Full Disclosure mailing list archives

RE: SUPER SPOOF DELUXE Re: Microsoft and Security
From: "http-equiv () excite com" <1 () malware com>
Date: Thu, 1 Jul 2004 20:35:55 -0000

Yes of course.

Two tiny problems though:

1. Your little scriptlet doesn't work for me. I get:

'W.frames.2.location' is null or not an object

2. If, as you claim, this is "standard practice", then there is something wrong with these browsers, as it apparently does not work on them:

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux


Perhaps someone who really knows will enlighten us all.

Thor Larholm <thor () pivx com> said:

From: http-equiv () excite com [mailto:1 () malware com] 

Your subject makes it sound like this is a spoofing vulnerability when in fact this is expected functionality that has been around Netscape 2 and IE3 which does not grant additional privileges of any kind and requires the user to activate WindowsUpdate from your

Here's a quick and dirty demo injecting malware.com into windowsupdate.microsoft.com :)

Your script opens a new window and then uses a timer to change location of whatever window object has focus. This does not security zone or even protocol, all it does is to load your site into a subframe of another site. You can accomplish the exact same trying to 'trick' anything by using the following 2 lines:

W.frames[2].location.href = "http://pivx.com/";

This is no different than loading WindowsUpdate in a frame on your own

It has always been standard practice that you can change, but not read, the location of any window object to a site from the same protocol and security zone. A frame is a window object and all window objects are safely exposed because they by themselves do not reveal any information about the site inside the frame. You can get a handle of any window object to any depth because the frames collection is also safely exposed. This does not give you any kind of access to the object inside, which would be necessary for any kind of code or cookie theft.


Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
-----Original Message-----
From: http-equiv () excite com [mailto:1 () malware com] 
Sent: Tuesday, June 29, 2004 11:41 AM
To: bugtraq () securityfocus com
Cc: NTBugtraq () listserv ntbugtraq com
Subject: SUPER SPOOF DELUXE Re: [Full-disclosure] Microsoft and Security

Thomas Kessler was kind enough to inform us that this is not new, but in fact an old "issue" with Internet Explorer which by all accounts was supposed to be "patched" back in 1998[?]:

Microsoft Security Program: Microsoft Security Bulletin (MS98-020) Patch Available for 'Frame Spoof' Vulnerability


Quite clearly this contraption known as Internet Explorer is 
broken. It's oozing pus from every pore at this stage.

If indeed the issues are the exact same. 

You'd better wipe hands of it anyway.

We give up.



Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
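The asymmetry Thor describes above (the frames collection and the location setter of a cross-origin window object are reachable, the location getter is not) can be observed directly in a current browser. The following page is an added demo, not code from the thread or from either poster; the framed URL https://example.com/ is an assumption, and any site that does not forbid framing will do.

```html
<!DOCTYPE html>
<!-- Added demo (not from the thread): probes what a cross-origin window
     object exposes. The framed URL is an assumption; any site that does not
     forbid framing via X-Frame-Options / CSP frame-ancestors behaves the same. -->
<meta charset="utf-8">
<title>Cross-origin window object: write vs. read</title>
<iframe id="f" src="https://example.com/" width="400" height="150"></iframe>
<pre id="log"></pre>
<script>
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };
  const f = document.getElementById('f');
  let loads = 0;

  f.addEventListener('load', () => {
    loads += 1;
    const w = f.contentWindow;   // handle to the cross-origin window object

    // 1. The frames collection is exposed: its length is readable even
    //    though the framed document belongs to another origin.
    log('frames.length readable: ' + w.frames.length);

    // 2. Reading the location of a cross-origin window is refused by the
    //    browser; the access throws instead of returning the URL.
    try {
      log('location.href read: ' + w.location.href);
    } catch (e) {
      log('location.href read refused: ' + e.name);   // SecurityError
    }

    // 3. Writing it is permitted: the frame navigates to the assigned URL.
    //    This is the "change, but not read" rule from the thread. Done once
    //    so the second load event does not loop.
    if (loads === 1) {
      w.location.href = 'https://example.com/?navigated=1';  // assumed demo URL
      log('location.href assignment accepted (frame navigates)');
    }
  });
</script>
```

A site that does not want to appear inside someone else's frame at all says so with the X-Frame-Options header or a CSP frame-ancestors directive, which is the mitigation for the "load WindowsUpdate in a frame on your own site" case the thread argues about.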
