[URL="https://thehackernews.com/2016/10/code-injection-attack.html"]Source[/URL]
[QUOTE]Security researchers have discovered a new technique that could allow attackers to inject malicious code on every version of Microsoft's Windows operating system, even Windows 10, in a manner that no existing anti-malware tools can detect, threatening millions of PCs worldwide.
Dubbed "AtomBombing," the technique does not exploit any vulnerability but abuses a design weakness in Windows.
Besides bypassing process-level restrictions, the AtomBombing code injection technique also allows attackers to perform man-in-the-middle (MITM) browser attacks, remotely take screenshots of targeted user desktops, and access encrypted passwords stored in a browser.[/QUOTE]
[url]https://github.com/BreakingMalwareResearch/atom-bombing[/url]
Interesting.
I'm not super knowledgeable on the particulars of Windows development.
Is there anyone who could summarize the intended use of the atom table, which is central to this exploit? I understand well enough the use of async procedure calls to exploit the atom table (the particulars of [b]how[/b] to exploit them is a different matter), but I legitimately don't know why the atom table is there in the first place, and the article doesn't really explain it.
[B]UPDATE:[/B]
Never mind, I decided not to be a lazy git and [b][url=https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx]look it up myself[/url][/b].
In a nutshell, from what I can gather anyway, the atom table is basically a layer of indirection for passing strings around within and between programs: rather than passing the whole string around, you pass the "atom" around, which is a key into the table. So if you want to pass a string that's, say, 1024 characters, you can instead write it into the atom table, and instead of passing the 1024-character string, just pass the 16-bit (same size as 4 characters, classically) atom pointing [B]to[/B] the string instead.
Makes sense, and makes this exploit all the more interesting.
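Added example (not from the article or the atom-bombing repo): the documented global atom table API, called through P/Invoke from PowerShell so it can be tried without a compiler. The only constructed input is the sample string; GlobalAddAtom, GlobalGetAtomName and GlobalDeleteAtom are the real kernel32 exports. It shows the indirection described above (a 2-byte key standing in for an arbitrary string), that the table is shared rather than per process, that GlobalGetAtomName copies the stored string into whatever caller-supplied buffer it is handed, and that entries are reference counted and are not cleaned up when the adding process exits.

```powershell
# Added example, not code from the article or the AtomBombing repo.
# Exercises the global atom table through the documented Win32 API.
# Works in any PowerShell on Windows; no elevation needed.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtom(string lpString);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomName(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@
$Atoms = Add-Type -MemberDefinition $sig -Name GlobalAtoms -Namespace Win32 -PassThru

# Constructed sample string. The global atom table is shared by all
# applications, so any process that knows the 16-bit atom can read this back.
$text = 'hello from the atom table'
$atom = $Atoms::GlobalAddAtom($text)
'Atom 0x{0:X4}: {1} bytes of UTF-16 string reduced to a 2-byte key' -f $atom, ($text.Length * 2)

# Adding the same string again does not create a second entry; the existing
# atom is returned and its reference count is incremented.
$again = $Atoms::GlobalAddAtom($text)
'Second add returned 0x{0:X4}; same atom: {1}' -f $again, ($again -eq $atom)

# Reading back: the API copies the string into the buffer the caller supplies.
# Return value is the number of characters copied (0 means the atom is invalid).
$buf = New-Object System.Text.StringBuilder 260
$n = $Atoms::GlobalGetAtomName($atom, $buf, $buf.Capacity)
'Read back {0} chars: "{1}"' -f $n, $buf.ToString()

# A buffer that is too small gets a truncated copy, not an error.
$small = New-Object System.Text.StringBuilder 6
$n = $Atoms::GlobalGetAtomName($atom, $small, 6)
'Small buffer got {0} chars: "{1}"' -f $n, $small.ToString()

# Global atoms are not deleted when the process terminates: every
# GlobalAddAtom needs a matching GlobalDeleteAtom, so delete twice here.
$null = $Atoms::GlobalDeleteAtom($atom)
$null = $Atoms::GlobalDeleteAtom($atom)
$n = $Atoms::GlobalGetAtomName($atom, $buf, $buf.Capacity)
'After releasing both references, lookup returns {0} chars (0 = entry gone)' -f $n
```

The part worth noticing for this thread is the third step: GlobalGetAtomName writes the stored bytes into whatever address the calling process passes as lpBuffer. That is benign when a process calls it on its own behalf; the write-up linked above is about what happens when another process arranges for the call to be made.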
Well shit.
Panic
[QUOTE=AbbaDee;51278004]Well shit.[/QUOTE]
[QUOTE=Britishboy;51278033]Panic[/QUOTE]
It's 'just' yet another privilege escalation vulnerability/exploit (or not even, see below), meaning the malicious code has to run locally already.
pretty clever deal
[QUOTE=Tamschi;51278043]It's 'just' yet another privilege escalation vulnerability/exploit, meaning the malicious code has to run locally already.[/QUOTE]
and now we're back to the base rule: don't run random_funny.exe
[QUOTE=Matthew0505;51278056]random_funny.exe could fuck your user data even without admin privileges so that rule should have been followed anyway. More important for servers, where you often isolate services into users so an exploit in one service doesn't affect everything.[/QUOTE]
Companies probably too, since this allows an exploit sent per mail to target the whole network under certain circumstances iinm.
Yet another problem protected in full by Common Sense 2016.
Once again, exploits like this are typically coupled with 0days. Common sense, once again, does nothing to stop that. As soon as this comes to light, security software can quickly be updated to mitigate this. This is also assuming that AV vendors don't already hook the APC proc.
[editline]29th October 2016[/editline]
This isn't a privilege escalation exploit either, so it won't be able to get administrative access. It'll only be able to attach to processes it has access to (which can, for example, be a browser); but at that point you could set up a global key handler, or inject a DLL. Not as dangerous as expected.
(oh and it doesn't work on non-NT systems like w98 so nyeh)
[url=http://www.sandboxie.com/]Just protect yourself and never worry again.[/url]
[QUOTE=cwook;51278439]Yet another problem protected in full by Common Sense 2016.[/QUOTE]
"in full"
:v:
the only safe place is to disconnect the internet
or just actually keep physical copies of your passwords etc, like on a piece of paper
(i wish i could stand that tbh. i lose shit all the time, let alone some small scrap of hastily written shit i have to remember every time i use the computer)
[editline]29th October 2016[/editline]
sanity checking web pages when
[QUOTE=cwook;51278439]Yet another problem protected in full by Common Sense 2016.[/QUOTE]
Er, have you seen the US election this year? Common Sense 2016 needs some fucking updating, itself.
[QUOTE=lNloruzenchi;51279564]
or just actually keep physical copies of your passwords etc, like on a piece of paper
[/QUOTE]How will that help, since you still have to enter it digitally?
Looks like PE injection is gonna come back in a big way.
That means that shit like PDF files, once another inevitable bug is found, can infect your shit.
[QUOTE=Radical_ed;51279928]Looks like PE injection is gonna come back in a big way.
That means that shit like PDF files, once another inevitable bug is found, can infect your shit.[/QUOTE]
This can't really be used for PE injection
[QUOTE=Map in a box;51279985]This can't really be used for PE injection[/QUOTE]
It's undetectable priv escalation though, which means that any program can inject into any other.
[QUOTE=Radical_ed;51280043]It's undetectable priv escalation though, which means that any program can inject into any other.[/QUOTE]
It's not undetectable and it's not privilege escalation.
[QUOTE=Map in a box;51280051]It's not undetectable and it's not privilege escalation.[/QUOTE]
Unless I misunderstand the exploit, "atombombing" IS priv escalation.
[QUOTE=Radical_ed;51280096]Unless I misunderstand the exploit, "atombombing" IS priv escalation.[/QUOTE]
...but it's not
[editline]29th October 2016[/editline]
[url]http://www.codeproject.com/Articles/11777/InjLib-A-Library-that-implements-remote-code-injec[/url] uses similar methods
[editline]29th October 2016[/editline]
it's not even an exploit
[QUOTE=Map in a box;51280101]...but it's not
[editline]29th October 2016[/editline]
[url]http://www.codeproject.com/Articles/11777/InjLib-A-Library-that-implements-remote-code-injec[/url] uses similar methods
[editline]29th October 2016[/editline]
it's not even an exploit[/QUOTE]
Isn't it, though?
Being able to execute shellcode from a legitimate (privileged) process is escalation by proxy, because if the program that executes it is privileged, so is the shellcode.
[editline]29th October 2016[/editline]
If I have the entirely wrong idea please educate me, but that's what I'm getting from the article and a quick skim of the code.
just shut down the atoms
[QUOTE=Matthew0505;51278056]random_funny.exe could fuck your user data even without admin privileges so that rule should have been followed anyway. More important for servers, where you often isolate services into users so an exploit in one service doesn't affect everything.[/QUOTE]
by the way thanks for the new 16GB Windows to support Unicode files
[URL="https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/"]https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/[/URL]
[QUOTE=Radical_ed;51280172]Isn't it, though?
Being able to execute shellcode from a legitimate (privileged) process is escalation by proxy, because if the program that executes it is privileged, so is the shellcode.
[editline]29th October 2016[/editline]
If I have the entirely wrong idea please educate me, but that's what I'm getting from the article and a quick skim of the code.[/QUOTE]
You can't execute code from a privileged process without being privileged yourself without an escalation exploit.
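The boundary the last few posts are arguing about is an ordinary access check, and it can be measured rather than debated. Added example (not from the article or the repo): it asks the kernel, via the real kernel32 OpenProcess export, which running processes the current token may open with the access any memory-writing injection needs, and tallies the denials. Run it unelevated first and then from an elevated shell; the Denied list is the set of processes that no same-user injection technique, AtomBombing included, can reach without a genuine privilege escalation.

```powershell
# Added example, not code from the article or the AtomBombing repo.
# Which processes can this token open for memory writes? Run as the
# ordinary user first, then compare from an elevated shell.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$K32 = Add-Type -MemberDefinition $sig -Name ProcAccess -Namespace Win32 -PassThru

# The floor for any technique that writes code into another process:
# allocate / change protections (VM_OPERATION) and write (VM_WRITE).
$PROCESS_VM_OPERATION = 0x0008
$PROCESS_VM_WRITE     = 0x0020
$wanted = $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$results = foreach ($p in Get-Process) {
    $h   = $K32::OpenProcess($wanted, $false, [uint32]$p.Id)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $ok  = ($h -ne [IntPtr]::Zero)
    if ($ok) { $null = $K32::CloseHandle($h); $err = 0 }
    # err 5 = ERROR_ACCESS_DENIED (different owner, higher integrity level,
    # protected process); err 87 = ERROR_INVALID_PARAMETER (the Idle pseudo-process, pid 0)
    [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Writable = $ok; Error = $err }
}

"Token: $me"
'Writable: {0}   Denied: {1}' -f @($results | Where-Object Writable).Count,
                                @($results | Where-Object { -not $_.Writable }).Count

# Everything below is out of reach for this token without a separate
# escalation; everything not listed already runs as "you" and needs none.
$results | Where-Object { -not $_.Writable } |
    Sort-Object Name | Format-Table Pid, Name, Error -AutoSize
```

Reading the output: from an unelevated shell, services running as SYSTEM, elevated (High integrity) processes of your own account, other users' sessions and protected processes all come back as error 5, which is exactly the "it has to run locally already, and only touches processes it already has access to" point made earlier. A browser running at your own integrity level is in the Writable set, which is why it is the realistic target.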