Message-ID: <000301c37973$7105eec0$2b02a8c0@dcopley>
Date: Fri, 12 Sep 2003 14:18:41 -0700
From: "Drew Copley" <dcopley@...e.com>
To: <cjclark@...m.mit.edu>
Cc: "'Nathan Wallwork'" <owen@...gent.org>,
   "'GreyMagic Software'" <security@...ymagic.com>,
   "'Bugtraq'" <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <http-equiv@...ite.com>, "'NTBugtraq'" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
   <vulnwatch@...nwatch.org>
Subject: RE: BAD NEWS: Microsoft Security Bulletin MS03-032
> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@...cast.net] 
> Sent: Friday, September 12, 2003 2:00 PM
> To: Drew Copley
> Cc: 'Nathan Wallwork'; 'GreyMagic Software'; 'Bugtraq'; 
> full-disclosure@...ts.netsys.com; http-equiv@...ite.com; 
> 'NTBugtraq'; vulnwatch@...nwatch.org
> Subject: Re: BAD NEWS: Microsoft Security Bulletin MS03-032
> 
> 
> On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote:
> > > -----Original Message-----
> > > From: Nathan Wallwork [mailto:owen@...gent.org]
> > > Sent: Tuesday, September 09, 2003 1:18 PM
> > > 
> > > On Mon, 8 Sep 2003, Drew Copley wrote:
> > > > The only sure way to detect this, I already wrote about [to
> > > Bugtraq].
> > > > That is by setting a firewall rule which blocks the
> > > dangerous mimetype
> > > > string
> > > > [Content-Type: application/hta]. Everything else in the
> > > exploit can change.
> > > 
> > > Just so we are clear, the firewall wouldn't be the right
> > > place to catch this because that string could be split by packet
> > > fragmentation, so you'd need to look for it at an application level,
> > > after the data stream has been reassembled.
> > 
> > Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate - just a
> > traditional term. Any IPS that does not handle fragmentation, though,
> > has some serious problems.
> 
> s/fragmentation/fragmentation and TCP reassembly/
> 
> You'd need both, and they are different things.

Yes, you do in IPS. TCP packets can be reordered within their session and
they can be fragmented as well... You can well make mincemeat of your IPS if
it can not properly handle such situations. 

But, I am at a loss to see how this applies to this subject. Maybe I am
missing something obvious. Who knows? It is Friday. 

Maybe in the sense that *whatever protection* one may have, one should still
fix one's system. This is best practice.

The most popular question I have on this is "will this workaround hurt my
system". No, no it will not. This mimetype is absolutely useless, as I
noted, even to running htas.

I think very few have performed the workaround. 

BTW, safecenter.net, I believe, now has an SSL version of this attack, I
believe it was, kudos to Dror Shalev... So that kind of makes the whole
AV/IPS issue moot. So, case in point, why we should follow "best practice".

And, another note, we have found worms like this in the wild. What do they
do? They trojanize your system with a bug that calls you to dial up 900 porn
numbers. The next worst thing to posting your keylogs to the Usenet.

No?

Friggin spammers.

> -- 
> Crist J. Clark                     |     cjclark@...m.mit.edu
>                                    |     cjclark@....edu
> http://people.freebsd.org/~cjc/    |     cjc@...ebsd.org
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
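The point Wallwork and Clark raise above (a per-packet match on the `Content-Type: application/hta` string is defeated by segmentation and reordering, so the check must run on the reassembled stream) is illustrated by this added example, which is not part of the original thread. The HTTP response, the segment sizes and the delivery order are all constructed here; the stream-gap handling is an assumption about how a careful IPS would behave, not a description of any particular product.

```python
# Added example (not from the original thread): a per-segment signature for
# "Content-Type: application/hta" misses a header split across TCP segments
# delivered out of order, while matching after sequence-number reassembly
# catches it. All data below is constructed; no real traffic is involved.
import re

SIGNATURE = re.compile(rb"content-type:\s*application/hta", re.IGNORECASE)

# Constructed HTTP response; the dangerous header starts at byte offset 34.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Content-Type: application/hta\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def split_into_segments(data: bytes, sizes):
    """Cut the stream into (seq, payload) segments of the given sizes."""
    segments, seq = [], 0
    for size in sizes:
        segments.append((seq, data[seq:seq + size]))
        seq += size
    segments.append((seq, data[seq:]))  # trailing remainder
    return [s for s in segments if s[1]]

def per_packet_match(segments) -> bool:
    """Naive 'firewall rule': inspect each segment on its own."""
    return any(SIGNATURE.search(payload) for _, payload in segments)

def reassembled_match(segments) -> bool:
    """IPS-style check: order by sequence number, rebuild the stream, then match.
    A gap (missing segment) is treated as 'cannot judge yet' and returns False,
    an assumed policy for this example."""
    stream, expected = bytearray(), 0
    for seq, payload in sorted(segments):
        if seq != expected:
            return False
        stream += payload
        expected += len(payload)
    return SIGNATURE.search(bytes(stream)) is not None

# Split inside the header value, then deliver the segments out of order.
SEGMENTS = split_into_segments(RESPONSE, [40, 20])
OUT_OF_ORDER = [SEGMENTS[1], SEGMENTS[0], SEGMENTS[2]]

if __name__ == "__main__":
    print("per-packet :", per_packet_match(OUT_OF_ORDER))   # False
    print("reassembled:", reassembled_match(OUT_OF_ORDER))  # True
```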

