4

If I open my web browser (for example Firefox) on Windows 7 with UAC activated, as a normal user (non-admin), a virus which uses a security hole in my browser will only get the privileges of the normal user who started the browser.

If the virus uses a hole in the Flash player, how is it possible for the virus to install itself deep in the system, in places where admin rights are necessary? Does the Flash player run with admin rights (while the browser runs only with user rights)?

If not, how is it possible for a virus to get deep into the system through a Flash player hole if it does not run with admin rights?

Jan Koester
  • 558
  • 3
  • 14
  • Through a privilege escalation exploit. Admin rights are needed to actually do a lot of things; a layer sits in between, with functions programs can use without admin rights to trigger actions which do require them. These layers are not flawless and have vulnerabilities in them, enabling them to be exploited to escalate the privileges of a process. – ewanm89 Jan 21 '13 at 00:03
  • Don't forget that **without** privilege elevation, all the stuff stored at user level (your personal stuff) is vulnerable!!! I think that personal stuff is more important than the OS, which could be reinstalled! – F. Hauri - Give Up GitHub Jan 21 '13 at 06:35

3 Answers

9

No virus is possible if the browser has no bug.

No escalation to admin rights is possible if the OS has no bugs.

Unfortunately, bugs happen... in both the OS and the browser. Vulnerabilities which allow a non-admin process to gain admin rights (e.g. this one) are rather common, and it is usually assumed that getting through the browser is the complex part, not obtaining admin rights. Also, with "only" the rights of the user who runs the browser, the malware can plunder your cookies and your data, and grab your site passwords when you type them; this is already quite damaging.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Even if the browser has no bug, but one of its plugins (like Flash or Java, for example) does have a bug, we could consider that the browser has a bug. – F. Hauri - Give Up GitHub Jan 21 '13 at 06:31
  • So would it be a good idea to use my web browser as another user? I could create a new user "forBrowsing" with no personal data in his home folder. A virus would then have nothing to grab from my computer, right? The only thing it could do is steal things from the browser session, like cookies. Passwords will be safe if they are sent encrypted and saved in the browser, so I will not be typing them? – Jan Koester Jan 21 '13 at 10:12
  • 1
    @JanKoester: if the browser sends the password, then, at some point, the browser _has_ the password somewhere in memory. If the browser was hijacked, then password retrieval by the virus is a possibility (although it would take a _competent_ virus). – Thomas Pornin Jan 21 '13 at 11:49
3

Depending on what the virus payload intends to do, admin escalation and OS infection are not even necessary for it to do its job. Lots of the things that crimeware is interested in happen in user space, so all you need is access to the user account and session to reap most banking transaction credentials and then contact command and control through HTTP/HTTPS.

If the creators want to root it in deeper, they either need to trick you into bypassing UAC or use exploits that enable them to break out of the attack vector of choice (Flash, Java, OS vulnerability) to either run shellcode with admin rights or buffer-overflow/stack-spray themselves into running code with system rights. Note that the vulnerable code need not be running as admin, system or a service; it merely has to have a vulnerability that does an end run around security.

Fiasco Labs
  • 1,557
  • 10
  • 12
0

An infection of a remote system - be it a browser that is browsing the wrong pages or a server that is hijacked through a malformed request - usually requires two steps. You have described the first: the browser needs to be buggy. See this related question.

The second step is called "privilege escalation". This usually refers to the process of "escalating" your OS privileges to local administrator or root. In some cases this is not required because the infected process already runs as admin/root. But you were specifically asking about what happens if the hijacked process has only limited privileges. There are numerous attack vectors for privilege escalation. Bugs in the OS are only one; I would say it is not the most important one. Here are some other popular ones (for Windows):

  • Poorly protected services (a very popular one: if the service is writable by everyone, you change the exe to one of your choice and change the user it runs as to "Local System")
  • Bugs in non-OS services that run with Local System rights (like device drivers; there are hundreds of examples of this one)
  • The famous c:\program files....\some exe thing. If the path is not quoted, the attacker can create c:\program.exe, and when the service is restarted, c:\program.exe is executed.
kaidentity
  • 2,634
  • 13
  • 30
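The following PowerShell audit is an added example and not code from any of the answers above. It checks a local machine for the first and third vectors kaidentity lists (a service binary or its directory writable by low-privilege users, and unquoted image paths containing spaces) by enumerating services, working out which files Windows would try before the real binary, and testing the file-system ACLs of each location. The list of "low-privilege" principals and the write-rights mask are assumptions chosen for illustration; the script only reads, so it can be run from an unprivileged prompt.

```powershell
# Added example (not from the original answers): audit local Windows services for
# writable binaries, writable binary directories and unquoted image paths.
# Read-only; run from a normal user prompt. On Windows 7 with PowerShell 2.0,
# replace Get-CimInstance with Get-WmiObject and [pscustomobject] with New-Object PSObject.

# Assumption: principals an unprivileged local attacker can act as.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a low-privilege user replace a file or drop one into a directory:
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4), Delete (0x10000),
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which Get-Acl reports
# as raw numbers when an ACE was written with generic rights.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

# Split a service PathName into the executable and whether it was quoted.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') {
        return @{ Path = $Matches[1]; Quoted = $true }
    }
    if ($PathName -match '^(.+?\.exe)(\s|$)') {
        return @{ Path = $Matches[1]; Quoted = $false }
    }
    return @{ Path = ($PathName -split '\s+')[0]; Quoted = $false }
}

# For an unquoted path containing spaces, the files CreateProcess tries before the
# real binary: for C:\Program Files\Some Vendor\svc.exe these are C:\Program.exe and
# C:\Program Files\Some.exe (.exe is only appended when the prefix has no extension).
function Get-HijackCandidates {
    param([string]$Path)
    $parts = $Path -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        if ([System.IO.Path]::GetExtension($prefix)) { $candidates += $prefix }
        else { $candidates += ($prefix + '.exe') }
    }
    return $candidates
}

function Find-WeakServices {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutable $svc.PathName
        $findings = @()
        if (Test-LowPrivWritable $exe.Path) { $findings += 'service binary writable' }
        $dir = Split-Path -Parent $exe.Path
        if ($dir -and (Test-LowPrivWritable $dir)) { $findings += 'binary directory writable' }
        if (-not $exe.Quoted -and $exe.Path -match ' ') {
            foreach ($c in Get-HijackCandidates $exe.Path) {
                $cdir = Split-Path -Parent $c
                if ($cdir -and (Test-LowPrivWritable $cdir)) {
                    $findings += "unquoted path, can plant $c"
                }
            }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                PathName = $svc.PathName
                Findings = ($findings -join '; ')
            }
        }
    }
}

Find-WeakServices | Format-Table -AutoSize -Wrap
```

Two caveats: the script only inspects file-system ACLs, so the other half of the first vector (rewriting the service's configuration to run as Local System) has to be checked against the service's own security descriptor, for example with `sc sdshow <name>`; and a hit in the RunsAs column of `LocalSystem` is what turns a writable path into a real escalation, since a service running as the same low-privilege user gains the attacker nothing.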