lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <000d01c462fa$98200d80$3200000a@alex>
Date: Tue, 06 Jul 2004 03:43:05 +0200
From: Jelmer <jkuperus@...net.nl>
To: 'Thor Larholm' <thor@...x.com>, 'Drew Copley' <dcopley@...e.com>,
	'Windows NTBugtraq Mailing List' <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
	bugtraq@...urityfocus.com
Subject: RE: Registry Fix For Variant of Scob


No reason to set the kill bit?

Take a look at
http://seclists.org/lists/fulldisclosure/2004/Jun/0318.html

And I am quoting you now

"You should be able to use this to compromise Windows XP SP2 through 
Internet Explorer despite the My Computer zone hardening since the 
Trusted Sites Zone has all of the privileges you need to plant and 
execute a file."

(I have no idea if this is correct btw, sp2 hasn't touched my system yet)

So what's it going to be Thor

Do you want to retract the aforementioned statement
Or this post

You can't have it both ways you know

  --jelmer


-----Original Message-----
From: Thor Larholm [mailto:thor@...x.com] 
Sent: zondag 4 juli 2004 0:48
To: Drew Copley; Windows NTBugtraq Mailing List; bugtraq@...urityfocus.com
Subject: RE: Registry Fix For Variant of Scob

Setting the kill bit on the "Shell.Application" ActiveX object, or any
other ActiveX, is a system wide configuration change. This is also the
reason for the incompatibility issues you are mentioning, but there is
no reason to kill the bird to secure the nest.

The problem here is not the ADODB.Stream or Shell.Application objects,
the problem is the insecure My Computer zone in Internet Explorer. Your
registry fix will have adverse functionality regressions on any Windows
administrator that use WSH when there is no reason for this. ActiveX
objects are used in many hosts of which IE is just one, others include
Jscript, VBScript, HTML Applications and WSH, all of which run outside
of the browser and require executional privileges to launch in the first
place.

The prerequisite for even having privileges enough to launch the
Shell.Application ActiveX object inside IE is to have script running in
the My Computer zone. Locking down this zone will completely prevent
this exploit, without introduing functionality regressions in other
parts of Windows. In fact, if you had implemented the registry changes I
described back in early September 2003 you would have been safe against
all the command execution vulnerabilities that have subsequently been
discovered - including ADODB.Stream and Shell.Application who are
themselves just minor components of a larger exploit prerequisite.

http://www.securityfocus.com/archive/1/346174/2003-11-30/2003-12-06/0

I am sure that tomorrow, next week and next month we will find even more
ways to exploit insecure zone privileges in IE. You can either try to
fix the root cause once or you can try to treat each new symptom as it
is discovered.

There is no need to hurridly introduce last-minute system wide
functionality regressions such as killbitting Shell.Application, all you
need to do is lock down the My Computer zone in IE properly. We
implemented this in Qwik-Fix last September and have since then not had
to worry about exploits that target these design principles in IE.
Instead, we have been able to focus our efforts on securing other parts
of Windows as opposed to scramble to cope up with each new exploit from
jelmer or http-equiv. You can get a free copy of Qwik-Fix Pro at

http://qwik-fix.net

All software is inherently insecure, the difference is in how you treat
that insecurity. 


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Drew Copley [mailto:dcopley@...e.com] 
Sent: Friday, July 02, 2004 2:33 PM
To: Windows NTBugtraq Mailing List; bugtraq@...urityfocus.com
Subject: Registry Fix For Variant of Scob


About the same time Jelmer found the adodb bug, http-equiv found a
similiar issue with the object "Shell.Application".

This issue has also been unfixed for the past ten months.

Unfortunately, Microsoft has not taken the "hint" and not
fixed this issue either.

Jelmer has noted this and made a proof of concept exploit
page here: http://62.131.86.111/security/idiots/malware2k/installer.htm


The below registry file will protect you from this exploit
by kill biting "Shell.Application" variant.

<------------------------------------------->
Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
<-------------------------------------------->

I will be updating our free fix download here:
http://www.eeye.com/html/research/alerts/AL20040610.html

This will break some hta scripts that might be used
for management. It may cause some incompatibility issues
with some programs.

Shell.Application is commonly used by administrators
for administration of systems via Visual basic script
or WSH. It may have other uses. It is kind of Microsoft's answer to
shell script -- though not as happy as batch.







Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ