Home page logo

bugtraq logo Bugtraq mailing list archives

RE: EEYE: Internet Explorer Object Data Remote Execution Vulnerability
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 27 Aug 2003 10:03:29 -0700

Hash: SHA1

If you wish, you can deny any traffic using:

Content-Type: application/hta

The fact is even IIS does not have that content type built in, and it does not need it. Further, the need for anyone to 
legitimately download a HTML Application would be extremely rare. (This is not saying HTML Applications are useless.)

Object tags can have unsafe extensions in the data, for instance, base-64 encoded data is rather popular. (For whatever 
reason Frontpage automatically puts base-64 encoded data in some activex.)

-----Original Message-----
From: Fabio Pietrosanti (naif) [mailto:fabio () pietrosanti it] 
Sent: Monday, August 25, 2003 2:45 AM
Subject: Re: EEYE: Internet Explorer Object Data Remote 
Execution Vulnerability

On Fri, Aug 22, 2003 at 11:27:33AM +0300, Nerijus Krukauskas wrote:
  In case anyone needs a SNORT rule to catch attempts to 
exploit this

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet
Explorer Object Data Remote Execution Vulnerability"; \
        content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
        nocase; flow:from_server, established; \
        reference:cve,CAN-2003-0532; \
        classtype:web-application-activity; rev:1;)

This rules catch the response with the exploit's payload from 
the server that may change depending on the exploits so 
matching the CLSID of WSH does not detect the "vulnerability" 
beeing exploited but this specific exploits.

Altought there are many way of exploiting this vuln without 
using the Window Scripting Host, it's possible to use it in 
many way like:

- VBScript


- JavaScript  

  new ActiveXObject("WScript.shell"); 

or like in the demostration with the <object> tag .

The only way to detect it is to look at the data sent by the 
client beeing exploited ( which can probably bypassed with 
fancy mhtml base64 encoded e-mail or with an e-mail with a 
link to a site available in https )

For an effective signature we need a regexp that will catch 
everything that start with <object, reach the field data= and 
look at the end of the string inside 
"" matching everything that's NOT an unsafe extension ( .exe, 
.pif, .cab, etc, etc ) .

In perl should be something like:

   ( tnx Md ) 



Fabio Pietrosanti ( naif )
E-mail: fabio () pietrosanti it - naif () s0ftpj org - 
naif () sikurezza org PGP Key available on my homepage: 
- --
Security is a state of being, not a state of budget. rfp 
- --

Version: PGP 8.0


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]