Dailydave mailing list archives

VML Exploits and IDP-AV Evasion
From: "Arsal, Ertunga" <EArsal () techdata de>
Date: Tue, 26 Sep 2006 18:00:01 +0200


Hello All, 


Do you think that the security products are getting more into creating an illusion of safety, thus making people more 
vulnerable? The issue is the vulnerabilities they are not able to catch properly. One of them is the recent VML 
exploit. Okay, we know there are millions of ways to create an HTML page that could execute, which means no signature 
would be reliable. 

I did a basic test. Just went to http://www.isotf.org/zert/testvml.htm with IE.
 
ISS Proventia blocked it. Tested without Proventia. This time Symantec AV caught it. Excellent!
 
Then I went to the second line:
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
Changed it from "urn:schemas-microsoft-com:vml" to "urn:schemas-microsoft-com: vml" by putting in one space, and uploaded it 
to a web server.

Proventia didn't catch a thing, nor did the Symantec AV. IE crashed. 

So, what is the trend now? Having only protection against public test exploits? Is this only a publicity thing rather than 
proper protection?


Ertunga Arsal

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
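
The signature weakness described in the post above, shown as an added example that is not part of the original message or of any vendor's product: a literal-string match on the VML namespace beside a check that parses the tag and canonicalizes the namespace value first. The sample pages are constructed, the function names are hypothetical, and treating whitespace and case variants as equivalent is an assumption based on the post's report that IE still processed the spaced form; the check flags VML namespace declarations, not the exploit itself.

```python
import re
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"  # namespace URI quoted in the post
OFFICE = 'xmlns:o="urn:schemas-microsoft-com:office:office"'

# Constructed sample pages: only the opening tag matters for this check.
ORIGINAL = f'<html xmlns:v="urn:schemas-microsoft-com:vml" {OFFICE}><body></body></html>'
SPACED = f'<html xmlns:v="urn:schemas-microsoft-com: vml" {OFFICE}><body></body></html>'
ENTITY = f'<HTML XMLNS:V="urn:schemas-microsoft-com:&#118;ml" {OFFICE}></HTML>'
BENIGN = f'<html {OFFICE}><body></body></html>'


def naive_signature(page: str) -> bool:
    """Literal-string match: the kind of check a one-space edit defeats."""
    return VML_NS in page


def canonical(value: str) -> str:
    """Remove all whitespace and fold case (deliberately over-matches)."""
    return re.sub(r"\s+", "", value).lower()


class _NamespaceCollector(HTMLParser):
    """Collects every xmlns / xmlns:* attribute value from any start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.namespaces = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and decodes character
        # references in values, so case and entity variants arrive normalized.
        for name, value in attrs:
            if name == "xmlns" or name.startswith("xmlns:"):
                self.namespaces.append(value or "")


def declares_vml(page: str) -> bool:
    """True if any namespace declaration canonicalizes to the VML URI."""
    collector = _NamespaceCollector()
    collector.feed(page)
    collector.close()
    return any(canonical(ns) == VML_NS for ns in collector.namespaces)


if __name__ == "__main__":
    for label, page in [("original", ORIGINAL), ("spaced", SPACED),
                        ("entity", ENTITY), ("benign", BENIGN)]:
        print(f"{label:8} naive={naive_signature(page)} parsed={declares_vml(page)}")
```
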

