Post Reply 
Exploit for unpatched IE vuln fuels hacker fears
Aug. 19, 2005, 08:59 PM
Post: #1
Exploit for unpatched IE vuln fuels hacker fears
http://securityfocus.com/news/11289

A filter for this exploit has been included in v4.37 of my Browser Security Pack. If you would like a standalone filter, here it is Wink

Code:
[Patterns]
Name = "IE: Msdds.dll Class ID Exploit Remover [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Limit = 64
Match = "clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"
Replace = "$ALERT(Msdds.dll Class ID Exploit Removed on:\n\n\u)"
Visit this user's website
Add Thank You Quote this message in a reply
Aug. 19, 2005, 09:17 PM
Post: #2
 
Thanks, i'll also add it to my ClassIDs list. Smile!
Did you come across a testcase?

sidki
Add Thank You Quote this message in a reply
Aug. 19, 2005, 09:38 PM
Post: #3
 
http://isc.sans.org/diary.php?date=2005-08-18

Look in the section: "How do I recognize a web page which contains exploit code?"

Their example is incorrect.

Here is a correct example:

Code:
[object classid="clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"][/object]

(change the square brackets to pointy brackets)

Their example is missing the "clsid:" portion.

Here is a proper PoC:

http://www.securitytracker.com/alerts/20...14727.html
Visit this user's website
Add Thank You Quote this message in a reply
Aug. 20, 2005, 09:35 AM
Post: #4
 
The Perl script from your last link worked fine! The compiled page also grabs a huge amount of memory in my browsers btw.

Anyway, for those using the ClassIDs list, here is the new entry for its "Exploits" section:
Code:
# http://www.securitytracker.com/alerts/2005/Aug/1014727.html
# -----------------------------------------------------------------------------
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F $SET(9=DDS Library Shape Control)

sidki
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: