2009. A plasma covered logo from Nikola Tesla's birthday indicates activity on the 10th of July.

Whilst this technique cannot, of course, provide indisputable evidence, it demonstrates how the content of web based files can be used to build a more complete picture of how and when a machine has been used. It could even allow other evidence to be collected that may aid a case, particularly when recovering data from file or volume slack.

http://www.google.com/logos/cookie_monster-hp.gif
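As an added example (not the author's tooling), a small Python carver that recovers GIF images from raw disk data by walking the GIF block structure from each header signature to the trailer, then matches carved images against a table of known logo fingerprints to produce the kind of date hint described above. The tiny GIFs, the surrounding "disk" bytes and the fingerprint table are all constructed for illustration.

```python
import hashlib

def _skip_subblocks(raw: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks terminated by a zero byte."""
    while raw[pos] != 0:
        pos += 1 + raw[pos]
    return pos + 1

def gif_length(raw: bytes, start: int) -> int:
    """Walk the GIF block structure at `start`; return the image length, or -1 if malformed."""
    try:
        pos = start + 6                                 # 'GIF87a' / 'GIF89a'
        packed = raw[pos + 4]
        pos += 7                                        # logical screen descriptor
        if packed & 0x80:                               # global colour table present
            pos += 3 << ((packed & 7) + 1)
        while True:
            tag = raw[pos]
            pos += 1
            if tag == 0x3B:                             # trailer: image ends here
                return pos - start
            if tag == 0x21:                             # extension: label byte, then sub-blocks
                pos = _skip_subblocks(raw, pos + 1)
            elif tag == 0x2C:                           # image descriptor: 9 bytes after the tag
                packed = raw[pos + 8]
                pos += 9
                if packed & 0x80:                       # local colour table
                    pos += 3 << ((packed & 7) + 1)
                pos = _skip_subblocks(raw, pos + 1)     # LZW minimum code size, then data
            else:
                return -1
    except IndexError:                                  # ran off the end: truncated image
        return -1

def carve_gifs(raw: bytes) -> list:
    """Return (offset, image_bytes) for every structurally complete GIF found in raw data."""
    out, pos = [], 0
    while (pos := raw.find(b"GIF8", pos)) != -1:
        n = gif_length(raw, pos) if raw[pos:pos + 6] in (b"GIF87a", b"GIF89a") else -1
        if n > 0:
            out.append((pos, raw[pos:pos + n]))
        pos += n if n > 0 else 4                        # a false hit only skips the signature
    return out

def fingerprint(img: bytes) -> str:
    return hashlib.sha256(img).hexdigest()

def date_hints(raw: bytes, known: dict) -> list:
    """Map each carved image to a known logo date via its content hash ('unknown' otherwise)."""
    return [(off, known.get(fingerprint(img), "unknown")) for off, img in carve_gifs(raw)]

def make_gif(comment: bytes) -> bytes:
    """Constructed 1x1 GIF89a carrying a comment extension (for offline demonstration only)."""
    ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    img = b"\x2c" + b"\x00" * 9 + b"\x02\x02\x44\x01\x00"
    return b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + ext + img + b"\x3b"
```

Parsing the block structure rather than searching for the 0x3B trailer byte matters because that byte occurs freely inside compressed image data; a real examination would populate the fingerprint table from the archived logos at the URL above.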


Demo: Adobe Reader Exploit on Vista and 7


Jan 14, 2010

In response to the recent vulnerability in Adobe Reader, MWR InfoSecurity conducted some additional research in this area. We were able to confirm that the issue, otherwise referred to as the Adobe Reader "media.newPlayer" vulnerability, is also exploitable on Vista and Windows 7 with ASLR and DEP enabled. This can be observed in the following Flash demo:

Click here to view the demo

The research enabled an exploit to be crafted that works very reliably across multiple versions of Adobe Reader. Given these facts, MWR InfoSecurity highly recommends that everyone running the software installs the appropriate patch for the issue using the Adobe update software. In addition, it is recommended that JavaScript support within Adobe Reader is also disabled.


Presentation: DeepSec 2009 - Weapons of Mass Pwnage: Attacking Deployment Solutions


Dec 03, 2009

Luke Jennings presented at DeepSec '09 in Vienna, Austria regarding the security of deployment solutions and some of the recent vulnerabilities he discovered in Symantec's Altiris Deployment Solution. The slides for this presentation are available from:

http://labs.mwrinfosecurity.com/files/Publications/mwri_deepsec09_weapons-of-mass-pwnage_2009-11-20.pdf


