| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: se_cur_ity at hotmail.com (morning_wood) Subject: Is there a 0day vuln in this phisher's site? if you mean http://www.exploitlabs.com/urlbar.html ... then I sent MS an advisory of this... they are working on a patch. funny... i just noticed my first PoC of this is dated 08/27/04 ( http://www.kb.cert.org/vuls/id/490708 ) is dated 2001 !!! MS response #1 Thank you for sending this report. We're currently investigating this issue, however it looks to be a duplicate of other UI spoofing issues that have been posted. For reference please see the below: http://freehost07.websamba.com/greyhats/dlwinspoof-menu.htm We've worked to address this update in XPSP2 by default in the Internet Zone, and the option exists to enable this mitigation for other zones via the registry or group policy. Please let me know if you issue is a separate vulnerability from the one listed above. MS response #2 Donnie, Thank you for the explanation. I've been doing more research, and it seems that while the proof-of-concept you've provided is different than the one from Greyhats I sent earlier, it still seems that this is a known issue originally discovered by Georgi Guninski and Andrew Clover. I've found a US-CERT Alert on the malicious use of chromeless windows to spoof UI linked below and a CVE entry. I think this is the same issue, if its not please let me know the difference and I apologize for the confusion. We are tracking this issue and working to resolve it. So far the first public fix for this is in XPSP2. You may also look at the Windows Server 2003 SP1 Release Candidate as that should include the mitigations for this issue as well. http://www.kb.cert.org/vuls/id/490708 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1410 soo... >So have I. Not to diminish the importance of the attack, but this >assumes the default placement of Address Bar if I'm not mistaken, so if >the user changes their toolbar layout the popup will give itself away, >correct? possibly yes... tested 1. win2k ie6 default bar position - YES 2. winXPsp1 ie6 non default bar position - locked - YES 3. winXPsp2 ie6 default bar position - NO my example provided is different in effect than the MS provided PoC link, but they use the same type of coding cheers, Donnie Werner
Powered by blists - more mailing lists