DEFENSEWALL TEST Part 3

Publié le par nicM and kareldjag




Part III Client/server side attacks and other tests



11° URL obfuscation


DefenseWall doesn’t claim to protect against URL obfuscation. Failed.


12° Internet Explorer exploits


a) WMF exploits

Note : DefenseWall doesn’t claim to prevent exploits themselves, but to control/prevent damages when exploits are used. Therefore all of what is downloaded and executed through the exploits is enclosed within the ‘untrusted zone restrictions. That's the way DefenseWall is protecting against exploits.

That's the reason why some exploits tests results are "failed", even if theses results are such by design : DefenseWall doesn't pretend to prevent exploits, but to control and to limit damages theses exploits can do.


* At http://sipr.net/test.wmf :


The exploit does launch calc.exe and rundll32.exe, but ‘untrusted : Failed.




* At http://testing-onlytherightanswers.com/notepad.tiff :


Here too, the exploit can work, notepad is trying to open the file, while rundll32.exe is running. Failed.


 




* At http://testing-onlytherightanswers.com/notepad.emf :


Idem for this one : Failed.

 




b) Recent and unpatched vulnerabilities


* At http://testing-onlytherightanswer.com/iedie.html :


The test is not prevented by DefenseWall, the browser is crashing. Failed.





* At http://testing-onlytherightanswer.com/TextRange.html :


Idem : Failed.




* The warez site test :


This one does launch a HUGE collection of malwares, starting thanks to the WMF exploit :



Were downloaded : several trojan downloaders (Delf, Small, with several variants for each one) + Tibs, SpySheriff, and a rootkit. Since everything from the payload is launched ‘untrusted, the files are able to start, and  finish by freezing the computer because of the resources hog.  This is quite a mess on the computer during the infection :



You can see there are new icons on the desktop,

for instance.


But the most harmful actions performed by the malwares are blocked, as you can see in these screenshots :

(only five, to illustrate)




DefenseWall is able to kill all ‘untrusted processes, but after a while (due to the resources hog, freezing literally the computer).


But after closing all untrusted processes, the resource hog is disappearing . All files created by the various malwares downloaded can then be seen in the rollback panel, with their registry keys and values :




In this situation, I did reboot without to rollback all theses changes before, to check if the computer was clean after the reboot.

 Result : None of the malware were able to survive the reboot : Of course, prevention of the exploit is failed, but concretely (about the payload and infection), the test is passed.


13° Firefox exploits


* At first link : OE is launched, ‘untrusted. Failed.

But OE is under control :


* At 2nd link : idem. (this one did launch as OE windows as there was memory available (>90), so that the computer is frozen : I had to close 4 or 5 windows to be able to record the screenshots). Failed here too.


c) Link of Death


As expected, the browser is blocked, the prompt keeps reappearing. Failed.


14° Finjan tests


a) Crashing IE


link not working/site down


b) Remote code execution


Link not working, site down


14° Windows accounts and privileges protection


* With AjouteUser : Test passed, the new account can’t be created.


 

 


* With HideUser : Test passed, because the new hidden user can’t be created, lsass.exe is prevented from doing so, although the process is not 'untrusted - but instructed to create the account by HideUser.







* Shatter attack :


The visual basic script and CMD are run as untrusted, and the account can't be created: Passed.



Ilya Rabinovitch answer:There is no shatter attack protection within 1.40, I'm already implemented strong shatter attack protection within 1.60, but it is
not activated due to marketing reasons (I'm going to activate it
within 2.0 version). Anyway, there is no ITW malware with shatter
attack module.


*Privileges protection:


-with Privdropper:


CMD and Privdropper are run as untrusted, but DefenseWall was unable to prevent the deactivation of the SeDebugPrivilege: Failed.






The event can be reversed with the Rollback function, but unfortunately, it was not prevented.


Ilya Rabinovitch answer:There is no need to control privilege level inside untrusted processes. Defense itself is independent to privileges level.


-with Fu:


We're unable to load the required driver for enabling SeDebugPrivilege on defensewall.exe: Passed.




 


*attaching local group (administrator or SYSTEM) privilege on a process with fu: Passed (unable to load the msdirectx.sys driver).



 

 


 

 

 


PART 3 Suite




Publié dans HIPS TESTS

Commenter cet article