
Thread: Privileges given to your web browser

  1. #1 Virchanza (Very good friend of the forum; Join Date Jan 2010; Posts 863)

    Privileges given to your web browser

    A lot of people will advise you not to run programs such as web browsers and media players as root, reason being that if the program is exploited, the hacker has full access to your system.

    However, if you run these programs as a normal user, there's still one very big problem: The program has full access to your home folder.

    Now I don't know about anyone else, but the most valuable thing on my machine is my home folder. You could wipe all my applications, all my settings, my entire operating system, and I'll be able to replace it all within a day or two. My home folder however is valuable. I back it up from time to time, but still there's always gonna be stuff that I don't wanna lose.

    So with that said, I think something like a web browser should be run as a different user which doesn't have access to your home folder. That way, even if the program gets exploited, there's not too much it can do.

    Has anyone ever played around with this before?
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
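    Running the browser under a separate account, as the post proposes, can be set up on Linux with a short script. The following is an added example and not code from the thread; it assumes GNU coreutils, sudo and an X11 session, and the account name webuser, the shared download directory /srv/webdownloads and the browser command are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: run a browser under a dedicated
# unprivileged account so that, if it is exploited, it cannot read the
# real user's home directory. Assumes a Linux host with GNU coreutils,
# sudo and an X11 session; the account name "webuser", the directory
# /srv/webdownloads and the browser command are placeholders.

# Return 0 when DIR grants no permission bits to group or others, so a
# process running under a different account cannot list or read it.
home_is_private() {
    dir="$1"
    mode=$(stat -c '%a' "$dir") || return 2
    # keep the last two octal digits (group and other), e.g. 700 -> 00
    gobits=${mode#"${mode%??}"}
    [ "$gobits" = "00" ]
}

# One-time setup, run as root via sudo: create the sandbox account, lock
# down the invoking user's home, and create a shared download directory.
setup_browser_user() {
    user="$1"
    real_user="${SUDO_USER:-$USER}"
    real_home=$(getent passwd "$real_user" | cut -d: -f6)
    id "$user" >/dev/null 2>&1 || useradd -m -s /usr/sbin/nologin "$user"
    # a default home mode of 755 leaves everything readable to the sandbox
    chmod 700 "$real_home"
    home_is_private "$real_home" || { echo "could not lock down $real_home" >&2; return 1; }
    # downloads land here, not in the real home; setgid keeps group "$user"
    install -d -m 2770 -o "$real_user" -g "$user" /srv/webdownloads
    usermod -aG "$user" "$real_user"
}

# Launch the browser as the sandbox account on the current X display.
run_browser_as() {
    user="$1"; shift
    # X11 is not a security boundary between clients: this only lets the
    # sandbox account connect to the display at all.
    xhost "+SI:localuser:$user" >/dev/null
    sudo -u "$user" -H env DISPLAY="$DISPLAY" "$@"
}

case "${1:-}" in
    setup) setup_browser_user webuser ;;
    run)   run_browser_as webuser firefox ;;
esac
```

    home_is_private is the check worth keeping: most distributions create homes with mode 755, which leaves the whole directory readable to the sandbox account, so the setup step refuses to continue unless the mode is 700. The sandbox account can still read anything world-readable and, under X11, can observe other clients on the same display, so this confines file access rather than the whole session; the real user has to log in again after being added to the webuser group before the shared download directory is usable.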

  2. #2 KMDave (Moderator; Join Date Jan 2010; Posts 2,281)

    Did you look into setting up a jailed environment?
    Tiocfaidh ár lá

  3. #3 lupin (Super Moderator; Join Date Jan 2010; Posts 2,943)

    Quote Originally Posted by Virchanza:
    A lot of people will advise you not to run programs such as web browsers and media players as root, reason being that if the program is exploited, the hacker has full access to your system.

    However, if you run these programs as a normal user, there's still one very big problem: The program has full access to your home folder.

    Now I don't know about anyone else, but the most valuable thing on my machine is my home folder. You could wipe all my applications, all my settings, my entire operating system, and I'll be able to replace it all within a day or two. My home folder however is valuable. I back it up from time to time, but still there's always gonna be stuff that I don't wanna lose.

    So with that said, I think something like a web browser should be run as a different user which doesn't have access to your home folder. That way, even if the program gets exploited, there's not too much it can do.

    Has anyone ever played around with this before?
    One suggested method to get around this that I have heard of is to use a browser virtual appliance, e.g.

    Browser Appliance | Virtual Appliance Marketplace


    Of course this is really just running a new OS in a VM and browsing in that VM.

    Using a jail as KMDave suggested is also good.

    In Windows there are various process control tools that can be used to define what particular applications can do (e.g. what registry access it can perform, what files it can write to, etc). It's been a while since I looked at this, but I think the app I was doing this with was WinPooch?

    I don't know if there is a Linux equivalent to that, but you may want to investigate Linux Host Based Intrusion Prevention/Detection systems to see if they will fit the bill for controlling what the browser process can access.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  4. #4 Junior Member (Join Date Apr 2009; Posts 43)

    For those interested in Windows process control tools I would suggest checking out Sandboxie

    "Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer."

  5. #5 HitThemLow (Junior Member; Join Date Jan 2010; Location Canada; Posts 84)

    Quote Originally Posted by KMDave:
    Did you look into setting up a jailed environment?
    There's a big problem with that: every jail has its flaws. I know a guy who set up like 90% of his system in an almost flawless chroot jail, all run as a secondary user, etc. I would have thought it close to impossible to get into. Until we found a flaw one day... which would have resulted in anyone spawning a root shell....

    Anyway, the point of that story is, a jail is good, but it shouldn't be your only protection. Regular backups trump an army of HIDS and firewalls every day (reverse connection, of course).

  6. #6 lupin (Super Moderator; Join Date Jan 2010; Posts 2,943)

    Quote Originally Posted by HitThemLow:
    There's a big problem with that: every jail has its flaws. I know a guy who set up like 90% of his system in an almost flawless chroot jail, all run as a secondary user, etc. I would have thought it close to impossible to get into. Until we found a flaw one day... which would have resulted in anyone spawning a root shell....

    Anyway, the point of that story is, a jail is good, but it shouldn't be your only protection. Regular backups trump an army of HIDS and firewalls every day (reverse connection, of course).
    Yes, no protection mechanism is perfect. Certain Linux exploits will allow you to break a chroot jail (I believe the udev privilege escalation exploit made public earlier this year can do that), other exploits will allow you to escape from a VM (Immunity's Cloudburst), and I'm sure there are ways around HIDS too. A layered defense is required.

    And yes, backups are one of the most important things you can do, but I don't necessarily think they can be described as trumping firewalls and HIDS; their purposes are too different to allow a comparison. You probably didn't mean that backups can be used instead of a firewall or HIDS, but just in case anyone else gets the impression that that's appropriate....

  7. #7 HitThemLow (Junior Member; Join Date Jan 2010; Location Canada; Posts 84)

    Quote Originally Posted by lupin:
    And yes, backups are one of the most important things you can do, but I don't necessarily think they can be described as trumping firewalls and HIDS; their purposes are too different to allow a comparison. You probably didn't mean that backups can be used instead of a firewall or HIDS, but just in case anyone else gets the impression that that's appropriate....
    No, not at all what I meant, but I for one know any idiot (well, OK, not ANY idiot, but a lot) can get through firewalls, even with no mapped ports. HIDS is a bit harder, but possible. But a proper backup system is almost impossible to track down and destroy them all. And in the very worst case, it prolongs the time you have to shut him/her down by hours.

    But when I say proper backups, I mean a reverse connecting system, where the backup machine connects to the server, then the logs are cleaned afterwards, leaving it almost spotless. I even saw one that was compiled right into the kernel so no one could even see when it was happening. I don't expect most people to do that, but it was awesome nonetheless.

  8. #8 lupin (Super Moderator; Join Date Jan 2010; Posts 2,943)

    Quote Originally Posted by HitThemLow:
    I for one know any idiot (well ok not ANY idiot, but alot) can get through firewalls, even with no mapped ports.
    If any idiot (or even many idiots) can get through it, the firewall rules probably need to be specified better. Proper filtering on outgoing connections (restricting allowed outbound traffic to what can be controlled) and proxying allowed outbound ports using a decent content inspecting device at least brings things to the level where it takes more than an idiot to get past it.

    An example - all outbound traffic denied by default, you only allow SMTP outgoing from your email server, DNS requests are only allowed outbound from your DNS server and web traffic has to go through a decent web filter that whitelists or inspects inside https and performs content checking on http/ftp traffic, blocking executables, binary content, etc. Using a proper proxy device can severely restrict the ability to tunnel out using the CONNECT method or http encapsulation tunneling (httptunnel).

    Quote Originally Posted by HitThemLow:
    I even saw one that was compiled right into the kernel so no one could even see when it was happening. I don't expect most people to do that, but it was awesome nonetheless.
    Very cool. Perhaps overkill, but I respect that level of healthy paranoia. Would be a pain having to recompile the kernel whenever you needed to change configuration though (unless the config files were in the filesystem, but then there's a way to detect it...)
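    The policy lupin sketches (deny outbound by default, SMTP only from the mail server, DNS only from the resolver, web and FTP only from an inspecting proxy) written out as a gateway ruleset. This is an added example in nftables syntax, not configuration from the thread or from any product it mentions; it assumes a Linux gateway with the nft binary, and the addresses, interface name and proxy host are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny egress ruleset for a
# Linux gateway, in nftables syntax. Addresses and the interface name are
# placeholders (TEST-NET-1); the apply step needs root and an nft binary.

MAIL_SERVER="192.0.2.10"   # placeholder: the only host allowed to send SMTP
DNS_SERVER="192.0.2.53"    # placeholder: the only host allowed outbound DNS
PROXY_SERVER="192.0.2.80"  # placeholder: content-inspecting web/ftp proxy
LAN_IF="eth1"              # placeholder: internal-facing interface

# Emit the ruleset. Everything routed from the LAN is dropped unless it
# matches one of the narrow allow rules, and drops are logged so attempted
# tunnelling from a compromised client shows up in the logs.
egress_ruleset() {
    cat <<EOF
table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # mail relay is the only host that may speak SMTP to the Internet
        iifname "$LAN_IF" ip saddr $MAIL_SERVER tcp dport 25 accept
        # resolver is the only host that may query external DNS
        iifname "$LAN_IF" ip saddr $DNS_SERVER udp dport 53 accept
        iifname "$LAN_IF" ip saddr $DNS_SERVER tcp dport 53 accept
        # web and ftp leave only from the inspecting proxy, so clients
        # cannot CONNECT or encapsulate traffic directly to the Internet
        iifname "$LAN_IF" ip saddr $PROXY_SERVER tcp dport { 21, 80, 443 } accept
        # anything else from the LAN is logged and dropped
        iifname "$LAN_IF" log prefix "egress-drop: " drop
    }
}
EOF
}

# Parse the ruleset without loading it (nft --check).
check_egress_ruleset() { egress_ruleset | nft -c -f -; }

# Load the ruleset (run as root).
apply_egress_ruleset() { egress_ruleset | nft -f -; }

case "${1:-}" in
    show)  egress_ruleset ;;
    check) check_egress_ruleset ;;
    apply) apply_egress_ruleset ;;
esac
```

    The forward chain only covers traffic routed through the gateway; the gateway's own outbound traffic would need the same treatment in an output chain. The log line at the end is the detection half of the policy: a client that suddenly produces egress-drop entries for port 443 or 53 is either misconfigured or trying to reach out around the proxy.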

  9. #9 HitThemLow (Junior Member; Join Date Jan 2010; Location Canada; Posts 84)

    Quote Originally Posted by lupin:
    If any idiot (or even many idiots) can get through it, the firewall rules probably need to be specified better. Proper filtering on outgoing connections (restricting allowed outbound traffic to what can be controlled) and proxying allowed outbound ports using a decent content inspecting device at least brings things to the level where it takes more than an idiot to get past it.
    Yes a network like that would be hard for an idiot to get through, however, I want you to honestly tell me how many networks you have seen with that kind of security.

    Quote Originally Posted by lupin:
    An example - all outbound traffic denied by default, you only allow SMTP outgoing from your email server, DNS requests are only allowed outbound from your DNS server and web traffic has to go through a decent web filter that whitelists or inspects inside https and performs content checking on http/ftp traffic, blocking executables, binary content, etc. Using a proper proxy device can severely restrict the ability to tunnel out using the CONNECT method or http encapsulation tunneling (httptunnel).
    Again, how many have you seen like that? I'm not saying that all firewalls can be bypassed. But I sometimes want to hit my head off my wall at the amount that respond to an ICMP Quench or redirect. Or worse, the amount of ways to utterly destroy the bigger routers with certain BGP and RIP transmissions.

    But I think inter-router protocols are a bit over the top for this thread.

    Oh, and to quickly mention something I found hilarious: during a recent test (consented, of course) I found myself in a really tight chmod jail, I mean it was REALLY TIGHT. After about... oh, I don't know... three hours of scouring the commands I had output (I always output them to a file so I don't make more logs to clean up) I found that although /etc was a no-go, one of its children had better access than it... God knows how it happened, slip of the r key or w/e. But I ended up hitting myself since I had read/write to a very nice file I like to call /etc/inetd.conf. Took all of 15 seconds to gain root once I knew the vuln was there D:

    Quote Originally Posted by lupin:
    Very cool. Perhaps overkill, but I respect that level of healthy paranoia. Would be a pain having to recompile the kernel whenever you needed to change configuration though (unless the config files were in the filesystem, but then there's a way to detect it...)
    I can't remember exactly, but from what I do, it didn't have a conf file. What it did was listen for a specially forged packet containing everything it needed to know; it was some random reserved Type and Code in an ICMP datagram. The packet contained (encrypted, of course) what it needed to connect to and what they were coming for. From what I remember, it was completely transparent except for when it did its backups, on both machines. And even that would be a **** to break since he used some special checksum/encryption that wasn't standard.

    Yeah, he was paranoid, but I swear, his machine was like asbestos is to flame. Un(hack/burn)able except when the world is ending.

  10. #10 lupin (Super Moderator; Join Date Jan 2010; Posts 2,943)

    Quote Originally Posted by HitThemLow:
    Yes a network like that would be hard for an idiot to get through, however, I want you to honestly tell me how many networks you have seen with that kind of security.
    My office network does, and I'd suspect many of the clients of our secure gateway provider do (mostly Australian Federal Government). My home network does too, but then again I'm paranoid.

    Outside of that, maybe not too many, but it's asking for trouble in this day and age if you don't lock down your firewall in this way, in my opinion...

    Quote Originally Posted by HitThemLow:
    Oh, and to quickly mention something I found hilarious: during a recent test (consented, of course) I found myself in a really tight chmod jail, I mean it was REALLY TIGHT. After about... oh, I don't know... three hours of scouring the commands I had output (I always output them to a file so I don't make more logs to clean up) I found that although /etc was a no-go, one of its children had better access than it... God knows how it happened, slip of the r key or w/e. But I ended up hitting myself since I had read/write to a very nice file I like to call /etc/inetd.conf. Took all of 15 seconds to gain root once I knew the vuln was there D:
    Yes that will do it. Kind of makes a jail pointless if you do that...


    Quote Originally Posted by HitThemLow:
    I can't remember exactly, but from what I do, it didn't have a conf file. What it did was listen for a specially forged packet containing everything it needed to know; it was some random reserved Type and Code in an ICMP datagram. The packet contained (encrypted, of course) what it needed to connect to and what they were coming for. From what I remember, it was completely transparent except for when it did its backups, on both machines. And even that would be a **** to break since he used some special checksum/encryption that wasn't standard.

    Yeah, he was paranoid, but I swear, his machine was like asbestos is to flame. Un(hack/burn)able except when the world is ending.
    Undoubtedly cool, but sounds like it would be a bitch to maintain though. The company would be in trouble if that guy got hit by a truck.
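    The mistake described in post #9 and acknowledged above (a configuration file under the jail's /etc that the jailed account could write) is exactly what a periodic permission audit of the jail catches before anyone else does. The following is an added example, not from the thread: it lists every file or directory under JAIL/etc that is group- or world-writable and exits non-zero when it finds any, so it can run from cron. It assumes GNU find; the jail path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: audit a chroot jail for configuration
# entries the jailed account could modify. Inside a jail, everything under
# etc should be writable by root only; a group- or world-writable file or
# directory there is the kind of slip that turns the jail into a root shell.
# Assumes GNU find; the jail path given on the command line is a placeholder.

# Print, sorted, every file or directory under JAIL/etc with a group-write
# or other-write bit set. Directories are included because write access to
# a directory allows replacing the files inside it.
jail_writable_configs() {
    jail="$1"
    find "$jail/etc" \( -type f -o -type d \) -perm /g+w,o+w | sort
}

# Report findings; return 1 when anything is writable so a scheduler or
# monitoring job can alert on the non-zero exit status.
audit_jail() {
    jail="$1"
    found=$(jail_writable_configs "$jail")
    if [ -n "$found" ]; then
        printf 'group/world-writable entries under %s/etc:\n%s\n' "$jail" "$found"
        return 1
    fi
    printf 'no group/world-writable entries under %s/etc\n' "$jail"
}

# Usage: ./audit_jail.sh /srv/jail   (path is a placeholder)
if [ "$#" -ge 1 ]; then
    audit_jail "$1"
fi
```

    The check deliberately covers directories as well as files: a read-only /etc/inetd.conf inside a writable /etc can simply be renamed and replaced, which is the same outcome the post describes. Running the audit after every change to the jail, not just once at build time, is what keeps a later "slip of the r key" from going unnoticed.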
