It is hard today to find an Internet user who has not installed additional extensions for their browser; plug-ins like Flash are present on the vast majority of machines. It was the emergence of such plug-ins that changed the landscape of modern exploit engineering: client-side security can no longer be controlled solely by browser developers. The security of every installed plug-in matters just as much, because attackers can use a vulnerable plug-in to inject malicious code into the system. For example, each new vulnerability in the products of the notorious Adobe is followed by a rise in the number of exploits aimed precisely at those vulnerabilities.
Moreover, Adobe's slow closing of these very vulnerabilities gives attackers a large enough time window for successful attacks. A vivid example is close at hand: CVE-2010-1297 was made public on June 4, but the hole was closed only on June 29, leaving a window of more than three weeks for successful zero-day attacks. Since the beginning of this year we have noted a strong increase in the flow of exploits targeting Adobe products.
Exploits for Adobe products, and exploits able to bypass DEP and ASLR, are growing rapidly in popularity. Most interesting of all, some exploit packs have begun to include mechanisms that automatically check whether the hosting site has been blacklisted by popular reputation systems.
When building their exploits, cybercriminals use polymorphic obfuscation, which rewrites the exploit code either for each visitor or at set time intervals without changing its functionality. This is meant to counter signature-based detection, and it defeats primitive detection methods rather effectively. Recently, functionality has also appeared for countering public sandboxes and automatic analysis tools such as Wepawet and Jsunpack, as well as some well-known methods for automatically unpacking obfuscated JavaScript.
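To see concretely why polymorphic obfuscation defeats a byte-exact signature, and what a detector can do about the cheapest tricks, here is an added example that is not code from the original article. Two constructed variants of the same hidden-iframe redirect script (one with renamed identifiers, reflowed whitespace and a different comment) are hashed raw and after a simple structural normalization: comments dropped, string literals kept, identifiers renamed in order of first appearance. The samples, the preserved-name list and the `example.invalid` URL are all constructed for this illustration.

```python
"""Structural normalization of trivially re-obfuscated JavaScript.

Added example for this article (not the original author's code). A byte-exact
signature of one variant misses the next; a signature over a normalized token
stream survives identifier renaming, whitespace reflow and comment changes.
"""
import hashlib
import re

# Constructed samples: the same hidden-iframe redirect written two ways.
VARIANT_A = """
// drop a hidden frame
var target = "http://example.invalid/landing";
var frame = '<iframe src="' + target + '" width=0 height=0></iframe>';
document.write(frame);
"""

VARIANT_B = (
    '/* x */var _0x1="http://example.invalid/landing";'
    'var _0x2=\'<iframe src="\'+_0x1+\'" width=0 height=0></iframe>\';'
    'document.write(_0x2);'
)

# Token classes: comments, string literals, identifiers, numbers, punctuation.
TOKEN_RE = re.compile(
    r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<punct>\S)
    """,
    re.VERBOSE | re.DOTALL,
)

# Keywords and well-known globals keep their names; everything else is renamed.
PRESERVED = {
    "var", "let", "const", "function", "return", "new", "for", "while", "if",
    "else", "in", "typeof", "true", "false", "null", "this",
    "document", "window", "location", "write", "eval", "unescape",
    "String", "fromCharCode", "Array", "length",
}


def normalize_js(src: str) -> str:
    """Return a whitespace-, comment- and name-insensitive token stream."""
    renamed: dict[str, str] = {}
    out = []
    for m in TOKEN_RE.finditer(src):
        kind, tok = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "ident" and tok not in PRESERVED:
            # First-seen order gives both variants the same canonical names.
            tok = renamed.setdefault(tok, f"id{len(renamed)}")
        out.append(tok)
    return " ".join(out)


def byte_signature(src: str) -> str:
    """What a naive signature engine stores: a hash of the raw bytes."""
    return hashlib.sha256(src.encode()).hexdigest()


def structural_signature(src: str) -> str:
    """Hash of the normalized token stream."""
    return hashlib.sha256(normalize_js(src).encode()).hexdigest()


def matches_known(sample: str, known_signatures: set[str]) -> bool:
    """True if the sample's structural signature is in the known set."""
    return structural_signature(sample) in known_signatures


if __name__ == "__main__":
    print("raw hashes equal:       ", byte_signature(VARIANT_A) == byte_signature(VARIANT_B))
    print("structural hashes equal:", structural_signature(VARIANT_A) == structural_signature(VARIANT_B))
    print(normalize_js(VARIANT_B))
```

The normalization only covers renaming and reflow; string splitting, escaped encodings and `eval`-based packing, which the article's next sentences mention, require an unpacking pass (as in Jsunpack) before a structural signature becomes useful.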
Traffic is driven to the site hosting the exploit pack automatically as well, either by a direct redirect or through a whole chain of them. The cybercriminals selling this kind of traffic are, for the most part, affiliate programs that control a botnet of infected websites. The redirect is usually performed with a simple iframe injection.
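The injected iframe described above is normally invisible to the visitor: zero-sized, hidden by CSS, or pushed off screen. The following added example, which is not code from the original article, scans a page for iframes with those properties so that a site owner can spot the redirect. The sample HTML, the `example.org`/`example.invalid` hosts and the heuristics are constructed for this illustration.

```python
"""Flag hidden iframes of the kind used for redirect injection.

Added example for this article (not the original author's code). Only frames
that are invisible to the visitor are reported; an ordinary visible embed is
not a finding. Off-site destinations are noted as an extra reason.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate visible embed and two injected frames.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<p>Quarterly report</p>
<iframe src="http://landing.example.invalid/in.php" width=0 height=0 frameborder=0></iframe>
<div><iframe style="display:none;" src="http://other.example.invalid/x"></iframe></div>
</body></html>
"""

# Absolute positioning far outside the viewport, e.g. "left:-9999px".
OFFSCREEN_RE = re.compile(r"(?:top|left):-\d{3,}px")


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that the visitor cannot see."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().lower().removesuffix("px")
            if value in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if OFFSCREEN_RE.search(style):
            reasons.append("positioned off screen")
        if not reasons:
            return  # visible iframe: an ordinary embed, not a finding
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        self.findings.append({
            "src": src,
            "off_site": bool(host) and host != self.page_host,
            "reasons": reasons,
        })


def find_hidden_iframes(html: str, page_host: str) -> list[dict]:
    """Parse the page and return every hidden iframe with the reasons it was flagged."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "www.example.org"):
        print(finding)
```

Run it over the HTML as served (for example `find_hidden_iframes(open("index.html").read(), "www.example.org")`); injected frames written by JavaScript at runtime will not appear in the static source and need a rendered DOM instead.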
In recent years there has been a clear shift toward client-side attacks using exploits. Many different mechanisms have already been introduced at the operating system level to counter them, and it is thanks to these mechanisms that the bar for the person developing an exploit has risen considerably. Now let's take a look (a brief one, of course :)) at the techniques attackers use in modern exploit engineering.
DEP and ASLR
Bypassing DEP has long ceased to be a problem; the first open publications on the subject appeared several years ago. Over time, however, the situation was complicated by the arrival of permanent DEP. The essence of this technology is that the process itself enables DEP at startup by calling SetProcessDEPPolicy(). After that, DEP cannot be turned off for the lifetime of the process: the usual approach of calling NtSetInformationProcess() to disable it no longer works. As we can see, modern browsers (on XP SP3 and above) use this mechanism by default, which complicates the lives of exploit developers. That is good news for us as developers of security software.
But despite the available countermeasures, not all developers of mass-market software take them equally seriously. Let's see how the picture has changed over time.
Despite the obvious progress compared with 2008, we still see that ASLR, for example, is not used everywhere. For Adobe products bypass mechanisms exist, which is why their entries for supported defense mechanisms are marked with an asterisk in the table. This data is taken from Secunia's recent “DEP / ASLR Neglected in Popular Programs” report. ASLR is a real problem for intruders only if it is used everywhere.
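The opt-in that the Secunia table records, and that permanent DEP builds on, is visible in the executable itself: the DllCharacteristics field of the PE optional header carries NX_COMPAT (0x0100) for DEP and DYNAMIC_BASE (0x0040) for ASLR. The following added example, which is neither the article's nor Secunia's code, reads that field and reports the two opt-ins; since no real binary ships with the article, it builds constructed minimal PE headers to run against. The runtime side (SetProcessDEPPolicy() called by the process at startup) is not visible in the header and is out of scope here.

```python
"""Check whether a PE executable opts into DEP and ASLR.

Added example for this article (not the original author's or Secunia's code).
Compiler/linker opt-in is recorded in IMAGE_OPTIONAL_HEADER.DllCharacteristics:
NX_COMPAT (0x0100) for DEP and DYNAMIC_BASE (0x0040) for ASLR. Permanent DEP
enabled at runtime via SetProcessDEPPolicy() is not visible here.
"""
import struct

DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field after validating the MZ/PE framing."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def mitigation_report(image: bytes) -> dict:
    """Summarize the DEP/ASLR opt-ins of one executable image."""
    flags = dll_characteristics(image)
    return {
        "dep": bool(flags & 0x0100),
        "aslr": bool(flags & 0x0040),
        "high_entropy_aslr": bool(flags & 0x0020),
        "flags": [name for bit, name in sorted(DLL_FLAGS.items()) if flags & bit],
    }


def build_fake_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal header (DOS stub, PE signature, COFF and optional header,
    no sections) carrying the given DllCharacteristics; test input only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, flags in (("opted in", 0x0140), ("neglected", 0x0000)):
        print(label, mitigation_report(build_fake_pe(flags)))
```

For a real file, `mitigation_report(open(path, "rb").read())` gives the same dictionary; the Secunia table is essentially this check run across popular programs.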
Now let's talk a little about the currently most popular ways of bypassing the protection technologies described above, and about how effective those protections are.
Heap spraying
Despite the obvious progress in the operating system's countermeasures, researchers in both white and black hats keep looking for ways around them. After all, the well-known exploitation methods of overwriting the return address and hijacking the SEH handler stopped working, and new techniques were needed.
Aleksandr Sotirov can rightly be considered an evangelist of exploitation methods based on JIT spraying: he was one of the first to discuss the topic in detail and to describe various exploitation methods that use this technique.
In general terms, a JIT spraying attack looks like this:
And at the system level, like this:
Below is a summary table of attacks using this technique and ways to counter them:
Recently, JIT spraying is often combined with shellcode built on return-oriented programming. The exploits for CVE-2010-1297 make active use of this technique, even though it requires a multi-stage architecture for the shellcode.
ROP
Return-oriented programming, or simply ROP, is aimed primarily at bypassing protective mechanisms such as non-executable memory segments. ROP is certainly a new milestone in exploit engineering, but the prerequisites for its appearance were noticed long ago. The following interesting diagram of the evolution of these methods is taken from the article “A gentle introduction to return-oriented programming”.
Using ROP demands a fairly high level of knowledge and training from the researcher, which raises the entry threshold for anyone who wants to master it. Debugging such shellcode also takes a lot of time.
None of what was said above about the complexity of development means we can rejoice and expect to reach nirvana any time soon. Rather, it means that we can look forward to an interesting evolution of these techniques and, of course, the emergence of new ones.