Date: Mon, 25 Aug 2003 11:44:58 +0200
From: "Fabio Pietrosanti (naif)" <fabio@...trosanti.it>
To: BUGTRAQ <BUGTRAQ@...urityfocus.com>
Subject: Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability


On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
>   In case anyone needs a SNORT rule to catch attempts to exploit this 
> vulnerability:
> 
> #-----
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet Explorer Object Data Remote Execution Vulnerability"; \
>         content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
>         nocase; flow:from_server,established; \
>         reference:cve,CAN-2003-0532; \
>         classtype:web-application-activity; rev:1;)
> #-----

This rule catches the response with the exploit's payload from the server, which
may change depending on the exploit, so matching the CLSID of WSH does not
detect the "vulnerability" being exploited but only this specific exploit.

Although there are many ways of exploiting this vuln without using the Windows
Scripting Host, it's possible to use it in many ways, like:

- VBScript

   CreateObject("WScript.Shell")

- JavaScript  

  new ActiveXObject("WScript.shell"); 

or, like in the demonstration, with the <object> tag.

The only way to detect it is to look at the data sent by the client being
exploited (which can probably be bypassed with a fancy MHTML base64-encoded e-mail
or with an e-mail containing a link to a site available over HTTPS).

For an effective signature we need a regexp that will catch everything
that starts with <object, reaches the field data= and looks at the end of the string inside
"" matching everything that's NOT an unsafe extension (.exe, .pif, .cab, etc., etc.).

In Perl it should be something like:

/data="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/   ( tnx Md )

Regards

--

Fabio Pietrosanti ( naif )
E-mail: fabio@...trosanti.it - naif@...tpj.org - naif@...urezza.org
PGP Key available on my homepage: http://fabio.pietrosanti.it/
--
Security is a state of being, not a state of budget. rfp 
--
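Added example, not part of the original post or thread: it runs the two detections discussed in this message (the CLSID match of the quoted Snort rule and the <object data=...> regexp) over constructed response bodies, and shows why the regexp as posted still matches a .exe URL: "[^"]+\." can backtrack to an earlier dot in the URL, so the negative lookahead never sees the real extension. The exclusion list and the sample bodies are assumptions.

```python
import re

# Assumed exclusion list: the post writes "exe|bat|pif|cab|scr|etc|etc|antani";
# the placeholder words are dropped here.
EXCLUDED = "exe|bat|pif|cab|scr"

# The regexp from the post as written (with "date=" read as "data="). The
# greedy "[^"]+\." may backtrack to an EARLIER dot in the URL (e.g. the one in
# the host name), so the lookahead is evaluated against "invalid/..." instead
# of "exe", and a .exe target is still matched.
POSTED_RE = re.compile(r'data="[^"]+\.(?!' + EXCLUDED + r')([^"])+?"', re.IGNORECASE)

# Hardened form: anchored on the <object tag, the lookahead requires the
# excluded extension to run up to the closing quote, and the captured
# extension may not contain "." or "/", so only the final dot can match.
HARDENED_RE = re.compile(
    r'<object\b[^>]*?\bdata="[^"]*\.(?!(?:' + EXCLUDED + r')")([^"./]*)"',
    re.IGNORECASE,
)

# CLSID of the WSH Shell object: the string the quoted Snort rule looks for.
WSH_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"


def posted_regex_matches(html):
    """True if the regexp from the post (as written) fires on this body."""
    return POSTED_RE.search(html) is not None


def hardened_extensions(html):
    """Extensions of <object data=...> targets flagged by the hardened regexp."""
    # Drop a trailing query string so "php?x=1" reports as "php".
    return [m.group(1).split("?", 1)[0].lower() for m in HARDENED_RE.finditer(html)]


def clsid_present(html):
    """What the quoted Snort rule detects: the WSH Shell CLSID in the response."""
    return WSH_SHELL_CLSID.lower() in html.lower()


# Constructed sample response bodies (not real pages).
BODY_CLSID = '<object classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>'
BODY_NO_CLSID = '<html><object data="http://example.invalid/page.php"></object></html>'
BODY_EXE = '<object data="http://example.invalid/tools/setup.exe"></object>'

if __name__ == "__main__":
    for name, body in [("clsid", BODY_CLSID), ("no_clsid", BODY_NO_CLSID), ("exe", BODY_EXE)]:
        print(name, clsid_present(body), posted_regex_matches(body), hardened_extensions(body))
```

The second body carries no WSH CLSID, so only the <object data=...> regexp sees it; the third shows the posted regexp firing on a .exe target that its lookahead was meant to exclude.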

