lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <8B32EDC90D8F4E4AB40918883281874D8B5B1B@mail.pivx.com>
Date: Thu, 1 Jul 2004 12:49:31 -0700
From: "Thor Larholm" <thor@...x.com>
To: <1@...ware.com>, <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: RE:  SUPER SPOOF  DELUXE Re: Microsoft and Security


> From: http-equiv@...ite.com [mailto:1@...ware.com] 

Your subject makes it sound like this is a spoofing vulnerability when
in fact this is expected functionality that has been around since
Netscape 2 and IE3 which does not grant additional privileges of any
kind and requires the user to activate WindowsUpdate from your site.

> Here's a quick and dirty demo injecting malware.com into 
> windowsupdate.microsoft.com :)
> http://www.malware.com/targutted.html 

Your script opens a new window and then uses a timer to change the
location of whatever window object has focus. This does not switch
security zone or even protocol, all it does is to load your site into a
subframe of another site. You can accomplish the exact same without
trying to 'trick' anything by using the following 2 lines:

W=window.open("http://v4.windowsupdate.microsoft.com");
W.frames[2].location.href = "http://pivx.com/";

This is no different than loading WindowsUpdate in a frame on your own
site.

It has always been standard practice that you can change, but not read,
the location of any window object to a site from the same protocol and
security zone. A frame is a window object and all window objects are
safely exposed because they by themselves does not reveal any
information about the site inside the frame. You can get a handle of any
window object to any depth because the frames collection is also safely
exposed. This does not give you any kind of access to the document
object inside, which would be necessary for any kind of code injection
or cookie theft.






Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: http-equiv@...ite.com [mailto:1@...ware.com] 
Sent: Tuesday, June 29, 2004 11:41 AM
To: bugtraq@...urityfocus.com
Cc: NTBugtraq@...tserv.ntbugtraq.com
Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security




Thomas Kessler was kind enough to inform that this is not new, but in
fact on old "issue" with Internet Explorer which by all accounts was
supposed to be "patched" back in 1998[?]:

Microsoft Security Program: Microsoft Security Bulletin (MS98-
020) Patch Available for 'Frame Spoof' Vulnerability

http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx

Quite clearly this contraption known as Internet Explorer is just
broken. It's oozing pus from every pore at this stage.

If indeed the issues are the exact same. 

You'd better wipe hands of it anyway.

We give up.

--
http://www.malware.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ