Message-ID: <000b01c36cbd$23f4a440$2b02a8c0@dcopley>
Date: Wed, 27 Aug 2003 10:03:29 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "'Fabio Pietrosanti (naif)'" <fabio@...trosanti.it>,
"'BUGTRAQ'" <BUGTRAQ@...urityfocus.com>
Subject: RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
If you wish, you can deny any traffic using:
Content-Type: application/hta
The fact is even IIS does not have that content type built in, and it does not need it. Further, the need for anyone to legitimately download an HTML Application would be extremely rare. (This is not saying HTML Applications are useless.)
Object tags can have unsafe extensions in the data; for instance, base-64 encoded data is rather popular. (For whatever reason FrontPage automatically puts base-64 encoded data in some ActiveX.)
> -----Original Message-----
> From: Fabio Pietrosanti (naif) [mailto:fabio@...trosanti.it]
> Sent: Monday, August 25, 2003 2:45 AM
> To: BUGTRAQ
> Subject: Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
>
>
> On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
> > In case anyone needs a SNORT rule to catch attempts to exploit this vulnerability:
> >
> > #-----
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet
> > Explorer Object Data Remote Execution Vulnerability"; \
> > content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
> > nocase; flow:from_server, established; \
> > reference:cve,CAN-2003-0532; \
> > classtype:web-application-activity; rev:1;)
> > #-----
>
> This rule catches the response with the exploit's payload from
> the server, which may change depending on the exploit, so
> matching the CLSID of WSH does not detect the "vulnerability"
> being exploited but this specific exploit.
>
> Although there are many ways of exploiting this vuln without
> using the Windows Scripting Host, it's possible to use it in
> many ways, like:
>
> - VBScript
>
> CreateObject("WScript.Shell")
>
> - JavaScript
>
> new ActiveXObject("WScript.shell");
>
> or like in the demonstration with the <object> tag.
>
> The only way to detect it is to look at the data sent to the
> client being exploited (which can probably be bypassed with a
> fancy mhtml base64 encoded e-mail or with an e-mail with a
> link to a site available in https).
>
> For an effective signature we need a regexp that will catch
> everything that starts with <object, reach the field data= and
> look at the end of the string inside
> "" matching everything that's NOT an unsafe extension (.exe,
> .pif, .cab, etc.).
>
> In Perl it should be something like:
>
> /data="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/
> (tnx Md)
>
> Regards
>
> --
>
> Fabio Pietrosanti ( naif )
> E-mail: fabio@...trosanti.it - naif@...tpj.org - naif@...urezza.org
> PGP Key available on my homepage: http://fabio.pietrosanti.it/
--
Security is a state of being, not a state of budget. rfp
--
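The thread above proposes three detection angles: drop responses served as Content-Type application/hta, match the WSH CLSID as the Snort rule does, and inspect `<object data="...">` for unsafe extensions or base64 data. The following response inspector is an added example written for this page, not code from either poster or from eEye; it flags unsafe extensions directly instead of using naif's negative-lookahead form, and the extension list, the `.hta` addition and the sample responses are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Assumed unsafe-extension list: the ones named in the thread plus .hta (HTML Application).
UNSAFE_EXTENSIONS = {".exe", ".bat", ".pif", ".cab", ".scr", ".hta"}
# WSH CLSID quoted in the Snort rule above.
WSH_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"

# Pull the data= attribute out of any <object ...> tag (single or double quoted, any case).
OBJECT_TAG_RE = re.compile(r"<object\b[^>]*?\bdata\s*=\s*([\"'])(.*?)\1", re.I | re.S)
# data:[<mime>][;base64],<payload>
DATA_URI_RE = re.compile(r"^data:([^;,]*)(;base64)?,(.*)$", re.I | re.S)


def unsafe_extension(url):
    """Return the URL path's extension if it is in UNSAFE_EXTENSIONS, else None."""
    path = urlparse(url).path.lower()          # ignores ?query and #fragment
    dot = path.rfind(".")
    ext = path[dot:] if dot >= 0 else ""
    return ext if ext in UNSAFE_EXTENSIONS else None


def inspect_response(headers, body):
    """Return a list of findings for one HTTP response (headers as a dict, body as text)."""
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "application/hta":
        findings.append("content-type application/hta")
    if WSH_CLSID.lower() in body.lower():
        findings.append("WSH CLSID in body")
    for _quote, data in OBJECT_TAG_RE.findall(body):
        m = DATA_URI_RE.match(data.strip())
        if m:                                   # inline data: URI, the base64 case Drew mentions
            mime, is_b64, payload = m.groups()
            if mime.strip().lower() == "application/hta":
                findings.append("object data: URI with application/hta")
            elif is_b64:
                try:
                    decoded = base64.b64decode(payload, validate=False).lower()
                except ValueError:              # malformed base64: still worth a look
                    decoded = b""
                if b"<script" in decoded or b"<hta:application" in decoded:
                    findings.append("object data: base64 payload contains script/HTA markup")
                else:
                    findings.append("object data: base64 URI (inspect)")
        else:
            ext = unsafe_extension(data)
            if ext:
                findings.append(f"object data= points at {ext} file")
    return findings
```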