KAV TEST Part 3

Published by SSTA


CLIENT/SERVER SIDE ATTACKS and other tests:



Here we focus on attacks that occur via client applications (the browser, for instance) and that may serve as an entry point in case of intrusion.

NB. Most of these tests were done during the summer of 2006, and newer versions of IE and Firefox are not vulnerable to some of these flaws.


1) URL obfuscation: at http://www.retrosynth.com/misc//phishing.html : F1/F2

An interesting free anti-phishing program is MyIDNWeshield, which provides protection against link manipulation:



NB. An interesting overview and comparison of anti-phishing solutions is available here.
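The tricks a phishing link relies on (a fake site name in the userinfo part before "@", a raw IP as host, an internationalised host whose Unicode letters mimic Latin ones, the real name buried inside a longer host) can all be spotted from the parsed URL. The following checker is an added example, not code from the original page or from MyIDNWeshield; it uses only Node's built-in WHATWG URL parser, and the sample links and the hostnames "bank.example" / "login-secure.example" are constructed for the demonstration.

```javascript
// Added example, not code from the original page: flag the classic
// link-manipulation tricks a phishing page relies on. Uses only Node's
// built-in WHATWG URL parser. The sample links and the hostnames
// "bank.example" / "login-secure.example" are constructed.

function analyzeUrl(raw, expectedHost) {
  const findings = [];
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, host: null, findings: ['unparseable URL'] };
  }
  const host = url.hostname; // already lower-cased and IDNA-encoded by the parser

  // 1. http://www.bank.example@evil.example/ : what looks like the site name
  //    is the userinfo part; the browser connects to whatever follows the "@".
  if (url.username || url.password) {
    findings.push(`userinfo before the host (real host is ${host})`);
  }

  // 2. Raw IP hosts: dotted decimal, hex ("0x7f000001"), single-integer or
  //    IPv6 forms. The parser normalises the exotic forms where it can.
  if (/^(\d+|0x[0-9a-f]+)(\.(\d+|0x[0-9a-f]+)){0,3}$/i.test(host) || host.startsWith('[')) {
    findings.push('host is a raw IP address');
  }

  // 3. Internationalised host: Unicode labels become "xn--" punycode labels,
  //    which is where homographs hide (a Cyrillic "а" standing for a Latin "a").
  if (host.split('.').some(label => label.startsWith('xn--'))) {
    findings.push('IDN host (punycode label), possible homograph');
  }

  // 4. The expected name appears somewhere in the link, but the host the
  //    browser will talk to is a different domain.
  if (expectedHost) {
    const want = expectedHost.toLowerCase();
    const isTarget = host === want || host.endsWith('.' + want);
    if (!isTarget && raw.toLowerCase().includes(want)) {
      findings.push(`"${want}" appears in the link but the host is ${host}`);
    }
  }

  return { ok: findings.length === 0, host, findings };
}

// Stand-alone run over a few constructed links (the last one uses U+0430,
// a Cyrillic "a", in place of the Latin letter).
function demo() {
  const samples = [
    'https://www.bank.example/login',
    'http://www.bank.example@203.0.113.5/login',
    'http://www.bank.example.login-secure.example/',
    'http://b\u0430nk.example/',
  ];
  return samples.map(s => ({ link: s, ...analyzeUrl(s, 'bank.example') }));
}

console.log(demo());
```

Only the first sample comes back with `ok: true`; the second is reported twice (userinfo and raw IP), the third as a look-alike host, the fourth as a punycode host.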


2) Web application based attacks and online virtual keyboard keylogging


a) Virtual keyboard keylogging (see also part 2 and the spy tests): F1/F2

It is important to note that this is a real threat, and a speciality of Brazilian phishers.
Virtual keyboards are used by many banks to protect online logins against keyloggers, but relying on a single kind of authentication, especially a purely software one, is no panacea at all: this was fully demonstrated a few years ago.


More info about this subject here or here for instance.

Recently, RSA released a solution called RSA Fraud Action AntiTrojans against this threat.
However good and improved Internet Explorer may be, we strongly suggest Firefox: with the number of extensions available (especially in the developer section), Firefox can be very helpful for web application analysis, and even for web application attacks...
For normal users we can also mention the Sxipper and KeyScrambler add-ons.
But in any case, it is first of all up to the server side to provide secure services (banks, online shops), and it is the server side's duty to take care of its web applications and audit them frequently against possible attacks (also info here or there):







While there are many effective commercial web vulnerability scanners, such as Acunetix or WebInspect, free and open source solutions also exist, like Secubat or, more recently, ProxMon: there is no excuse for the server side.

Web applications are already a threat and a malware vector (especially for worms).

A new generation of specialised software has been designed against this kind of threat, such as Norton Confidential (expensive, as usual with Symantec).
But here we do not play the security industry's marketing game ("buy our software or be afraid"), especially when these solutions are not 100% reliable...
In order to mitigate the risks, we can suggest a whitelist approach (HIPS), McAfee SiteAdvisor, StopBadware, Finjan SecureBrowsing, running the browser in a sandbox or "virtual condom" (like VappWare or BufferZone), running a text browser like Lynx under Sandboxie, using an extension like NoScript...
Or forgetting JavaScript for good...

But as usual, there is no perfect software solution...
Microsoft is also taking care of this new generation of threats with BrowserShield, but Microsoft Research projects are like Nessie (remember Strider GhostBuster): something that has never seen the light of day...


The test is done with a demonstration tool that uses JavaScript:











Each time we type something with the virtual keyboard, it is automatically recorded, and this without any alert from the KAV proactive module or the web antivirus (AVs are not armoured against client/server attacks; they are mostly designed to protect against local threats).
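Why the on-screen keyboard records so easily: its keys are ordinary page elements, and any script running in the page, the bank's own or an injected one, receives the same click events. The model below is an added example, not code from the original page's demonstration tool nor from any bank's widget; the layout, the PIN and the fixed rotation that stands in for a randomised layout are constructed for the demonstration.

```javascript
// Added example, not code from the original page: a model of an on-screen
// keyboard plus the two kinds of in-page keylogger a phishing/XSS payload can
// install. Layout, PIN and the "rotation" standing in for a randomised
// layout are constructed for the demonstration.

class VirtualKeyboard {
  constructor(layout) {
    this.keys = layout.split('');   // key labels, left to right
    this.listeners = [];            // any script in the page can register here,
                                    // exactly like addEventListener('click', ...)
  }
  addEventListener(fn) { this.listeners.push(fn); }

  // Some banks redraw the keys in a random order at each login. A fixed
  // rotation stands in for that permutation so the result is reproducible.
  rotate(n) { this.keys = this.keys.slice(n).concat(this.keys.slice(0, n)); }

  // The user clicks the key at position `index`; the click event carries the
  // clicked element, whose label is readable by every listener.
  click(index) {
    const ev = { type: 'click', target: { textContent: this.keys[index], index } };
    for (const fn of this.listeners) fn(ev);
  }
}

// The bank's own handler: append the clicked label to a hidden password field.
function installBankHandler(kb, passwordField) {
  kb.addEventListener(ev => { passwordField.value += ev.target.textContent; });
}

// Keylogger A: records only *where* the user clicked and decodes it later
// with the default layout. Layout randomisation defeats this one.
function installPositionLogger(kb, sink) {
  kb.addEventListener(ev => sink.push(ev.target.index));
}

// Keylogger B: reads the clicked element's label. Randomisation is
// irrelevant, the payload sees exactly what the user sees.
function installLabelLogger(kb, sink) {
  kb.addEventListener(ev => sink.push(ev.target.textContent));
}

const DEFAULT_LAYOUT = '0123456789';

function simulateLogin(pin, randomiseLayout) {
  const kb = new VirtualKeyboard(DEFAULT_LAYOUT);
  if (randomiseLayout) kb.rotate(3);      // layout becomes 3456789012
  const passwordField = { value: '' };
  const positions = [], labels = [];
  installBankHandler(kb, passwordField);
  installPositionLogger(kb, positions);   // injected payload, variant A
  installLabelLogger(kb, labels);         // injected payload, variant B
  // The user clicks whichever key currently shows each digit of the PIN.
  for (const digit of pin) kb.click(kb.keys.indexOf(digit));
  return {
    entered: passwordField.value,
    stolenByPosition: positions.map(i => DEFAULT_LAYOUT[i]).join(''),
    stolenByLabel: labels.join(''),
  };
}

console.log(simulateLogin('4711', false)); // all three fields read 4711
console.log(simulateLogin('4711', true));  // position logger misreads, label logger still 4711
```

With the rotated layout the position-only logger decodes the clicks as 1488 instead of 4711, which is the whole benefit of randomising the keys; the label-reading logger is unaffected, which is why the protection fails against a payload that runs inside the page.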




b) Ajax worm (POC): F1/F2

NB. Here we just scan the script (a real-life test requires a web site): since it is not included in the database, we can logically assume that there is no way for the full protection to detect or prevent it.



Another study of the "XSS worm" here.

As the AV industry has not released the Ubiquity machine, we have here another example of the limits of the blacklist concept:



OWASP has already released a web scanner dedicated to Ajax (Sprajax).


NB. For those who have visited this page with JavaScript enabled, their computer may be infected by a "blog worm": as far as we know, this very dangerous worm is currently unknown to antivirus labs...




c) Ajax sniffer test: F1/F2






d) Stealing clipboard data: F1/F2







In this example we used a Prevert-style catalogue (Prevert being the French author famous for his inventory poetry) of Russian culture and heroes, but it could be a chapter of a thesis, a love letter or anything confidential. The mechanism is the one that made this trick notorious in the Internet Explorer of that era: a page script could read the clipboard with window.clipboardData.getData("Text") unless the "Allow paste operations via script" setting was disabled in the zone's security settings.

e) Cross-site scripting attacks (also known as XSS): F1/F2

Scripts example found at http://hackers.org/xss.html

We ran several online tests on a specific page designed to generate this kind of exploit:





As this article says, XSS is used more and more by attackers: XSS worms and backdoors already exist:

Example (backdoor XSS):



Solutions exist to mitigate the risks, and the easiest for normal users is for instance the XSS Warning Firefox extension... but security is a funny Disneyland cat-and-mouse game: any browser content can be an attack vector, extensions/plugins included... XSS Warning itself included...
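The server-side fix that both the Ajax worm of 2b) and the XSS tests of 2e) call for is the same: never interpolate user-controlled data into HTML without escaping it for the context it lands in. The following is an added example, not code from the original page, from the test page it used, or from any real worm; the profile, the "/profile" endpoint, the "app.example" base URL and the worm-shaped payload are constructed for the demonstration, and nothing in it is executed, the payload is only text.

```javascript
// Added example, not code from the original page: the same attacker-written
// profile rendered into HTML as-is (the bug) and escaped per context (the
// fix). Profile, "/profile" endpoint and payload are constructed; the
// payload is inert text here.

// A self-propagating XSS ("Ajax worm") is a stored XSS payload that, once it
// runs in a victim's browser, uses the victim's own session to write itself
// into the victim's profile. Inert illustration of the shape of such a payload:
const WORM_PAYLOAD =
  '<script>var x=new XMLHttpRequest();x.open("POST","/profile");' +
  'x.send("bio="+encodeURIComponent(document.body.innerHTML));</script>';

// Text context: the five characters that can change meaning inside HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// URL attribute context: escaping alone is not enough, "javascript:alert(1)"
// contains nothing to escape. Resolve the value and accept only http(s).
function safeHref(raw) {
  try {
    const u = new URL(raw, 'https://app.example/');   // base is an assumption
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch (e) { /* unparseable: fall through to the inert value */ }
  return '#';
}

// The vulnerable template: user data interpolated straight into markup.
function renderProfileUnsafe(p) {
  return `<h1>${p.name}</h1><p>${p.bio}</p><a href="${p.homepage}">home</a>`;
}

// The hardened template: every interpolation escaped for its context.
function renderProfileSafe(p) {
  return `<h1>${escapeHtml(p.name)}</h1><p>${escapeHtml(p.bio)}</p>` +
         `<a href="${safeHref(p.homepage)}">home</a>`;
}

// A crude check in the spirit of the scanners mentioned above: does the
// rendered markup contain a script tag, an event handler attribute or a
// javascript: URL?
function hasActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed profile written by an attacker: worm in the bio, a
// javascript: URL as homepage.
const MALLORY = {
  name: 'Mallory',
  bio: WORM_PAYLOAD,
  homepage: 'javascript:alert(document.cookie)',
};

console.log('unsafe rendering active:', hasActiveContent(renderProfileUnsafe(MALLORY))); // true
console.log('safe rendering active:  ', hasActiveContent(renderProfileSafe(MALLORY)));   // false
```

The unsafe rendering ships the worm to every visitor of Mallory's profile, who then posts it into their own; the escaped rendering shows the payload as harmless text, and the href is replaced by "#" because a javascript: URL can never be made safe by escaping.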


3) Browser attacks and crash tests



a) Firefox DoS exploit

This exploit (by P4) is a remote code execution of Outlook via JavaScript.

A few details about it here:

-at the original POC: http://geocities.com/werterxyz/test2.html: F1/F2




-at http://securityview.org/test.html: F1/F2




b) Crash of Internet Explorer:

-example 1: http://212.143.183.4/finjan/objects/MCRC/DosDemo.htm : F1/F2


-example 2: http://ccomb.free.fr/testIE.html: F1/F2



KAV warns only about Dr. Watson (the Windows crash handler):



Even with specific rules, KAV can't prevent the browser "crash".





The test was also done live (sending the link via Yahoo Messenger): the result can be seen on the right:





c) Pop-up escalation:


-with IE: F1/F2




-With Outlook: F1/F2








d) Crashing the computer via an oversized image: F1/F2



Here's the event:



More info about this "bug" here.

4) Backdooring PDF files: F1/F2

A few details on this well-known site, and here a filter released by OWASP against some PDF attacks.







5) Man-in-the-middle code injection: F1/F2

For this test, we installed a fresh version of KAV without the update (= no patch for the privilege escalation vulnerability).

The purpose here is to inject a shellcode based on an exploit (for that KAV flaw) into an executable that the target victim is downloading.
This is done via a man-in-the-middle (hence ARP spoofing) between the two hosts: the victim's host and the download server.
The shellcode is injected on the fly into the stream in transit, so the executable stored on the server is not changed; but once the downloaded copy is run, the shellcode executes locally...
An interesting exploitation of the flaw for a more effective and stealthy intrusion. The practical counter-measure is an integrity check the network cannot tamper with: comparing the downloaded file's hash or digital signature against a value obtained out of band reveals the modification, whereas a plain HTTP download with no such check gives the victim nothing to notice.




6) Windows account and privilege protection


a) Gaining administrator privileges: P1/P2

NB. This test is for illustration and simulation purposes only (old exploit).
A fully functional similar tool was released in 2007, unknown to antivirus software.







b) Account creation with AjouteUser (R) via CMD: F1/F2


Example 1: zidane1 account creation:













Example 2: EUGENE account creation:



As we can see, a simple command line displays the account info:




And now we can log on with this account after typing the password (KASPERSKYTEST):



NB. Eugene Kaspersky could say thanks to perestroika, but not to the proactive module, which does not protect the account keys by default.


c) Remote creation of a hidden account: F1/F2

In this example, we chose a simple RAT with a registry editor function.

We just create the "kareldjag" hidden account with a "0" DWORD (the value lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList and is named after the account: 0 hides it from the welcome screen and the User Accounts control panel, while net user still lists it).







NB. This can easily be done with any registry browser if the host is not well hardened, especially when the Remote Registry service is running!

d) Shatter attack: F1/F2

A net user command displays the new account (hacker):



The new account is created and shown on the Winlogon screen (no password required) and also in the Control Panel:









e) Privilege escalation protection:


-with Privdropper: F1/F2




SeDebugPrivilege is often important in case of intrusion (hacker or malware): once an attacker has gained enough rights, he can disable specific privileges for many purposes, for instance to prevent the victim from running rootkit detectors.
And this is one of the weaknesses of F-Secure Blacklight:



This is also a sign of infection by nasty spyware like Look2Me.
The more privileges, the more possibilities to compromise the system more deeply.

f) Running cmd.exe with SYSTEM privileges: F1/F2

From the administrator account (KARELDJAG), we launch the command line with SYSTEM privileges.



Here is cmd.exe under the admin account, as shown by the Task Manager:



And here after the privilege escalation:



As shown by Process Explorer, the user for cmd.exe is now SYSTEM (it was spawned via svchost.exe):





And now we have the highest level of privileges via the command line, and are able to compromise the system more deeply.

The same test on another computer:




cmd.exe with admin privileges:







cmd.exe with SYSTEM privileges:






And we have many more privileges now:



Running an application with SYSTEM privileges is not difficult (it is already well documented) and only requires minimal Windows skills.
Moreover, many hack tools can do this more easily and without any particular knowledge, like this one:




g) Gaining full SYSTEM privileges and logging on as the "SYSTEM account": F1/F2

SYSTEM is not really considered an account (the OS logs on as... SYSTEM (!)).
In case of intrusion, this kind of local privilege escalation is "noisy": the user/administrator should be alerted by suspicious events, the desktop disappearing for 2 or 3 seconds for instance...

In our example, we switch from the kareldjag account/administrator privileges to the "SYSTEM account"/SYSTEM privileges without an interactive logon.

The next two images display the administrator account:






The Task Manager displays the running services (SYSTEM) and applications/programs (kareldjag):




And after the local privilege escalation:




As shown above, all service and application/program processes, like the Task Manager, the screenshot utility (srip322.exe), the radio utility (RadioFrSolo.exe) and the firewall (KAVPF.exe), are running with SYSTEM privileges.
An example with explorer.exe:





If we query who is logged on, it is the "NT AUTHORITY\SYSTEM" user that is displayed, as shown by the next image:



This way, classical shatter attacks become very easy:





Any process launched via cmd will run with SYSTEM privileges.

And we did not use the User Switcher service mode via the Winlogon screen: we are logged on automatically as SYSTEM!





If we check our rights, we can see that we have the highest level of privileges:









And no need to crack the administrator password: we can reset and change any account password, and make the machine ours.

If we try to get info about the "SYSTEM account" via cmd or a third-party utility, only errors are displayed:

With a net user command: "the user name is unavailable"


With an administrator tool: "Getting User information failed!"




In fact we are logged on as "SYSTEM", but the system does not recognise itself as an account.

NB. This test was done on a non-hardened host/system.
It was done locally, and remotely via a RAT (a simple shell is enough).
The more services are running on a host, the more vulnerable this host is to privilege escalation (svchost.exe was used in our example, but doing the same with other services is not impossible at all).

The first step for security (often forgotten by home users) is to use Windows itself as the first line of defence by hardening the system: least privilege practice, disabling any unnecessary and unused service, hardening the registry etc.

Home users can find some info here, especially part 4, which includes exhaustive resources on rights and account management (the audit test is highly recommended).




1. There is a lot to read, so we suggest taking a coffee/tea break with Zidane.

On this blog, we can find various games and videos related to the "affair" (just click on the first, second and third links for Flash games).


In this YouTube video, we can see DelVecchio vs Materrazzi, a kind of remake...

Materazzi will certainly never get the Golden Ball or the MVP award, but it seems that he has great acting talent: this is not the Lee Strasberg method (Actors Studio), but... Commedia dell'Arte: so please, an Oscar for Materazzi!

French readers can find dedicated blogs here and here.

For English readers: here and there are two sites related to the "affair", a site devoted to Zidane, and a funny blog section dedicated to football (sorry, football is football, not soccer).
Here for our Italian friends and neighbours, and "rendez-vous" in September...

And for ladies and girls who don't like football at all, er... they can take a look at these funny cats, babies and monkeys.








KAV TEST PART 3 NEXT AND END



Published in KASPERSKY 6 TEST
