Browser Exploitation Expanded – NoScript, Sandboxie

So I got a message asking me to expand on my previous post on browser exploitation. The user wanted to know about how security software such as NoScript and Sandboxie would deal with a browser exploit. I’m going to just go through each one on their own and explain what an attacker would be dealing with in each case.

The scenario is that you’re running Firefox with NoScript and Firefox with Sandboxie (separately, for simplicity) and you’ve visited a malicious website where the attacker controls the entire page of content. The attackers goal is to exploit the browser and monetize the system.

NoScript

NoScript works in a few ways. For the purposes of this post I’ll be focusing on the scripting whitelist aspect of it, as things like HSTS/XSS won’t make a difference in our scenario.

As an attacker I’m incredibly limited by NoScript. Most exploits are going to be in the Javascript renderer or through some plugin. With NoScript I have none of that attack surface. Instead I have to resort to exploiting some other component, like a font renderer, or find a flaw in NoScript that will allow a bypass.

This limitation is significant. I can’t even start my attack unless it’s a very specific (and less common) type. So NoScript is incredibly effective here.

If, however, I trick the user into whitelisting the site (or I have hacked an already whitelisted site) my options are much better. Now I can run Javascript, and now my exploit should work just about perfectly, as long as it doesn’t rely on XSS/CSRF.

On a whitelisted site the user is partially protected, specifically against XSS/CSRF attacks, but if I control the entire site and it is whitelisted I have enough power to exploit the browser as if it weren’t there.

Sandboxie

Sandboxie is a program designed to create a copy-on-write sandbox for programs. It emulates system services and attempts to isolate the browser as best it can. As an attacker Sandboxie doesn’t come into play until I’ve actually taken over the browser.

So, I get you to click a website, I break into your browser (see other post on browser exploitation), and now I’m in a somewhat confined environment. Anything on the system is readable by default, giving me a massive amount of valuable information about the system, like what programs are installed, security policies, personal documents, passwords, databases, etc. Post exploitation becomes much easier when read access is granted so gratuitously, making later steps much easier.

Is an attacker I can probably already make serious money off of this user. I have their browser info, potentially passwords or hashes, I can get personal documents, I can keylog, I can read work documents, etc. But what if I want to get persistence? What if I want this to be part of my new botnet? I have to get out of the sandbox.

Now I have to get out of the sandbox if I want enough rights to hook this machine up to my botnet. How do I go about doing this? Well, thanks to the read access I’ve been given I have a ton of info on the system. This makes local exploitation much easier. I can exploit the kernel in the sandbox (reducing kernel attack surface on Windows is ridiculously difficult read: not a logical approach) and break right out, once I’m kernel level I simply unhook Sandboxie and I own the computer, I can do whatever I want.

Depending on the sandbox configuration things can be much much easier or potentially more difficult (I see more weak policies than strong policies in my experience).

Conclusion

And there you have it. Two security programs that a few people have been asking me to discuss for some time. I’m avoiding talking about the programs themselves and their own attack surface, but if you read my posts you’ll be able to extrapolate.

I would say that NoScript adds a very significant layer of security, and should be on every Firefox users browser. Sandboxie is a good choice if you’re willing to set up powerful policies and start denying read access – a default install is OK though.

Do Not Track On By Default In IE10

Internet Explorer 10 is the browser shipping with Windows 8 (currently in Release Preview) and it’s got an interesting feature. Do Not Track is a new would-be standard for telling advertisers not to track you online. Microsoft has stated that it will be enabled DNT for IE10 by default.

The Importance Of Privacy

Every single user should have complete and final control over their data. No one should be able to track you if you don’t want to be tracked – not the government and not corporations. I hold this to be fundamentally true.

Do Not Track does not actually stop anyone from tracking you. It “asks nicely” for them to stop tracking you and they have no legal obligation to care. Still, as DNT is incorporated into modern browsers it will hopefully become the standard and it could be enforced both by browsers (blacklisting ads that don’t comply) and the law.

The Big Problem

I’m new to blogging, and while I don’t own this domain or use Google Analytics I can see a lot of information. I see where people come from (the majority of users who visit this blog are from Google), which articles are popular, which tags are popular etc. If I were so inclined it would be very easy to make my blog more targeted to take advantage of the information provided to me. Even with a few days of information I can see a ton about how to increase my blogs popularity.

The same is true for advertisers. This tracking isn’t just about being creepy – it really does help. If I’m getting ads for makeup products I’m not going to click them, if I get an ad for some new book about computer or whatever I’m way more inclined to click that ad.

The sad truth of it all is that ads are what make the internet possible. Everyone has to pay for hosting or come up with some other business model, which means selling you something else. That or you’re paying out of pocket.

So while I commend Microsoft for implementing Do Not Track I’m going to outright say that this is a bad decision for the internet as a whole. It should be a choice but it should be off by default. Put a little box asking users to enable it at first run if you want, explain to them what it means. But turning off tracking for 50% of the internet is not ‘healthy’ for it.

If the entire world turned on DNT and Adblock the internet would have no way to maintain revenue. It’s not that every site would shut down overnight but tons of sites would have to start paying monthly fees and a lot would shut down.  I’m not saying to turn DNT off, just think about that.

Personally, I run Adblock Plus (which sends a DNT header) and I whitelist any website that I want to support. Adblock Plus already whitelists ads that it considers to be unobtrusive and that is a policy that I wholeheartedly support.

I think this is a really weighted subject and there’s a lot to talk about here but for now this will do.

Sources:

https://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/05/31/advancing-consumer-trust-and-privacy-internet-explorer-in-windows-8.aspx