lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Jan 27 00:26:11 2006
From: yossarian at planet.nl (yossarian)
Subject: Re: [security] What A Click! [Internet Explorer]

There is an easy trick to avoid a .HTA related 'thingie' such as this one: 
tell your windows to open .HTA files in notepad.  It broke the beautifull 
PoC I guess, had it in place as long as this particular machine (2 years or 
so), it never broke anything before.

Second hint for people protecting lusers: design a nice corporate colors 
standard theme and disable the standard theme. Exit this kind of attack 
(since there are more ways to cover windows with malicious lookalikes).

regards,

yossarian

----- Original Message ----- 
From: "mikx" <mikx@...x.de>
To: <full-disclosure@...ts.grok.org.uk>
Cc: <bugtraq@...urityfocus.com>
Sent: Tuesday, January 24, 2006 8:06 PM
Subject: [security] What A Click! [Internet Explorer]


> It's now almost 18 months ago that i posted my first security advisory 
> "What A Drag! -revisited-", seems to be a good time to post "What A 
> Click!".
>
> Both bugs had about the same exploit potential, but i assume this one will 
> have far less impact and media response (which i consider a great thing 
> for various reasons). Thanks to everybody who researched, worked, chatted, 
> discussed and got drunk with me in the last months to make this change 
> happen - you know who you are.
>
> __Summary
>
> Using custom Microsoft Agent characters it is possible to cover any kind 
> of windows, including security or download dialogs. This is an expected 
> feature of the Microsoft Agent control. To quote the product homepage: 
> "Animations are drawn on top of any underlying application window, 
> characters are not bounded within their own, separate window" 
> (http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom 
> characters can be created with tools downloadable from that homepage.
>
> Because custom characters are fully scriptable, can have any kind of shape 
> and are downloaded automaticly, this can be used as a flexible tool to 
> cover and/or spoof any kind of window and lure the user to execute 
> arbitrary code by performing one or two clicks (depening on security zone 
> configuration and Windows version).
>
> __Proof-of-Concept
>
> http://www.mikx.de/fireclicking/
>
> The PoC is designed for Internet Explorer 6 on Windows XP SP2 in Windows 
> classic theme. By clicking on the button in the upper left corner you 
> start the download of a hta file. The download dialog gets covered by a 
> Microsoft Agent character which fakes a button (basicly a large white 
> image with a button border in the middle). Move the character by dragging 
> to see how it uses a "transparent spot" to make room for clicking on the 
> underlying dialog through the button space. Transparent areas in 
> characters are really "not there", meaning you can click through them.
>
> When you click that button you execute arbitraty code in the hta file, in 
> this case you create the folder "c:\booom!". The button in the upper left 
> corner is only need to get around the "drive by download" protection of 
> Windows. When this protection is not in place (e.g. on Windows 2000) this 
> PoC could be reduced to a single click interaction to execute arbitrary 
> code.
>
> __Status
>
> The bug got fixed as part of the Microsoft Security Bulletin MS05-032 
> (yeah, last summer).
>
> The patch adds an additional security dialog before loading a custom agent 
> character. Be aware that in trusted zones that dialog might not raise.
>
> 2004-10-04 Vendor informed
> 2004-10-06 Vendor opened case, could not repro
> 2004-10-06 Vendor got new testcase
> 2004-10-12 Vendor confirmed bug
> 2005-06-14 Vendor relased patch and advisory
> 2006-01-22 Public disclosure
>
> __Affected Software
>
> Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003 with 
> different severity. See Microsoft Security Bulletin MS05-032 for details.
>
> __Contact
>
> Michael Krax <mikx@...x.de>
> http://www.mikx.de/
>
> mikx
>
>
> _______________________________________________
> Get your free port scan here: http://www.seifried.org/freescan2/
>
> security mailing list
> security@...ts.seifried.org
> https://lists.seifried.org/mailman/listinfo/security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ