Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
From: "Fabio Pietrosanti (naif)" <fabio () pietrosanti it>
Date: Mon, 25 Aug 2003 11:44:58 +0200

On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
  In case anyone needs a SNORT rule to catch attempts to exploit this 
vulnerability:

#-----
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet 
Explorer Object Data Remote Execution Vulnerability"; \
        content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
        nocase; flow:from_server, established; \
        reference:cve,CAN-2003-0532; \
        classtype:web-application-activity; rev:1;)
#-----

This rules catch the response with the exploit's payload from the server that
may change depending on the exploits so matching the CLSID of WSH does not
detect the "vulnerability" beeing exploited but this specific exploits.

Altought there are many way of exploiting this vuln without using the Window
Scripting Host, it's possible to use it in many way like:

- VBScript

   CreateObject("WScript.Shell")

- JavaScript  

  new ActiveXObject("WScript.shell"); 

or like in the demostration with the <object> tag .

The only way to detect it is to look at the data sent by the client beeing
exploited ( which can probably bypassed with fancy mhtml base64 encoded e-mail
or with an e-mail with a link to a site available in https )

For an effective signature we need a regexp that will catch everything
that start with <object, reach the field data= and look at the end of the string inside 
"" matching everything that's NOT an unsafe extension ( .exe, .pif, .cab, etc, etc ) .

In perl should be something like:

/date="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/   ( tnx Md ) 

Regards

--

Fabio Pietrosanti ( naif )
E-mail: fabio () pietrosanti it - naif () s0ftpj org - naif () sikurezza org
PGP Key available on my homepage: http://fabio.pietrosanti.it/
--
Security is a state of being, not a state of budget. rfp 
--


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault