|
Bugtraq
mailing list archives
RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 27 Aug 2003 10:29:50 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Addendum: It has come to our attention that the file extension does not matter.
So, the only way people should be blocking is this is by blocking by this tag:
Content-Type: application/hta
Cheers.
-----Original Message-----
From: Drew Copley [mailto:dcopley () eeye com]
Sent: Wednesday, August 27, 2003 10:03 AM
To: 'Fabio Pietrosanti (naif)'; 'BUGTRAQ'
Subject: RE: EEYE: Internet Explorer Object Data Remote
Execution Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you wish, you can deny any traffic using:
Content-Type: application/hta
The fact is even IIS does not have that content type built
in, and it does not need it. Further, the need for anyone to
legitimately download a HTML Application would be extremely
rare. (This is not saying HTML Applications are useless.)
Object tags can have unsafe extensions in the data, for
instance, base-64 encoded data is rather popular. (For
whatever reason Frontpage automatically puts base-64 encoded
data in some activex.)
-----Original Message-----
From: Fabio Pietrosanti (naif) [mailto:fabio () pietrosanti it]
Sent: Monday, August 25, 2003 2:45 AM
To: BUGTRAQ
Subject: Re: EEYE: Internet Explorer Object Data Remote
Execution Vulnerability
On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
In case anyone needs a SNORT rule to catch attempts to
exploit this
vulnerability:
#-----
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"Internet
Explorer Object Data Remote Execution Vulnerability"; \
content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
nocase; flow:from_server, established; \
reference:cve,CAN-2003-0532; \
classtype:web-application-activity; rev:1;)
#-----
This rules catch the response with the exploit's payload from
the server that may change depending on the exploits so
matching the CLSID of WSH does not detect the "vulnerability"
beeing exploited but this specific exploits.
Altought there are many way of exploiting this vuln without
using the Window Scripting Host, it's possible to use it in
many way like:
- VBScript
CreateObject("WScript.Shell")
- JavaScript
new ActiveXObject("WScript.shell");
or like in the demostration with the <object> tag .
The only way to detect it is to look at the data sent by the
client beeing exploited ( which can probably bypassed with
fancy mhtml base64 encoded e-mail or with an e-mail with a
link to a site available in https )
For an effective signature we need a regexp that will catch
everything that start with <object, reach the field data= and
look at the end of the string inside
"" matching everything that's NOT an unsafe extension ( .exe,
.pif, .cab, etc, etc ) .
In perl should be something like:
/date="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/
( tnx Md )
Regards
--
Fabio Pietrosanti ( naif )
E-mail: fabio () pietrosanti it - naif () s0ftpj org -
naif () sikurezza org PGP Key available on my homepage:
http://fabio.pietrosanti.it/
- --
Security is a state of being, not a state of budget. rfp
- --
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBP0zkYAkWkugjEnC3EQLRzQCfUA4X7X4q/kxhTTNpblyo17RHOwMAoMNy
t87vTJIMNFpKj6/ESNba3hd0
=RMqw
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBP0zqjgkWkugjEnC3EQKOogCeNqFJC5wPvS9n3MNZRZIJY1OSLhwAnjMr
dPDmnRNq/T/WdXkcj+Bh3QY8
=YB1/
-----END PGP SIGNATURE-----
 By Date 
By Thread
Current thread:
- Re: EEYE: Internet Explorer Object Data Remote Execution Vulnerability, (continued)
|
Intro
