Dailydave mailing list archives

RE: Tectonic Shifts


From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Wed, 10 Dec 2003 13:19:23 -0500

You wouldn't necessarily have to replace the Windows Update installer
ActiveX control, if you could get it to download and install unsigned
files (for example if there was a vulnerability of some sort in the
control).

My friend Justine found a stack buffer-overrun in an ActiveX control my
team wrote that was related to using one of the standard MS macros to
convert COM strings to C strings (if you dig deep enough you find it
uses alloca).  So if you sent a parameter from the HTML page to the
control that was over 64k in size (less on some machines) you could run
code on the client.

If a hypothetical vulnerability like this did exist, and you could
exploit it without hosing IE, and control content on the server, then
you could probably apply a crack to the download signature-checking
mechanism in the control, and add a new "patch" record that pointed to
somewhere else.  If you did this at the right time (3am is the default
for the scheduled downloads) you might get control of a lot of servers
and workstations.

With this vulnerability, you could work out the ActiveX control stuff
ahead of time, then either find a new IIS 0-day or act as soon as one
came out to take over the server, figure out whatever little XML file
they use to show you updates, add your update in, and start getting it
distributed.

Phil

-----Original Message-----
From: dailydave-bounces () lists immunitysec com 
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of 
Blue Boar
Sent: Wednesday, December 10, 2003 1:01 PM
To: Stefan Wagner
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Tectonic Shifts


Stefan Wagner wrote:

> On Wed, Dec 10, 2003 at 10:36:38AM -0500, Dave Aitel wrote:
> > computer, I have to assume that Windows Update has been owned at least
> > once.
> At least once by 'Code Red':
>
> http://www.attrition.org/mirror/attrition/2001/07/19/windowsupdate.microsoft.com/
>
> I don't know if M$ started applying their own patches or not since then,
> doubt being owned by a worm says anything about security :>

Right, it got wormed.  But, does owning Windowsupdate do you any good
without the signing key?  Sure, I imagine there are some significant number
of people who will click whatever for the unsigned code, but then you could
be windowsupdate with some DNS games.

                                              BB

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com 
http://www.immunitysec.com/mailman/listinfo/dailydave
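
Phil's message above describes an ActiveX control whose COM-string-to-C-string conversion macro sized a stack scratch buffer with alloca from a length the HTML page controlled, so a parameter over 64k blew the stack. The example below is added here and is not code from the thread or from any Microsoft or ISS component: it models a length-prefixed wide string (the shape a BSTR has) with a plain struct, sketches the alloca pattern as a comment for contrast, and shows the defensive form a control should use instead: an explicit upper bound on the untrusted length, checked before any allocation, with the buffer on the heap. The MAX_PARAM_CHARS limit, the wide_str type and the helper names are assumptions made for this example.

```c
/* Added example (not from the thread): bounded conversion of a
 * COM-style wide string to a narrow C string.  The thread's bug was a
 * conversion macro that did the equivalent of alloca(len) with len taken
 * straight from a web page; this file shows the guarded alternative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit chosen for this example.  A real control would derive
 * it from what the parameter is actually allowed to hold, not from how
 * much stack happens to be free. */
#define MAX_PARAM_CHARS 4096

/* Constructed stand-in for a COM wide string: UTF-16 code units plus an
 * explicit length, as a BSTR carries. */
typedef struct {
    const uint16_t *data;
    size_t len;   /* number of code units, not bytes */
} wide_str;

/* Unsafe pattern, sketched only (never compiled or called here): the
 * scratch buffer is stack-allocated and its size is whatever the caller
 * supplied, so a long enough parameter runs off the end of the stack.
 *
 *   char *narrow = alloca(ws->len + 1);      // size chosen by the page
 *   for (size_t i = 0; i < ws->len; i++)
 *       narrow[i] = (char)ws->data[i];
 */

/* Hardened conversion: reject oversized or missing input before touching
 * memory, allocate on the heap, and map code units outside 7-bit ASCII
 * to '?' rather than truncating them silently.  Returns NULL on rejection
 * or allocation failure; the caller frees the result. */
char *wide_to_narrow_bounded(const wide_str *ws)
{
    if (ws == NULL || ws->data == NULL || ws->len > MAX_PARAM_CHARS)
        return NULL;
    char *narrow = malloc(ws->len + 1);
    if (narrow == NULL)
        return NULL;
    for (size_t i = 0; i < ws->len; i++) {
        uint16_t cu = ws->data[i];
        narrow[i] = (cu < 0x80) ? (char)cu : '?';
    }
    narrow[ws->len] = '\0';
    return narrow;
}

/* Demo helper: build a constructed wide string of n copies of one code unit. */
static uint16_t *make_wide(size_t n, uint16_t cu)
{
    uint16_t *buf = malloc((n == 0 ? 1 : n) * sizeof *buf);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        buf[i] = cu;
    return buf;
}

/* Returns 1 if a parameter of n code units passes the bounded converter,
 * 0 if the guard rejects it.  Lets the demo probe the limit directly. */
int param_accepted(size_t n)
{
    uint16_t *buf = make_wide(n, 'A');
    if (buf == NULL)
        return 0;
    wide_str ws = { buf, n };
    char *out = wide_to_narrow_bounded(&ws);
    int ok = (out != NULL);
    free(out);
    free(buf);
    return ok;
}

int main(void)
{
    static const uint16_t hello[] = { 'h', 'i', 0x00e9 };   /* "hi" + e-acute */
    wide_str ws = { hello, 3 };
    char *s = wide_to_narrow_bounded(&ws);
    printf("short parameter -> \"%s\"\n", s ? s : "(rejected)");
    free(s);
    /* The thread's figure: a parameter over 64k code units. */
    printf("70000-unit parameter accepted: %d\n", param_accepted(70000));
    printf("%d-unit parameter accepted: %d\n", MAX_PARAM_CHARS,
           param_accepted(MAX_PARAM_CHARS));
    return 0;
}
```

The point of the guard is that the check happens on the length field before any allocation, so the size of the scratch buffer is decided by the control's contract rather than by the page that scripted it; moving the buffer to the heap is the second half, since even a bounded alloca still shares one fixed-size stack with every other frame on the thread.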