Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 27 Aug 2003 10:29:50 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Addendum: It has come to our attention that the file extension does not matter. 

So, the only way people should be blocking is this is by blocking by this tag:

Content-Type: application/hta

Cheers.


-----Original Message-----
From: Drew Copley [mailto:dcopley () eeye com] 
Sent: Wednesday, August 27, 2003 10:03 AM
To: 'Fabio Pietrosanti (naif)'; 'BUGTRAQ'
Subject: RE: EEYE: Internet Explorer Object Data Remote 
Execution Vulnerability


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you wish, you can deny any traffic using:

Content-Type: application/hta

The fact is even IIS does not have that content type built 
in, and it does not need it. Further, the need for anyone to 
legitimately download a HTML Application would be extremely 
rare. (This is not saying HTML Applications are useless.)

Object tags can have unsafe extensions in the data, for 
instance, base-64 encoded data is rather popular. (For 
whatever reason Frontpage automatically puts base-64 encoded 
data in some activex.)



-----Original Message-----
From: Fabio Pietrosanti (naif) [mailto:fabio () pietrosanti it]
Sent: Monday, August 25, 2003 2:45 AM
To: BUGTRAQ
Subject: Re: EEYE: Internet Explorer Object Data Remote 
Execution Vulnerability


On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
  In case anyone needs a SNORT rule to catch attempts to
exploit this
vulnerability:

#-----
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"Internet 
Explorer Object Data Remote Execution Vulnerability"; \
        content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
        nocase; flow:from_server, established; \
        reference:cve,CAN-2003-0532; \
        classtype:web-application-activity; rev:1;)
#-----

This rules catch the response with the exploit's payload from
the server that may change depending on the exploits so 
matching the CLSID of WSH does not detect the "vulnerability" 
beeing exploited but this specific exploits.

Altought there are many way of exploiting this vuln without
using the Window Scripting Host, it's possible to use it in 
many way like:

- VBScript

   CreateObject("WScript.Shell")

- JavaScript

  new ActiveXObject("WScript.shell");

or like in the demostration with the <object> tag .

The only way to detect it is to look at the data sent by the
client beeing exploited ( which can probably bypassed with 
fancy mhtml base64 encoded e-mail or with an e-mail with a 
link to a site available in https )

For an effective signature we need a regexp that will catch
everything that start with <object, reach the field data= and 
look at the end of the string inside 
"" matching everything that's NOT an unsafe extension ( .exe, 
.pif, .cab, etc, etc ) .

In perl should be something like:

/date="[^"]+\.(?!exe|bat|pif|cab|scr|etc|etc|antani)([^"])+?"/
   ( tnx Md )

Regards

--

Fabio Pietrosanti ( naif )
E-mail: fabio () pietrosanti it - naif () s0ftpj org -
naif () sikurezza org PGP Key available on my homepage: 
http://fabio.pietrosanti.it/
- --
Security is a state of being, not a state of budget. rfp 
- --

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0zkYAkWkugjEnC3EQLRzQCfUA4X7X4q/kxhTTNpblyo17RHOwMAoMNy
t87vTJIMNFpKj6/ESNba3hd0
=RMqw
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0zqjgkWkugjEnC3EQKOogCeNqFJC5wPvS9n3MNZRZIJY1OSLhwAnjMr
dPDmnRNq/T/WdXkcj+Bh3QY8
=YB1/
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]