Dailydave mailing list archives

Client Side Exploits, a lot of Office bugs and Vista


From: "Halvar Flake" <halvar () gmx de>
Date: Wed, 22 Nov 2006 00:40:32 +0100

Hey all,

I have ranted before about careless use of 0day by seemingly Chinese 
attackers, and I think I have finally understood why someone would use good 
and nice bugs in such a careless manner:

The bugs are going to expire soon. Or to continue using Dave's and my 
terminology: The fish are starting to smell.

ASLR is entering the mainstream with Vista, and while it won't stop any 
moderately-skilled-but-determined attacker from compromising a server, it 
will make client side exploits of MSOffice file format parsing bugs a lot 
harder.

Client-side bugs suffer from a range of difficulties:

1. They are inherently one-shot. You send a bad file, and while the user 
might try to open it multiple times, there is no way the attacker can try 
different values for anything in order to get control.

2. There cannot be much pre-attack reconnaissance. Fingerprinting server 
versions is usually not terribly difficult (if time consuming), and usually 
one can narrow down the exact version (and most of the times the patch 
level) of a target before actually shooting valuable 0day down the wire. 
With client side bugs, it is a lot more difficult to know the exact version 
of a piece of software running on the other side - one probably has to get 
access to at least one document created by the target to get any data at 
all, and even this will usually be a rough guesstimate.

As a result of this, client-side bugs in MSOffice are approaching their 
expiration date. Not quickly, as most customers will not switch to Vista 
immediately, but they are showing the first brown spots, and will at some 
point start to smell.

So you're in a situation where you're sitting on heaps of 0day in MSOffice, 
which, contrary to Vista, was not the biggest (private sector) pentest ever 
(This sentence contains two inside jokes, and I hope that those who 
understand them aren't mad at me :-). What do you do with those that are 
going to be useless under ASLR ? Well, damn, just fire them somewhere, with 
some really silly phone-home-bots inside. If they bring back information, 
fine, if not, you have not actually lost much. The phone-home bots are cheap 
to develop (in contrast to a decent rootkit) and look amateurish enough 
not to get your ambassador yelled at.
If you are really lucky, you might actually get your opponent to devote time 
and resources to countermeasures against MS Office bugs, in the hope they 
don't realize that work will be taken care of elsewhere. In the meantime, 
you hone your skills in defeating ASLR through 
out-of-defined-memory-read-bugs (see some blog post in the next few days).

On a side note, I am terribly happy today. I have had more good luck this 
week than I deserve.

Cheers,
Halvar 

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
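The post closes on defeating ASLR through out-of-defined-memory read bugs, and its earlier point is that a client-side bug is one-shot with no reconnaissance. The following is an added illustration, not code from Halvar's post or from any real Office parser: a constructed toy record layout (the `struct record` / `struct parser_ctx` names, the `on_done` callback and the `other_routine` stand-in are all assumptions for the demo) in which a length field is trusted, so a crafted record reads past its payload into a neighbouring code pointer. Because ASLR relocates a whole module but not the distances inside it, that one leaked pointer plus an offset known from the attacker's own copy of the binary yields any other address in the module, which is the same thing a crafted document would have to phone home with. The hardened reader beside it rejects the over-long length instead of clamping it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout (an assumption for this demo, not an Office structure):
 * a record with a one-byte length and a fixed 16-byte payload, followed in
 * memory by the code pointer the parser calls when it is finished. */
struct record {
    uint8_t len;
    uint8_t data[16];
};

struct parser_ctx {
    struct record rec;
    void (*on_done)(void);
};

static void on_done_cb(void) { }
static void other_routine(void) { }  /* stands in for any other function in the same module */

/* Number of bytes from the start of the payload to the end of the whole object:
 * exactly how far the crafted length will make the vulnerable reader go. */
#define OVERREAD_LEN (sizeof(struct parser_ctx) - offsetof(struct parser_ctx, rec.data))

/* Vulnerable field reader: trusts rec.len and never compares it to the real size
 * of rec.data, so an over-long length copies payload bytes, alignment padding and
 * the neighbouring on_done pointer out to the caller (the out-of-defined-memory
 * read). The source is the whole ctx object so the demo's over-read stays inside
 * one object; the real bug would read arbitrarily far. */
size_t read_field_vuln(const struct parser_ctx *ctx, uint8_t *out, size_t out_cap) {
    size_t n = ctx->rec.len;
    if (n > out_cap) n = out_cap;
    memcpy(out, (const uint8_t *)ctx + offsetof(struct parser_ctx, rec.data), n);
    return n;
}

/* Hardened reader: the length must fit the payload that actually exists, and a
 * bad length is rejected rather than silently clamped. */
size_t read_field_safe(const struct parser_ctx *ctx, uint8_t *out, size_t out_cap) {
    size_t n = ctx->rec.len;
    if (n > sizeof ctx->rec.data || n > out_cap) return 0;
    memcpy(out, ctx->rec.data, n);
    return n;
}

/* Attacker side: on_done sits at a fixed, layout-determined offset in the leak. */
uintptr_t leaked_code_pointer(const uint8_t *leak, size_t leak_len) {
    size_t at = offsetof(struct parser_ctx, on_done) - offsetof(struct parser_ctx, rec.data);
    uintptr_t p = 0;
    if (at + sizeof p > leak_len) return 0;
    memcpy(&p, leak + at, sizeof p);
    return p;
}

/* ASLR shifts the module as a unit; intra-module deltas survive it. */
uintptr_t derive_address(uintptr_t leaked, intptr_t known_delta) {
    return leaked + (uintptr_t)known_delta;
}

/* Constructed malicious record: a length covering payload, padding and pointer. */
void build_malicious_ctx(struct parser_ctx *ctx) {
    memset(ctx, 0x41, sizeof *ctx);
    ctx->on_done = on_done_cb;
    ctx->rec.len = (uint8_t)OVERREAD_LEN;
}

/* Runs the whole chain; returns 1 if the leak recovers on_done_cb, the derived
 * address matches other_routine, and the hardened reader refuses the record. */
int demo(void) {
    struct parser_ctx ctx;
    uint8_t out[OVERREAD_LEN];
    build_malicious_ctx(&ctx);
    size_t n = read_field_vuln(&ctx, out, sizeof out);
    uintptr_t leaked = leaked_code_pointer(out, n);
    /* In a real attack this delta comes from the attacker's own copy of the binary. */
    intptr_t delta = (intptr_t)((uintptr_t)other_routine - (uintptr_t)on_done_cb);
    uintptr_t derived = derive_address(leaked, delta);
    size_t safe_n = read_field_safe(&ctx, out, sizeof out);
    printf("leaked on_done=%#lx derived other_routine=%#lx actual=%#lx hardened returned %zu bytes\n",
           (unsigned long)leaked, (unsigned long)derived,
           (unsigned long)(uintptr_t)other_routine, safe_n);
    return leaked == (uintptr_t)on_done_cb && derived == (uintptr_t)other_routine && safe_n == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

Run it twice on a system with ASLR enabled for PIE binaries and the printed addresses change between runs while the derived address still equals the actual one each time, which is the whole value of a read primitive to an attacker who only gets one shot.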