Comments on Project Zero: Kaspersky: Mo Unpackers, Mo Problems.
Comment feed, last updated 2024-03-28T17:48:16.347-07:00

No One, 2015-09-24T19:10:03-07:00:
Your exploit worked in Windows 7. Would it work in Windows 10 or with EMET installed and enabled?

Scott, 2015-09-24T10:36:07-07:00:
Why is Windows automagically executing code that is being read to scan for malicious code? Windows just "sees" that it's a DLL (i.e. code) and then immediately executes it before the scanner can finish scanning? C'mon, that's bad!!!

So, this payload seems like it could be delivered by spam as an innocent-looking .txt file, and the virus scanner will do the rest while scanning email attachments.

Scott, 2015-09-24T10:26:39-07:00:
> This would mean Kaspersky would see the ZIP file appended to the DLL and then scan my exploit, but Windows would see a valid DLL.

Why would Windows "see" the valid DLL and then execute it from there? While Kaspersky (or any AV) is scanning, we expect it to read the data without executing it as code. I know it's code, but it should be assumed to be malicious and treated as data at least until scanning is finished.
(Sorry, I'm not a Windows dev, but this is fundamentally bad, no?)

Anonymous, 2015-09-23T05:38:40-07:00:
I think you have to look for "session 0 isolation":
http://blogs.technet.com/b/askperf/archive/2007/04/27/application-compatibility-session-0-isolation.aspx

Anonymous, 2015-09-23T03:54:03-07:00:
> I think it's possible to see this kind of behavior not only in AV products, but in all kinds of products that make some unpack things for analysis, no?

Yes, just have a look at Wireshark and how many security bugs they have.

Alex, 2015-09-23T02:39:33-07:00:
The calculator itself can't be seen on the desktop, because it's being opened on the desktop of the user account that runs the service.

ac, 2015-09-23T01:00:09-07:00:
The desktop associated with the service account (most likely LocalSystem or so), as opposed to the desktop named "Default" (minus quotes), which is the one the user sees (and user programs run on).
See https://msdn.microsoft.com/en-us/library/windows/desktop/ms687105(v=vs.85).aspx

ac, 2015-09-23T00:58:25-07:00:
Most likely they had VS projects dating back to when /GS was not available, and importing them into a newer VS version left /GS off. I know it has happened to me as well.

robert101, 2015-09-22T23:13:37-07:00:
On Windows, services are prevented from accessing the user's desktop for security reasons. So for compatibility reasons, any service that tries to access the desktop automatically gets redirected to a special "desktop" specifically for that service, which you normally can't see but through some trickery can switch to and see whatever UI the service showed.

Anonymous, 2015-09-22T22:52:07-07:00:
Every user in Windows has its own visible desktop, sometimes referred to as the shell. You can experience that with user switching (not logging off).
The system is a separate user in every Windows system and has its own (usually not visible) desktop. On that desktop (belonging to the system user) the calculator is started. For example, UAC happens on that system desktop. During UAC a desktop switch occurs and a screenshot of the user desktop is displayed as a darkened background picture, with only the message box asking for permissions shown on that system desktop.

andrewchambers, 2015-09-22T21:20:20-07:00:
Scanning files in a non-memory-safe language or outside of an effective sandbox is horrible. AV will scan files as soon as a flash drive is connected, so having AV installed is currently a bad idea if you care about security.

Adam Baxter, 2015-09-22T20:14:11-07:00:
Probably the "desktop" for the SYSTEM account on Windows, which you normally wouldn't be able to see. Another way to say it is that it's launched in the context of a different user.

B1rdEX, 2015-09-22T20:12:52-07:00:
Calc spawned by avp.exe is executed in a special services session and can't interact with the user's desktop.
This is starting from Vista. XP and prior were able to interact with the desktop.

Lee Wei, 2015-09-22T19:29:54-07:00:
What do you mean by "Service Desktop"?
Google search turned up no results for me.

randall, 2015-09-22T14:07:22-07:00:
> I think it's possible to see this kind of behavior not only in AV products, but in all kinds of products that make some unpack things for analysis, no?

Yes, parsers anywhere can have bugs, but they're especially concerning in widely-used programs with system-level privileges that are expected to run on potentially malicious content.

Larry Seltzer, 2015-09-22T12:15:16-07:00:
More brilliant work by T.O.

Parsing of complex data files is a common source of vulnerabilities. Has anyone attempted to make a source code collection of secure file parsers for formats like CHM, DEX and UPX, not to mention PDF, all the graphics formats, etc.?

> Kaspersky did not enable /GS...

WTF?!?! In fact, as the author goes on to say, it appears that Kaspersky actively disabled /GS.

> In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges.

Absolutely.

Anonymous (Marco), 2015-09-22T10:40:53-07:00:
Amazing job Tavis! Congratulations.

I think it's possible to see this kind of behavior not only in AV products, but in all kinds of products that make some unpack things for analysis, no?

Regards!

Marco