[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY10-DAV5E9404CB9809119570013D97B0@phx.gbl>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Is there a 0day vuln in this phisher's site?
if you mean http://www.exploitlabs.com/urlbar.html ...
then I sent MS an advisory of this... they are working on a patch.
funny... i just noticed my first PoC of this is dated 08/27/04
( http://www.kb.cert.org/vuls/id/490708 ) is dated 2001 !!!
MS response #1
Thank you for sending this report. We're currently investigating this
issue, however it looks to be a duplicate of other UI spoofing issues
that have been posted. For reference please see the below:
http://freehost07.websamba.com/greyhats/dlwinspoof-menu.htm
We've worked to address this update in XPSP2 by default in the Internet
Zone, and the option exists to enable this mitigation for other zones
via the registry or group policy. Please let me know if you issue is a
separate vulnerability from the one listed above.
MS response #2
Donnie,
Thank you for the explanation. I've been doing more research, and it seems
that while the proof-of-concept you've provided is different than the one
from Greyhats I sent earlier, it still seems that this is a known issue
originally discovered by Georgi Guninski and Andrew Clover. I've found a
US-CERT Alert on the malicious use of chromeless windows to spoof UI linked
below and a CVE entry. I think this is the same issue, if its not please
let me know the difference and I apologize for the confusion.
We are tracking this issue and working to resolve it. So far the first
public fix for this is in XPSP2. You may also look at the Windows Server
2003 SP1 Release Candidate as that should include the mitigations for this
issue as well.
http://www.kb.cert.org/vuls/id/490708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1410
soo...
>So have I. Not to diminish the importance of the attack, but this
>assumes the default placement of Address Bar if I'm not mistaken, so if
>the user changes their toolbar layout the popup will give itself away,
>correct?
possibly yes... tested
1. win2k ie6 default bar position - YES
2. winXPsp1 ie6 non default bar position - locked - YES
3. winXPsp2 ie6 default bar position - NO
my example provided is different in effect than the MS provided
PoC link, but they use the same type of coding
cheers,
Donnie Werner
Powered by blists - more mailing lists