lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 2 Jun 2011 19:19:38 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: yati sagade <yati.sagade@...il.com>, Mitja Kolsek <mitja.kolsek@...os.si>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: COM Server-Based Binary Planting
 ProofOfConcept

I'll call you on that.  Set it up, send it out, and show us how many people IRL you can actually get this to be exploited on.   Your assumptions that the "majority" will fall because of "inherent casualness" has no basis whatsoever, and it just more blah-blah-windows-blah-blah crap from the Windows 95 days.

Seriously.  Put your money where your mouth is.

t

From: yati sagade [mailto:yati.sagade@...il.com]
Sent: Thursday, June 02, 2011 11:57 AM
To: Mitja Kolsek
Cc: Thor (Hammer of God); full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com; Dan Kaminsky
Subject: Re: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept

Hi,
Nice revelations here. what we need to understand here is that the majority of Windows users there *will* fall for the remote exploit because of their inherent casualness(some actually think that 7 is the nicest OS ever made). I appreciate the efforts taken in finding these exploits, especially on such a closed, undocumented system. Additionally , thanks for those amusing tricks with special folders.

keep up the good job.

regards,

yati
On Thu, Jun 2, 2011 at 9:51 PM, Mitja Kolsek <mitja.kolsek@...os.si<mailto:mitja.kolsek@...os.si>> wrote:

Thor, the "Online Proof of Concept" section of the blog post points you to a *remote*
exploit (without any warning) but let me repeat the link here:

http://www.binaryplanting.com/demo/XP_2-click/test.html

Visit this with IE8 on 32-bit Windows XP.

Please find further information here:

http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html
http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html

In general there are two types of remote binary planting exploits: SMB and WebDAV.
The former works inside (local) networks where firewalls block outbound SMB traffic.
WebDAV attacks work through firewalls too since many firewalls allow outbound WebDAV
traffic and Windows silently fall back to WebDAV if SMB doesn't work. If our online
remote exploit doesn't work for you, you can download the PoC locally and test it in
your local network.

I'll be happy to explain it to you further if need be.

Thanks,
Mitja


> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@...merofgod.com<mailto:thor@...merofgod.com>]
> Sent: Thursday, June 02, 2011 6:00 PM
> To: security@...ossecurity.com<mailto:security@...ossecurity.com>; 'Dan Kaminsky'
> Cc: full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>; bugtraq@...urityfocus.com<mailto:bugtraq@...urityfocus.com>
> Subject: RE: [Full-disclosure] COM Server-Based Binary
> Planting ProofOfConcept
>
> But it *is* worth mentioning that you have to create the
> malicious dll file, copy it to the system, create folders
> etc, and all the other mumbo jumbo to "exploit" this in the
> "default configuration."   So, the answer to Dan's question
> is actually, "no, you can't."  Which brings into question the
> actual "worth" of mentioning this in the first place. :)
>
> t
>
> > -----Original Message-----
> > From: full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk>
> > [mailto:full-disclosure-<mailto:full-disclosure-> bounces@...ts.grok.org.uk<mailto:bounces@...ts.grok.org.uk>] On
> Behalf Of ACROS
> > Security Lists
> > Sent: Thursday, June 02, 2011 8:42 AM
> > To: 'Dan Kaminsky'; security@...ossecurity.com<mailto:security@...ossecurity.com>
> > Cc: full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>; bugtraq@...urityfocus.com<mailto:bugtraq@...urityfocus.com>
> > Subject: Re: [Full-disclosure] COM Server-Based Binary
> Planting Proof
> > OfConcept
> >
> > It would hardly be worth mentioning otherwise.
> >
> > Cheers,
> > Mitja
> >
> > > -----Original Message-----
> > > From: full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk>
> > > [mailto:full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk>] On
> Behalf Of Dan
> > > Kaminsky
> > > Sent: Thursday, June 02, 2011 5:36 PM
> > > To: security@...ossecurity.com<mailto:security@...ossecurity.com>
> > > Cc: si-cert@...es.si<mailto:si-cert@...es.si>; full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>;
> > > bugtraq@...urityfocus.com<mailto:bugtraq@...urityfocus.com>; cert@...t.org<mailto:cert@...t.org>
> > > Subject: Re: [Full-disclosure] COM Server-Based Binary Planting
> > > Proof OfConcept
> > >
> > > Does this run code without prompting, on a reasonably default
> > > configuration?
> > >
> > > On Thu, Jun 2, 2011 at 7:52 AM, ACROS Security Lists
> > > <lists@...os.si<mailto:lists@...os.si>>
> > > wrote:
> > > >
> > > > We published a remote/local proof of concept for the COM
> > > Server-Based
> > > > Binary Planting exploit presented at the Hack in the Box
> > > conference in Amsterdam.
> > > >
> > > > Feel free to try it out online if WebDAV works through your
> > > firewall,
> > > > or download it and test it in your local network or simply
> > > on your computer.
> > > >
> > > >
> > >
> http://blog.acrossecurity.com/2011/06/com-server-based-binary-planti
> > > ng
> > > > -proof.html
> > > > or
> > > > http://bit.ly/iSxHKO
> > > >
> > > > Best regards,
> > > >
> > > > Mitja Kolsek
> > > > CEO&CTO
> > > >
> > > > ACROS, d.o.o.
> > > > Makedonska ulica 113
> > > > SI - 2000 Maribor, Slovenia
> > > > tel: +386 2 3000 280
> > > > fax: +386 2 3000 282
> > > > web: http://www.acrossecurity.com
> > > >
> > > > ACROS Security: Finding Your Digital Vulnerabilities Before
> > > Others Do
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ