> Did you read the Reg article? It has nothing to do with the definition of a > "security boundary." It's not about that at all. It's about a title tease > of "bypassing protected mode" with associated inaccurate content when the > whole thing could be summarized with "Protected Mode is not enabled by > default in the Intranet zone." The "boundary" conversation, while > interesting, is irrelevant here. > > I know times are tough and click-throughs on ads need to be maximized, but I > don't think misrepresentation of technical content is appropriate. I can > understand why the Reg would write the article, but I asked Guninski if the > reason he posted it was because he considered Protected Mode being disabled > by default in the Intranet zone some sort of security issue.
Read the actual research. === One vector is through name squatting attacks in the user’s “BaseNamedObjects” (BNO) kernel object namespace. In this attack, an object with a fixed name can be created which is then opened by an application that trusts the object not to be malicious by virtue of it existing in the local namespace (which was previously a reasonable assumption). This issue has been given as an example of why Protected Mode is not a security boundary by Microsoft. Another vector is through leaked or duplicated handles. Access control decisions are made at the point that an object is opened, so existing handles may provide access to resources that are only accessible to more privileged contexts if they are transferred between processes. Handles in low integrity processes which have write access rights to higher integrity objects can be considered privileged. It was through this vector that Skywing escaped from Protected Mode using a leaked handle. The last vector is through objects which are deliberately shared between low integrity processes and higher integrity processes. This includes the Window Station kernel object which is shared between all processes within the same interactive logon session. With full access to the Window Station, low integrity processes also have access to the Global Atom Table, Window Station properties, the user’s clipboard and the “\Default” Desktop object. Such objects can be detected through a tool written as part of this research that locates objects open in low and higher integrity processes; to determine if two handles refer to the same object, the kernel mode pointers to the object’s data structure are compared. The Global Atom Table is used to store both integers and strings which are each indexed by an integer. A simple fuzzer was created to fuzz this table, which only caused a null pointer dereference in “Process Explorer” and corruption of Internet Explorer UI elements. Dynamic Data Exchange (DDE) inter-process communication occurs through the Global Atom Table and this may be subject to more interesting attacks via malicious atom table manipulation.28 Internet Explorer also uses the Global Atom Table heavily, but it would seem mostly for User Interface related functionality. === _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
