Friday, May 13, 2005

Time for me to find a new line of work

Ran across "Post-Exploitation on Windows using ActiveX Controls", linked from Slashdot.

Boiled down to the most basic principles, it reads as "we're all screwed":

When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS.


The only viable defense against this attack is to have total control over the desktop, and I have yet to find a large corporation where locking down the desktop to the extent required would be politically viable.
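As an added example (not code from the Uninformed paper or from this post), here is a PowerShell audit of the two conditions the described technique depends on: ActiveX being enabled in the Internet Explorer Internet zone, and that per-user zone setting actually being honoured rather than overridden by machine-wide policy. The registry locations, value names and policy name used below (the `Zones\3` key for the Internet zone, value `1200` for "Run ActiveX controls and plug-ins", value `1201` for "Initialize and script ActiveX controls not marked as safe", the 0/1/3 encoding, and `Security_HKLM_only`) are my assumptions about the standard Internet Explorer layout, not facts stated in the post; the cmdlets are modern PowerShell, which did not exist when this was written.

```powershell
# Added example, not from the paper or the post. Audits the IE zone settings the
# described payload has to change, and offers the lockdown the post says is the
# only viable defense. Assumed (not confirmed by the post):
#   Zones\3            = Internet zone
#   value 1200         = "Run ActiveX controls and plug-ins"
#   value 1201         = "Initialize and script ActiveX controls not marked as safe"
#   0 / 1 / 3          = Enable / Prompt / Disable
#   Security_HKLM_only = 1 under the policy key makes IE use only the HKLM zone
#                        settings, so a per-user (HKCU) change has no effect.

$ZoneValueNames = @{ '1200' = 'Run ActiveX controls and plug-ins'
                     '1201' = 'Initialize and script ActiveX not marked safe' }
$Setting   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IeZoneActiveXState {
    # Returns one row per hive/value with the raw DWORD and its decoded meaning.
    param([int]$Zone = 3)   # 3 = Internet zone (assumption above)
    $results = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
        foreach ($name in $ZoneValueNames.Keys) {
            $raw = $null
            if (Test-Path $key) {
                $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($null -eq $raw)                       { $state = 'not set' }
            elseif ($Setting.ContainsKey([int]$raw))  { $state = $Setting[[int]$raw] }
            else                                      { $state = "unknown ($raw)" }
            $results += [pscustomobject]@{
                Hive = $hive; Zone = $Zone; Value = $name
                Meaning = $ZoneValueNames[$name]; Raw = $raw; State = $state
            }
        }
    }
    return $results
}

function Test-IeMachineOnlyZones {
    # $true when policy forces machine-wide zone settings (per-user edits ignored).
    $v = (Get-ItemProperty -Path $PolicyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
    return ($v -eq 1)
}

function Test-IeActiveXExposed {
    # The path described in the post needs ActiveX enabled (0) in the Internet
    # zone, in a hive IE will actually consult.
    $state          = Get-IeZoneActiveXState -Zone 3
    $userEnabled    = $state | Where-Object { $_.Hive -eq 'HKCU' -and $_.Raw -eq 0 }
    $machineEnabled = $state | Where-Object { $_.Hive -eq 'HKLM' -and $_.Raw -eq 0 }
    if (Test-IeMachineOnlyZones) { return [bool]$machineEnabled }
    return [bool]($userEnabled -or $machineEnabled)
}

function Set-IeZoneLockdown {
    # Hardening half: disable ActiveX in the machine-wide Internet zone and make
    # IE ignore per-user zone settings. Run elevated; -WhatIf previews the writes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $zoneKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($path in $zoneKey, $PolicyKey) {
        if (-not (Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Create key')) {
            New-Item -Path $path -Force | Out-Null
        }
    }
    foreach ($name in $ZoneValueNames.Keys) {
        if ($PSCmdlet.ShouldProcess("$zoneKey\$name", 'Set to 3 (Disable)')) {
            Set-ItemProperty -Path $zoneKey -Name $name -Value 3 -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\Security_HKLM_only", 'Set to 1')) {
        Set-ItemProperty -Path $PolicyKey -Name 'Security_HKLM_only' -Value 1 -Type DWord
    }
}

# Usage: audit first; preview the lockdown with -WhatIf before applying it.
Get-IeZoneActiveXState | Format-Table Hive, Value, Meaning, State -AutoSize
"Machine-only zone settings enforced: $(Test-IeMachineOnlyZones)"
"ActiveX reachable from the Internet zone: $(Test-IeActiveXExposed)"
# Set-IeZoneLockdown -WhatIf
```

The audit is the useful part for a fleet: a per-user `Enable` on value `1200` in the Internet zone where `Security_HKLM_only` is not set is exactly the state the quoted abstract describes the payload creating, so a scheduled run of `Test-IeActiveXExposed` across desktops gives a detection signal as well as a compliance check. The lockdown function is the "total control over the desktop" the post refers to, expressed as registry policy; in practice the same values are pushed through Group Policy rather than a script.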
