Message-ID: <BAY10-DAV5E9404CB9809119570013D97B0@phx.gbl>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Is there a 0day vuln in this phisher's site?

if you mean http://www.exploitlabs.com/urlbar.html ...
then I sent MS an advisory of this... they are working on a patch.
funny... I just noticed my first PoC of this is dated 08/27/04

(http://www.kb.cert.org/vuls/id/490708) is dated 2001!!!


MS response #1
Thank you for sending this report.  We're currently investigating this
issue, however it looks to be a duplicate of other UI spoofing issues
that have been posted.  For reference please see the below:

http://freehost07.websamba.com/greyhats/dlwinspoof-menu.htm

We've worked to address this update in XPSP2 by default in the Internet
Zone, and the option exists to enable this mitigation for other zones
via the registry or group policy.  Please let me know if your issue is a
separate vulnerability from the one listed above.

MS response #2
Donnie,

Thank you for the explanation.  I've been doing more research, and it seems
that while the proof-of-concept you've provided is different than the one
from Greyhats I sent earlier, it still seems that this is a known issue
originally discovered by Georgi Guninski and Andrew Clover.  I've found a
US-CERT Alert on the malicious use of chromeless windows to spoof UI linked
below and a CVE entry.  I think this is the same issue; if it's not, please
let me know the difference and I apologize for the confusion.

We are tracking this issue and working to resolve it.  So far the first
public fix for this is in XPSP2.  You may also look at the Windows Server
2003 SP1 Release Candidate as that should include the mitigations for this
issue as well.

http://www.kb.cert.org/vuls/id/490708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1410


soo...


>So have I. Not to diminish the importance of the attack, but this
>assumes the default placement of Address Bar if I'm not mistaken, so if
>the user changes their toolbar layout the popup will give itself away,
>correct?

possibly yes... tested:
1. win2k ie6, default bar position - YES
2. winXPsp1 ie6, non-default bar position (locked) - YES
3. winXPsp2 ie6, default bar position - NO

my example provided is different in effect than the MS provided
PoC link, but they use the same type of coding


cheers,

Donnie Werner
