
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

As you might guess, the trust level increases and security restrictions are relaxed as you progress
along the zone list. Scripting and safe-for-scripting ActiveX controls are allowed in the
Internet zone, but IE won't pass NTLM authentication credentials. Sites loaded in the
Intranet zone are assumed to have some level of trust, and some security restrictions
are relaxed, enabling Intranet line-of-business applications to work. The Local Machine
zone (LMZ) is where things get really interesting to the attacker, though.
Before Windows XP Service Pack 2, web pages loaded in the LMZ could run unsigned
or unsafe ActiveX controls, could run Java applets without prompt, and could run all
kinds of super dangerous stuff that attackers would love to be able to do from their attack
web page. It was basically trivial for attackers to install malware onto a victim workstation
if they could get their web page loaded in the LMZ. These attacks were called zone elevation
attacks, and their goal was to jump cross-zone (from the Internet zone to the Local
Machine zone, for instance) to run scripts with fewer security restrictions. As we look next
at real-world client-side attack examples, you will understand why attackers would try so
hard and jump through so many hoops to get an attack web page loaded in the LMZ.

