Message-ID: <200407012025.i61KP1lj004888@web129.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: SUPER SPOOF  DELUXE Re: Microsoft and Security


Yes of course.

Two tiny problems though:

1. your little scriplet doesn't work for me. I get:

'W.frames.2.location' is null or not an object

2. If as you claim this is "standard practice" then there is 
something wrong with these browsers as it apparently does not 
work on them:

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

http://secunia.com/advisories/11978/

Perhaps someone who really knows will enlighten us all.

Thor Larholm <thor@...x.com> said:

> > From: http-equiv@...ite.com [mailto:1@...ware.com] 
> 
> Your subject makes it sound like this is a spoofing 
vulnerability when
> in fact this is expected functionality that has been around 
since
> Netscape 2 and IE3 which does not grant additional privileges 
of any
> kind and requires the user to activate WindowsUpdate from your 
site.
> 
> > Here's a quick and dirty demo injecting malware.com into 
> > windowsupdate.microsoft.com :)
> > http://www.malware.com/targutted.html 
> 
> Your script opens a new window and then uses a timer to change 
the
> location of whatever window object has focus. This does not 
switch
> security zone or even protocol, all it does is to load your 
site into a
> subframe of another site. You can accomplish the exact same 
without
> trying to 'trick' anything by using the following 2 lines:
> 
> W=window.open("http://v4.windowsupdate.microsoft.com");
> W.frames[2].location.href = "http://pivx.com/";
> 
> This is no different than loading WindowsUpdate in a frame on 
your own
> site.
> 
> It has always been standard practice that you can change, but 
not read,
> the location of any window object to a site from the same 
protocol and
> security zone. A frame is a window object and all window 
objects are
> safely exposed because they by themselves does not reveal any
> information about the site inside the frame. You can get a 
handle of any
> window object to any depth because the frames collection is 
also safely
> exposed. This does not give you any kind of access to the 
document
> object inside, which would be necessary for any kind of code 
injection
> or cookie theft.
> 
> 
> 
> 
> 
> 
> Regards
> 
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 23 Corporate Plaza #280
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@...x.com
> Stock symbol: (PIVX.OB)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
> 
> PivX defines a new genre in Desktop Security: Proactive Threat
> Mitigation. 
> <http://www.pivx.com/qwikfix>
> -----Original Message-----
> From: http-equiv@...ite.com [mailto:1@...ware.com] 
> Sent: Tuesday, June 29, 2004 11:41 AM
> To: bugtraq@...urityfocus.com
> Cc: NTBugtraq@...tserv.ntbugtraq.com
> Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft 
and Security
> 
> 
> 
> 
> Thomas Kessler was kind enough to inform that this is not new, 
but in
> fact on old "issue" with Internet Explorer which by all 
accounts was
> supposed to be "patched" back in 1998[?]:
> 
> Microsoft Security Program: Microsoft Security Bulletin (MS98-
> 020) Patch Available for 'Frame Spoof' Vulnerability
> 
> http://www.microsoft.com/technet/security/bulletin/ms98-
020.mspx
> 
> Quite clearly this contraption known as Internet Explorer is 
just
> broken. It's oozing pus from every pore at this stage.
> 
> If indeed the issues are the exact same. 
> 
> You'd better wipe hands of it anyway.
> 
> We give up.
> 
> --
> http://www.malware.com
> 
> 
> 



-- 
http://www.malware.com

Powered by blists - more mailing lists