When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser. A team of experts from HP’s Zero Day Initiative were among those who noticed that once-reliable exploits were no longer behaving as expected, and traced it back to a number of mitigations silently introduced into IE in July. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two of those mitigations, Isolated Heap and MemoryProtection, and today announced they had been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and BlueHat Bonus for Defense. A chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs.

“We were very excited when we heard the results from Microsoft,” Gorenc, ZDI lead researcher, said. “We put a lot of time and effort into that research. We’re glad to hear Microsoft got good data out of it.”

Gorenc said Microsoft has not yet patched the issues identified in the HP ZDI research, and as a result ZDI will not disclose details yet. He did tell Threatpost that part of the attack involves using MemoryProtection as an oracle to bypass Address Space Layout Randomization (ASLR).

“We use one mitigation to defeat another,” he said. “Stuff like this has been done in the past, but what’s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we’ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. It was interesting to see one used against another.”

Use-after-free vulnerabilities have overtaken buffer overflows as the hot new memory-corruption vulnerability. They happen when a program frees an object but keeps using a pointer to it. If an attacker can get the allocator to hand that freed memory back for data they control, the stale pointer now operates on attacker-supplied contents; in a browser that typically means a forged virtual-function table, and from there control of execution. Microsoft, for its part, has invested money and time into building mitigations against memory-related attacks, not only with the inclusion of mitigations in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET).

For the most part, bypasses of and attacks against mitigations have been confined to researchers and academics, but some high-profile targeted attacks that have been outed do take the presence of these mitigations into account. Operation Snowman, for example, an APT operation against military and government targets, scanned for the presence of EMET and would not execute if the tool was detected.

Internet Explorer has been plagued by memory corruption bugs for as long as anyone can remember, with Microsoft releasing almost monthly cumulative updates for a browser that is constantly used in targeted attacks and has been easy pickings for hackers.

“The attack surface is valuable and has to exist,” Gorenc said of IE and use-after-free bugs. “It’s an attack surface where with slight manipulations, you can gain code execution on the browser.”

ZDI, Gorenc said, has spent the majority of its money on the use-after-free attack surface. ZDI is a vulnerability program that rewards researchers who disclose vulnerabilities through its process; the bugs are shared with HP customers first and then with the affected vendors. ZDI said it has spent $12 million over the past nine years buying vulnerabilities. Gorenc’s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both spent a lot of time on IE and use-after-free submissions, HP said.

For these attacks, Zuckerbraun reverse engineered MemoryProtection, studying how it stymied use-after-free vulnerabilities. Hariri focused on bypassing Isolated Heap. Together with Gorenc’s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft.

The reward, meanwhile, will be donated to the three educational institutions, each of which has personal meaning to the respective researchers and their focus on STEM.

“HP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,” Gorenc said. “We look at it as a way to give back. Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.”
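As an added illustration of the use-after-free mechanics described in the article above (this is example code written for this page, not ZDI’s, HP’s or Microsoft’s code), the C program below models a tiny fixed-slot allocator and shows why a freed object becomes exploitable when attacker-controlled data can reclaim its memory, and how two defences in the spirit of the mitigations the article names, a separate pool for objects (Isolated Heap) and a zero-and-defer free (MemoryProtection), break that reclaim. The toy_heap, element, handler and gadget names are constructed for the example; the real IE mitigations are considerably more involved, and nothing here models the ASLR-oracle bypass the researchers allude to.

```c
#include <stdio.h>
#include <string.h>

/* Toy fixed-slot heap (constructed for this example, not IE's allocator).
 * A freed slot is handed out again by the next allocation, which is the
 * allocator behaviour a use-after-free exploit depends on. */
#define SLOT_SIZE 32
#define NSLOTS 8

typedef struct {
    _Alignas(16) unsigned char mem[NSLOTS][SLOT_SIZE];
    int in_use[NSLOTS];
} toy_heap;

static void *toy_alloc(toy_heap *h) {
    for (int i = 0; i < NSLOTS; i++)
        if (!h->in_use[i]) { h->in_use[i] = 1; return h->mem[i]; }
    return NULL;
}

static void toy_free(toy_heap *h, void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if ((void *)h->mem[i] == p) h->in_use[i] = 0;
}

/* A heap object whose first field is a function pointer, standing in for
 * the vtable pointer of a C++ DOM object. */
typedef struct {
    void (*handler)(void);
    char name[24];
} element;
_Static_assert(sizeof(element) <= SLOT_SIZE, "element must fit one slot");

static int benign_calls, hijacked_calls;
static void benign_handler(void) { benign_calls++; }
static void attacker_gadget(void) { hijacked_calls++; }

/* 1. Vulnerable: objects and attacker-controlled strings share one heap.
 *    After the free, a same-size "string" reclaims the slot, and the stale
 *    pointer's function pointer is whatever bytes the attacker wrote. */
static int uaf_shared_heap(void) {
    toy_heap heap = {0};
    benign_calls = hijacked_calls = 0;

    element *e = toy_alloc(&heap);
    e->handler = benign_handler;
    strcpy(e->name, "div");
    toy_free(&heap, e);                    /* e is now dangling */

    unsigned char *s = toy_alloc(&heap);   /* attacker data reclaims the slot */
    void (*fake)(void) = attacker_gadget;
    memcpy(s, &fake, sizeof fake);         /* overlays the function pointer */
    memset(s + sizeof fake, 'A', SLOT_SIZE - sizeof fake);

    e->handler();                          /* dangling use: jumps to the gadget */
    return (void *)s == (void *)e && hijacked_calls == 1 && benign_calls == 0;
}

/* 2. Isolated Heap style: objects come from one pool and raw string data
 *    from another, so a string spray can never land on a freed object slot. */
static int uaf_isolated_heaps(void) {
    toy_heap obj_heap = {0}, str_heap = {0};
    benign_calls = hijacked_calls = 0;

    element *e = toy_alloc(&obj_heap);
    e->handler = benign_handler;
    toy_free(&obj_heap, e);

    unsigned char *s = toy_alloc(&str_heap);
    void (*fake)(void) = attacker_gadget;
    memcpy(s, &fake, sizeof fake);

    e->handler();   /* still a bug, but the stale contents are not attacker data */
    return (void *)s != (void *)e && hijacked_calls == 0 && benign_calls == 1;
}

/* 3. MemoryProtection style: "free" zeroes the block and keeps the slot
 *    reserved until a later sweep, so no allocation can reclaim it while a
 *    stale reference may still be live; a dangling call now hits NULL. */
static int uaf_deferred_free(void) {
    toy_heap heap = {0};
    element *e = toy_alloc(&heap);
    e->handler = benign_handler;

    memset(e, 0, sizeof *e);               /* deferred free: zero, keep in_use */
    unsigned char *s = toy_alloc(&heap);   /* gets a different slot */
    return (void *)s != (void *)e && e->handler == NULL;
}

int main(void) {
    printf("shared heap hijacked:   %d\n", uaf_shared_heap());
    printf("isolated heap survives: %d\n", uaf_isolated_heaps());
    printf("deferred free survives: %d\n", uaf_deferred_free());
    return 0;
}
```

Each function returns 1 when the scenario behaves as its comment says. Case 1 is the exploit primitive the article describes: the freed slot is refilled with attacker bytes and the call through the dangling pointer lands in the gadget. Cases 2 and 3 leave the underlying bug in place and only change what the stale pointer sees, which is exactly why the article’s researchers could go after the mitigations themselves rather than the bug class.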
Description: Founder, NovaInfosecPortal.com. Salvador Grec has over 16 years’ experience, undergraduate and graduate degrees in Electrical Engineering, and a really well known security certification. Even though his training was in Electrical Engineering, Sal has always been more of a Computer Science person at heart, going back to his VIC-20, Commodore 64, and high school computer club days. After doing the IT grind for 5 years, he discovered his love of infosec and has been pursuing this career ever since. Currently, he spends his days doing cyber security paperwork drills in building and maintaining multi-billion dollar government systems. At night he runs a local infosec website and tries to get some hands-on skillz.

Title: PHP Website Security, Attack Analysis, & Mitigations

PHP is a very powerful language for easily developing web applications; however, this convenience sometimes comes at the cost of security. Issues can arise from everything from language vulnerabilities and weak default settings to insecure coding practices and misconfigurations. This presentation addresses many of these concerns by providing valuable lessons in the security of, attacks against, and management of PHP in your environment. The talk begins with an overview of PHP security, including its known issues and the corresponding security enhancements the maintainers have incorporated over time. Beginning with a general discussion of PHPIDS and how it can be used as an event tracker, the presentation next provides a peek into some of the more interesting attacks against a security website, as well as overall trends from two years in deployment. The talk closes with a strategy for analyzing the risks in your PHP environment and applying corresponding PHP and platform/network mitigations to minimize your attack surface.

Slides: http://rvasec.com/slides/2012/8_grec_php_insecurity_rvasec_2012.pptx

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.