Researchers Bypass Internet Explorer Protected Mode

A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he’s successfully exploited a bug on the system.

Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. Protected Mode was introduced in Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.

Protected Mode mitigates exploitation of browser bugs chiefly by running many of the browser’s processes at low integrity, with very limited privileges on the machine. The idea is that even if an attacker is able to exploit a vulnerability and get code running on a machine, that code will not be able to do anything of consequence on the PC. However, not all sites and processes are treated equally in Protected Mode.

“Through the hooking of the low integrity Internet Explorer process, the Protected Mode API exposed by the Internet Explorer broker process and other application compatibility techniques, a large number of in-process Internet Explorer extensions work in low integrity without modification. However, other more complicated add-ins and applications require modification. As a result of this incompatibility and Microsoft’s dedication to backwards compatibility, not all Internet Explorer zones render their member sites in Protected Mode. Each Internet Explorer zone defines a set of security policies for pages rendered in that zone and enabling Protected Mode is one of the available settings,” researchers at Verizon Business wrote in their paper, “Escaping From Microsoft’s Protected Mode Internet Explorer.”

In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine. The technique moves the attacker from the relatively unprivileged low-integrity level to the medium-integrity level, giving him complete access to the logged-in user’s account.

“The attack assumes the existence of an exploitable memory corruption vulnerability within Internet Explorer or an extension, which is the precise scenario that Protected Mode is supposed to mitigate. Once the initial remote exploit has been used to execute arbitrary code at low integrity on the client, the payload can create a web server listening on any port on the loopback interface, even as a limited user at low integrity. The web server should be able to serve up the original exploit that allowed remote exploitation in the first instance. Since the exploit will now be launched from the same machine, exploitation can be made significantly more reliable as Address Space Layout Randomisation (ASLR) is no longer effective and other exploitation techniques can be used with higher probabilities of success,” the paper says. “The browser can be instructed to navigate to this new malicious web server using the IELaunchUrl() function, which is callable from low integrity as part of the Protected Mode API. This will cause a new tab to be launched which will navigate to ‘http://localhost/exploit.html’ or similar. The new malicious web page will be rendered in the Local Intranet Zone and the rendering process will now be executing at medium integrity. By exploiting the same vulnerability a second time, arbitrary code execution can now be achieved as the same user at medium integrity. This provides full access to the user’s account and allows malware to be persisted on the client, something which was not possible from low integrity whilst in Protected Mode.”
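The escape described above depends on the Local Intranet zone rendering outside Protected Mode. As an added example that is not part of the article or the Verizon Business paper, the PowerShell script below reports which Internet Explorer zones currently render in Protected Mode and, with -Fix, turns Protected Mode on for the Local Intranet zone for the current user. It assumes Microsoft’s documented zone registry layout (zones numbered 0 to 4, action value 2500 with 0 = on and 3 = off, policy keys consulted before the user’s own keys), none of which the article itself spells out.

```powershell
# Added example (not from the article or the Verizon Business paper):
# report, per Internet Explorer security zone, whether Protected Mode is
# turned on, and optionally turn it on for the Local Intranet zone.
# Registry layout (zone numbers, action value 2500) follows Microsoft's
# documented zone settings, not anything stated in the article.
param([switch]$Fix)

$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

# Policy keys are consulted before the user's own settings.
$zoneRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$userZoneRoot = $zoneRoots[2]

# Action 2500 = "Turn on Protected Mode": 0 means on, 3 means off.
function Get-ProtectedModeSetting {
    param([int]$Zone)
    foreach ($root in $zoneRoots) {
        $key = Join-Path $root ([string]$Zone)
        # Missing key or missing value both come back as $null here.
        $item = Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $key; Value = [int]$item.'2500' }
        }
    }
    return $null
}

foreach ($zone in 0..4) {
    $setting = Get-ProtectedModeSetting -Zone $zone
    if ($null -eq $setting) {
        $state = 'not set (IE default applies)'
    } elseif ($setting.Value -eq 0) {
        $state = 'ON  (renders at low integrity)'
    } else {
        $state = 'OFF (renders at medium integrity)'
    }
    '{0,-16} {1}' -f $zoneNames[$zone], $state
}

# Remediation: the bypass relies on the Local Intranet zone (1) rendering
# outside Protected Mode, so turn it on there for the current user. A policy
# key that already sets 2500 for zone 1 takes precedence over this value.
if ($Fix) {
    $intranet = Join-Path $userZoneRoot '1'
    if (-not (Test-Path $intranet)) { New-Item -Path $intranet -Force | Out-Null }
    Set-ItemProperty -Path $intranet -Name '2500' -Value 0 -Type DWord
    'Protected Mode turned on for Local Intranet under HKCU; restart Internet Explorer.'
}
```

Protected Mode also requires UAC to be enabled; where UAC is off, every zone renders at medium integrity regardless of the value reported here.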

Other vendors have adopted the sandboxing technique recently, specifically Adobe, which added a sandbox to Reader X. Google also put a sandbox in Chrome several years ago and this week announced that it is adding a sandboxed version of Adobe Flash to future versions of Chrome.


Discussion

  • Jay on

    Clever

  • antihacker101 on

    That sounds about right. Still waiting for someone to fix this ongoing ping of 2000 per hour since Feb 2009. Here is the last couple of minutes, aka 151 lines already in the logs.

  • u3912974 on

    I get the same from the same IP address and the same ports in China, and after I block them there are a whole lot more. Posting my logs will just get someone telling me that this is normal when it isn't. People are being duped, and there needs to be another device sold in stores that blocks this junk, placed between the router and the modem, perhaps?
