Differences between revisions 1 and 3 (spanning 2 versions)
Revision 1 as of 2010-02-02 18:26:50 (Size: 84, Editor: anderson-camtasia)
Revision 3 as of 2010-04-26 01:18:04 (Size: 4854, Editor: c-68-53-233-3)
== Internet Client Vulnerabilities ==

* Of the numerous techniques used to exploit internet end users
  * Software exploits are the most despicable
  * This is because a software exploit usually permits hackers to do their bidding with little or no visibility on the part of the victim.

== ActiveX ==

* Microsoft ActiveX
  * Microsoft's answer to Java
  * First real attempt at a model for portable, remotely consumable software applications
  * ActiveX applications or controls
  * Can be written to perform specific functions
  * Such as displaying a movie or sound file
  * Can be embedded in a web page to provide this functionality
   * Example
   * Like Microsoft's Object Linking and Embedding (OLE), which supports embedding of Excel spreadsheets within Word docs
   * Usually have the .ocx file extension
  
  * When Internet Explorer encounters a web page with an embedded ActiveX control (or multiple controls)
  * It first checks the user's local system Registry to find out whether that component is available on the user's machine
  * If it is, IE displays the web page, loads the control into the browser's memory address space, and executes its code.
  * If the control is not already installed on the user's computer, IE downloads and installs the control from the location specified within the <OBJECT> tag.
  * Optionally, it verifies the origin of the code using Authenticode and then executes that code
   * Controls are downloaded to the location specified by the Registry string value
  * (REG_SZ) HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Internet Settings\ActiveXCache
  * Default in XP is %systemroot%\Downloaded Program Files

=== ActiveX Security Model ===
* Acting within the model described in the previous section, malicious programmers could write ActiveX controls to do just about anything they want to a user's machine.
* The thing that stands in the way is Microsoft's code-authentication paradigm, Authenticode.
* Authenticode allows developers to "sign" their code using a cryptographic mechanism that can be authenticated by IE and a third party before the code is executed. (VeriSign Corporation is typically the third party)
 * Example of how ActiveX could be used for malicious activity
 * In 1996 Fred McLain wrote an ActiveX control that shut down the user's system cleanly (if it was running Windows 95 with advanced power management).
 * Called Internet Exploder
 * Safe for Scripting
 * Was the next significant security challenge
 * Attackers could get a malicious program onto a user's computer, simply by having the user visit their website, by manipulating the Scriptlet ActiveX control
 * Scriptlet.typelib can create, edit, and overwrite files on the hard disk.
 * Eyedog has the ability to query the Registry and gather machine characteristics

=== ActiveX Abuse Countermeasures ===

* From a developer's perspective, don't write safe-for-scripting controls that could perform privileged actions on a user's system.
* Restrict or disable ActiveX through the use of Microsoft Internet Explorer security zones.

== Java ==

* Created by Sun Microsystems
* Was created primarily to enable portable, remotely consumable software applications.
* Differed from ActiveX in that it included a security "sandbox" that restrains programmers from making many of the mistakes that lead to security problems, such as buffer overflows.
 * Vulnerabilities Found
 * In November 2004, Jouko Pynnönen published an advisory on a devastating vulnerability in Sun's Java Plug-in, which permits browsers to run Java applets
 * The vulnerability essentially allowed malicious web pages to disable Java's security restrictions and break out of the Java sandbox, effectively neutering the security of the platform.

=== Java Countermeasures ===

* Restrict Java through the use of Microsoft Internet Explorer security zones.
* For non-IE browsers, consult the browser's documentation on how to restrict Java.

== JavaScript and Active Scripting ==

* Originally "LiveScript"; still associated with Sun's Java, but actually a separate scripting language created by Netscape.
* A blend of Perl-like ease of use with C/C++-like power
 * Made it popular
 * Also makes it attractive to hackers
 * Makes it easy to fool the user into entering sensitive information
 * Microsoft platforms execute JavaScript and other client-side scripting languages using a Component Object Model (COM)-based technology called Active Scripting
 * Security issues are not caused by the technology itself, but by abuse of the power and accessibility it gives you.

=== JavaScript Countermeasures ===

* Restrict JavaScript and Active Scripting through the use of Microsoft Internet Explorer security zones.
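The ActiveX, Java and JavaScript countermeasures above all come down to two checks an administrator can make: whether the Internet zone actually restricts these technologies, and which installed controls are registered as safe for scripting (the kind the ActiveX countermeasure says not to write). The following is an added example, not part of the original wiki page; it audits a registry export (.reg text) offline. The zone policy ids (1200, 1201, 1400, 1C00) and the two component-category GUIDs are real Internet Explorer values; the sample export and the CLSIDs in it are constructed.

```python
# Real IE zone policy DWORDs under ...\Internet Settings\Zones\<zone>; 0 = enable, 1 = prompt, 3 = disable
POLICIES = {"1200": "Run ActiveX controls and plug-ins",
            "1201": "Initialize and script ActiveX controls not marked as safe",
            "1400": "Active scripting"}
JAVA_PERMISSIONS = "1C00"   # real policy id; a value of 0 means "Disable Java"
# Real component-category GUIDs: CATID_SafeForScripting and CATID_SafeForInitializing
SAFE_CATS = {"{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "scripting",
             "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "initializing"}

def parse_reg(text):
    """Minimal .reg parser -> {key_path: {value_name: value}}; dword values become ints."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur and "=" in line:
            name, raw = line.split("=", 1)
            keys[cur][name.strip('"')] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def audit_internet_zone(keys):
    """Verdict per policy for the Internet zone (zone 3), the zone the countermeasures target."""
    zone = next((v for k, v in keys.items() if k.endswith(r"\Internet Settings\Zones\3")), {})
    report = {desc: {0: "ENABLED", 1: "prompt", 3: "disabled"}.get(zone.get(code), "not set")
              for code, desc in POLICIES.items()}
    java = zone.get(JAVA_PERMISSIONS)
    report["Java permissions"] = "not set" if java is None else ("disabled" if java == 0 else "ENABLED")
    return report

def safe_for_scripting_controls(keys):
    """CLSIDs whose 'Implemented Categories' subkeys carry a safe-for-scripting/initializing GUID."""
    found = {}
    for key in keys:
        parts = key.upper().split("\\")
        if (len(parts) >= 4 and parts[-4] == "CLSID" and parts[-2] == "IMPLEMENTED CATEGORIES"
                and parts[-1] in SAFE_CATS):
            found.setdefault(parts[-3], set()).add(SAFE_CATS[parts[-1]])
    return found

# Constructed sample export: ActiveX still enabled in the Internet zone, scripting set to
# prompt, Java at high safety, and one control registered safe for scripting and initializing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000001
"1C00"=dword:00010000
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
"""
```

Run `audit_internet_zone(parse_reg(SAMPLE_REG))` against an export of a real machine's `Zones\3` key (via `reg export`) to see which of the page's restrictions are actually in force; an "ENABLED" verdict on 1200 means ActiveX is not restricted at all.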
HackingExposedChapter12 (last edited 2010-04-26 01:40:33 by c-68-53-233-3)