Attacks on the browser: armor versus projectile

    image

    These days it is hard to find an Internet user who has not installed additional plugins for their browser; plugins such as Flash are present on the vast majority of machines. It was precisely the appearance of such plugins that changed the landscape of modern exploit engineering: client-side security can no longer be controlled solely by browser developers. The security of every installed plugin matters just as much, because attackers can use it to inject malicious code into the system. The appearance of vulnerabilities in the products of the notorious Adobe, for example, brings with it a rise in the number of exploits aimed specifically at those vulnerabilities.
    Moreover, Adobe's slowness in closing these same vulnerabilities gives attackers a fairly large time window for successful attacks. One need not look far for a vivid example: CVE-2010-1297 was announced on June 4, and the hole was closed only on June 29, a window of more than three weeks for attacks against a publicly known but unpatched vulnerability. Since the beginning of this year we have noted a strong increase in the flow of exploits targeting Adobe products.
    The popularity of exploit packs that bundle exploits for Adobe products and can bypass DEP and ASLR is growing. Most interesting of all, some exploit packs have started to include mechanisms that automatically check whether the site hosting them has been blacklisted by popular reputation systems.

    image

    In building them, cybercriminals use polymorphic exploit-obfuscation mechanisms that modify the exploit code, either for each visitor or at set time intervals, without changing its functionality. This is done to defeat signature detection, and it quite effectively knocks out primitive detection methods. Recently, countermeasures against public sandboxes and automated analysis tools such as Wepawet and Jsunpack, and against the well-known methods for automatically unpacking obfuscated JavaScript, have begun to appear in exploit packs as well.
    Traffic to the site hosting the exploit pack is also acquired automatically: there may be a direct redirect or an entire chain of them. The cybercriminals selling this kind of traffic are mostly affiliates who control networks of compromised websites. The redirect is usually done with a simple iframe injection.

    image

    In recent years there has been a clear shift toward client-side attacks using exploits. Many mechanisms to counter them have already been introduced at the operating-system level, and it is thanks to these mechanisms that the skill threshold for anyone developing an exploit has risen considerably. Let us now look (briefly, of course :)) at the techniques cybercriminals use in modern exploit construction.

    DEP, ASLR and the like

    Bypassing DEP stopped being a problem long ago; the first open publications on the topic appeared several years back. Over time, however, the situation was complicated by the arrival of permanent DEP. The essence of this technology is that the process itself enables DEP at startup by calling SetProcessDEPPolicy() with PROCESS_DEP_ENABLE; once enabled this way, DEP cannot be turned off for the lifetime of the process, because disabling it would require another call to NtSetInformationProcess(), which is no longer permitted. As we can see, modern browsers (on XP SP3 and above) use this mechanism by default, which complicates the lives of exploit developers. As developers of security software, we can only welcome this.

    image

    Yet despite the countermeasures on offer, not all developers of mass-market software take their use equally seriously. Let us see how things have developed over time.

    image

    Despite the obvious progress compared with 2008, we nevertheless see that ASLR, for example, is still used only partially. For Adobe products there are workarounds, which is why the table marks support for some security mechanisms with an asterisk. These data come from Secunia's recent report "DEP / ASLR Neglected in Popular Programs". ASLR is a real problem for attackers only when it is used everywhere.
    Let us talk a little about how the most popular of these protection technologies are circumvented and how effective they are.

    Heap spraying

    Despite the obvious progress in operating-system countermeasures, researchers in both white and black hats keep looking for ways around them. The well-known exploitation methods of overwriting the return address or hijacking the SEH handler stopped working, so new techniques were needed. Alexander Sotirov can rightfully be considered an evangelist of exploitation methods based on JIT spraying: he was among the first to discuss the topic in detail publicly and to describe various exploitation methods using this technique.
    In general terms, the JIT spraying attack looks like this:
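    The heap spray that these techniques build on, as an added example written for this page (not code from the original article or from any real exploit): it shows the layout of one spray block, why the sled takes up almost all of it, and why the attacker only needs control flow to land at an arbitrary address inside the spray. The payload bytes, the block count, the block size and the heap base address are all constructed values chosen for the model:

```javascript
// The anatomy of a heap-spray block and the "jump anywhere inside the spray" effect.
const SLED_BYTE = 0x90;                  // x86 nop: execution slides forward one byte at a time
const PAYLOAD = Buffer.alloc(64, 0xcc);  // constructed stand-in for shellcode (int3 breakpoints)

// One block = [nop sled ........][payload], padded to exactly blockSize.
// Browser exploits of the period built the same thing from
// unescape("%u9090%u9090") strings concatenated up to about 1 MB per block.
function makeSprayBlock(blockSize, payload) {
  if (payload.length >= blockSize) throw new Error("payload must fit inside the block");
  const block = Buffer.alloc(blockSize, SLED_BYTE);
  payload.copy(block, blockSize - payload.length);
  return block;
}

// Allocate `count` identical blocks. In a browser they are kept alive in an array so the
// heap fills with copies of the block back to back.
function spray(count, blockSize, payload) {
  return Array.from({ length: count }, () => makeSprayBlock(blockSize, payload));
}

// Model the sprayed heap as contiguous blocks starting at `base` and classify what
// happens when hijacked control flow lands at `target`:
//   sled -> payload : lands on nops, slides into the shellcode (success)
//   mid-payload     : lands inside the shellcode itself (crash)
//   outside spray   : the guess missed the sprayed region (crash)
function simulateJump(blocks, blockSize, base, target) {
  const off = target - base;
  if (off < 0 || off >= blocks.length * blockSize) return "outside spray";
  const block = blocks[Math.floor(off / blockSize)];
  return block[off % blockSize] === SLED_BYTE ? "sled -> payload" : "mid-payload";
}

// Probability that a uniformly chosen address inside the spray lands on the sled;
// this is why the sled is made as large as memory allows.
function hitProbability(blockSize, payloadLength) {
  return (blockSize - payloadLength) / blockSize;
}

// Scaled-down run (16 x 64 KiB instead of hundreds of 1 MB blocks) with a 0x0c0c0c0c-style
// target that sits at an arbitrary offset inside the spray. `base` is an assumed heap start.
function demoSpray() {
  const blockSize = 0x10000;
  const base = 0x0a000000;
  const blocks = spray(16, blockSize, PAYLOAD);
  return {
    hit: simulateJump(blocks, blockSize, base, 0x0a0c0c0c),
    probability: hitProbability(blockSize, PAYLOAD.length),
  };
}
```

    The model deliberately ignores allocator headers and fragmentation; in a real engine the block size is tuned so that each block occupies exactly one allocation and the repeating pattern stays aligned across the spray.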

    image

    And at the system level, roughly like this:

    image

    Below is a summary table of attack methods using this technique and ways to counter them:

    image
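    The core trick of JIT spraying, as an added example written for this page (not code from the original article): a long chain of XOR operations with attacker-chosen 32-bit constants is compiled by the JIT into a run of xor eax, imm32 instructions, and if execution starts one byte into that run, the CPU sees the immediates as code. Each constant carries three payload bytes plus a trailing 0x3c, which together with the next instruction's 0x35 opcode decodes as the harmless two-byte cmp al, 0x35. The five-byte payload and the idealised one-instruction-per-constant JIT output are assumptions of the model; real engines add prologues and register moves, which is what the per-engine details in the table above are about:

```javascript
// Encoding a payload into XOR constants and reading it back from a misaligned start.
const XOR_EAX_IMM32 = 0x35;   // x86 opcode of  xor eax, imm32
const CMP_AL_IMM8   = 0x3c;   // x86 opcode of  cmp al, imm8  (2 bytes, swallows the next 0x35)
const NOP           = 0x90;

// Pack the payload 3 bytes per constant, little-endian, with 0x3c as the high byte.
// The payload is padded with nops to a multiple of 3; each 3-byte group must itself be
// whole instructions, because cmp al, 0x35 is inserted between groups.
function toJitConstants(payload) {
  const bytes = Array.from(payload);
  while (bytes.length % 3) bytes.push(NOP);
  const consts = [];
  for (let i = 0; i < bytes.length; i += 3) {
    consts.push((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (CMP_AL_IMM8 << 24)) >>> 0);
  }
  return consts;
}

// The script text the attacker would feed to the JIT; sprayed thousands of times.
function toSourceExpression(consts) {
  return "var y = (x" + consts.map(c => " ^ 0x" + c.toString(16).padStart(8, "0")).join("") + ");";
}

// What an idealised JIT emits for that expression: one  xor eax, imm32  per constant.
function emitXorChain(consts) {
  const out = Buffer.alloc(consts.length * 5);
  consts.forEach((c, k) => {
    out[k * 5] = XOR_EAX_IMM32;
    out.writeUInt32LE(c, k * 5 + 1);
  });
  return out;
}

// The instruction stream as seen when EIP lands at `offset` (1 = skip the first 0x35):
// three payload bytes, then the fixed 2-byte  cmp al, 0x35  formed by 0x3c and the next
// instruction's 0x35, and so on. Throws if the separator is not where the encoding says.
function payloadStreamAt(code, offset) {
  const payload = [];
  for (let i = offset; i + 3 <= code.length; i += 5) {
    payload.push(code[i], code[i + 1], code[i + 2]);
    if (i + 4 < code.length && (code[i + 3] !== CMP_AL_IMM8 || code[i + 4] !== XOR_EAX_IMM32)) {
      throw new Error("unexpected bytes between payload groups at offset " + (i + 3));
    }
  }
  return Buffer.from(payload);
}

// Constructed 5-byte payload: xor eax,eax ; push eax ; pop ebx ; ret
const SAMPLE_PAYLOAD = Buffer.from([0x31, 0xc0, 0x50, 0x5b, 0xc3]);
```

    Running the round trip on SAMPLE_PAYLOAD yields the expression var y = (x ^ 0x3c50c031 ^ 0x3c90c35b); and, read from offset 1, the byte stream 31 c0 50 5b c3 90: the original payload followed by one nop of padding. Note that the constants look like ordinary numbers to the script engine, which is exactly why this survives DEP: the bytes are written by the JIT into memory that is legitimately executable.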

    Recently, JIT spraying has often been combined with shellcode that uses return-oriented programming. Exploits for CVE-2010-1297 make active use of this combination, although it entails a multi-stage architecture for the shellcode.

    ROP

    Return-oriented programming, or simply ROP, is primarily intended to bypass defense mechanisms such as non-executable memory segments. ROP is, of course, a new milestone in exploit engineering, but the prerequisites for its appearance were noticed long ago. We took an interesting diagram of the evolution of these methods from the article "A gentle introduction to return-oriented programming".

    image

    Using the ROP technique requires a fairly high level of knowledge and training from the researcher, which raises the entry threshold for those who want to understand it. Debugging such shellcode also takes a lot of time.
    Everything said above about the complexity of development does not mean we can rejoice and that we will all soon enter nirvana. No, this is not so; rather, it means that we can expect interesting developments of these techniques and, of course, the emergence of new ones.
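    The first practical step in building the ROP shellcode discussed in this section is harvesting gadgets, short instruction sequences ending in ret, from code that is already executable in the process, so that nothing new has to be placed in non-executable memory. The following gadget finder is an added example written for this page, not code from the original article or from any real tool; it decodes only a handful of single-byte x86 opcodes (real finders use a full disassembler), and the sample code bytes and the image base 0x7c800000 are constructed, not taken from any real binary:

```javascript
// A minimal ret-terminated gadget finder over raw x86 code bytes.
const REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"];

// Decode one single-byte x86 instruction; null if it is not in our tiny table.
function decodeOne(b) {
  if (b === 0x90) return "nop";
  if (b === 0xc3) return "ret";
  if (b >= 0x40 && b <= 0x47) return "inc " + REG32[b - 0x40];
  if (b >= 0x48 && b <= 0x4f) return "dec " + REG32[b - 0x48];
  if (b >= 0x50 && b <= 0x57) return "push " + REG32[b - 0x50];
  if (b >= 0x58 && b <= 0x5f) return "pop " + REG32[b - 0x58];
  if (b >= 0x91 && b <= 0x97) return "xchg eax, " + REG32[b - 0x90];
  return null;
}

// For every ret in `code`, walk backwards up to maxDepth bytes and record each prefix
// that decodes completely. Instruction boundaries of the original program are ignored
// on purpose: x86 has variable-length encoding, so bytes in the middle of a longer
// instruction are just as usable as gadgets. Returns unique gadgets sorted by address.
function findGadgets(code, base, maxDepth = 4) {
  const gadgets = new Map();   // text -> lowest address at which it occurs
  for (let r = 0; r < code.length; r++) {
    if (code[r] !== 0xc3) continue;
    const insns = ["ret"];
    for (let d = 1; d <= maxDepth && r - d >= 0; d++) {
      const insn = decodeOne(code[r - d]);
      if (insn === null || insn === "ret") break;
      insns.unshift(insn);
      const text = insns.join(" ; ");
      if (!gadgets.has(text)) gadgets.set(text, base + r - d);
    }
  }
  return [...gadgets].map(([text, addr]) => ({ addr, text }))
                     .sort((a, b) => a.addr - b.addr);
}

// The gadget every spray-plus-ROP exploit wants first: swap the sprayed eax value into
// esp so that the fake stack (the ROP chain) lives in attacker-controlled memory.
function findStackPivot(code, base) {
  return findGadgets(code, base).find(g => g.text === "xchg eax, esp ; ret") || null;
}

// Constructed "code" (not from any real binary) with a few gadgets embedded in it.
const SAMPLE_CODE = Buffer.from([
  0x55, 0x8b, 0xec,               // push ebp ; mov ebp, esp   (prologue, no ret follows)
  0x94, 0xc3,                     // xchg eax, esp ; ret        <- stack pivot
  0x8b, 0x45, 0x08,               // mov eax, [ebp+8]
  0x5b, 0x5f, 0xc3,               // pop ebx ; pop edi ; ret    <- loads two registers
  0xe8, 0x00, 0x00, 0x00, 0x00,   // call +0
  0x58, 0xc3,                     // pop eax ; ret
]);
const BASE = 0x7c800000;          // hypothetical image base for the sample
```

    On SAMPLE_CODE the finder reports four gadgets: the pivot at BASE+3, "pop ebx ; pop edi ; ret" at BASE+8, its suffix "pop edi ; ret" at BASE+9, and "pop eax ; ret" at BASE+16. Everything ROP-related that follows, chaining these addresses into a fake stack with the right argument values in between, is what the article means by the high entry threshold and the painful debugging: the chain is data, and a single wrong offset breaks it silently.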
