mailing list archives
Client Side Exploits, a lot of Office bugs and Vista
From: "Halvar Flake" <halvar () gmx de>
Date: Wed, 22 Nov 2006 00:40:32 +0100
I have ranted before about careless use of 0day by seemingly chinese
attackers, and I think I have finally understood why someone would use good
and nice bugs in such a careless manner:
The bugs are going to expire soon. Or to continue using Dave's and my
terminology: The fish are starting to smell.
ASLR is entering the mainstream with Vista, and while it won't stop any
moderately-skilled-but-determined attacker from compromising a server, it
will make client side exploits of MSOffice file format parsing bugs a lot
Client-side bugs suffer from a range of difficulties:
1. They are inherently one-shot. You send a bad file, and while the user
might try to open it multiple times, there is no way the attacker can try
different values for anything in order to get control.
2. There can not be much pre-attack reconnaissance. Fingerprinting server
versions is usually not terribly difficult (if time consuming), and usually
one can narrow down the exact version (and most of the times the patch
level) of a target before actually shooting valuable 0day down the wire.
With client side bugs, it is a lot more difficult to know the exact version
of a piece of software running on the other side - one probably has to get
access to at least one document created by the target to get any data at
all, and even this will usually be a rough guesstimate.
As a result of this, client-side bugs in MSOffice are approaching their
expiration date. Not quickly, as most customers will not switch to Vista
immediately, but they are showing the first brown spots, and will at some
point start to smell.
So you're in a situation where you're sitting on heaps of 0day in MSOffice,
which, contrary to Vista, was not the biggest (private sector) pentest ever
(This sentence contains two inside jokes, and I hope that those who
understand them aren't mad at me :-). What do you do with those that are
going to be useless under ASLR ? Well, damn, just fire them somewhere, with
some really silly phone-home-bots inside. If they bring back information,
fine, if not, you have not actually lost much. The phone-home bots are cheap
to develop (in contrast to a decent rootkit) and look amateurish enough as
to not provoke your ambassador being yelled at.
If you are really lucky, you might actually get your opponent to devote time
and resources to countermeasures against MS Office bugs, in the hope they
don't realize that work will be taken care of elsewhere. In the meantime,
you hone your skills in defeating ASLR through
out-of-defined-memory-read-bugs (see some blog post in the next few days).
On a side note, I am terribly happy today. I have had more good luck this
week than I deserve.
Dailydave mailing list
Dailydave () lists immunitysec com
- Client Side Exploits, a lot of Office bugs and Vista Halvar Flake (Nov 22)