Old Proxomitron Forums

Proxomitron Filters - Discussions welcome => Security => Topic started by: dave1006 on February 12, 2002, 10:00:10 PM

Title: Yet another IE vulnerability...
Post by: dave1006 on February 12, 2002, 10:00:10 PM
Check out http://home.austin.rr.com/wiredgoddess/thepull/funRun.html and if the problem affects you, hopefully this web page filter should sort it out:
(The vulnerability allows websites to open, run and read various files on your hard drive. At the time of posting (12/02/02) there is no patch available.)

Name = "Codebase Localpath"
Active = TRUE
Multi = TRUE
Bounds = "{*}"
Match = "*(CODEBASE="[a-z]:/|open("file:///::)*"
Replace = "{
}
"
Edited by - dave1006 on 12 Feb 2002  22:04:26
Title: Yet another IE vulnerability...
Post by: Zhen-Xjell on February 13, 2002, 06:21:26 PM
When I visit that page, I cannot click the links.  They don't work.

Title: Yet another IE vulnerability...
Post by: Jor on February 13, 2002, 06:33:25 PM
Yet another reason to stay away from MSIE... this "nice feature" works on my 2000 system

Opera, of course, is not affected...

Title: Yet another IE vulnerability...
Post by: RLD on February 13, 2002, 06:39:24 PM
quote:

When I visit that page, I cannot click the links.  They don't work.

Did you watch the text on the screen when you clicked on the words?
I saw text disappear like a plain white box had popped over the page.
It only happened over the first set of words.

Title: Yet another IE vulnerability...
Post by: Zhen-Xjell on February 14, 2002, 05:38:20 AM
There is trickery and then there is the real deal.  Some security sites make users think their data is being read by them, when in fact it is a local read.

Title: Yet another IE vulnerability...
Post by: xartica on February 14, 2002, 07:31:34 AM
I just started messing with a downloaded copy of the page referenced.
So far, I haven't been able to find anything really "tricky" to do with it.
With 'codebase', I don't think arguments can be passed. This:

CODEBASE="c:/windows/explorer.exe /n,/e, f:"

didn't work when I tried it. Considering that both the call to C:cmd.exe and to cleanmgr.exe completely lock up my PC (Win98SE; MSIE5.5 SP2), it's something that I want to filter against... and the first time I locked up my PC by clicking, I sure felt "exploited"!

(I'm laughing at myself ~~
  "Doctor, when I stick a fork in my eye, it hurts...")
Title: Yet another IE vulnerability...
Post by: xartica on February 14, 2002, 09:33:01 PM
Paul, the exploit is real; it's not 'trickery'.

Mona posted a msg today
http://groups.yahoo.com/group/prox-list/message/10010

pointing to a news article
http://www.securityfocus.com/news/327
which reports that this new MS patch STILL doesn't
fix all the previously-reported vulnerabilities.

(sigh)

Title: Yet another IE vulnerability...
Post by: Arne on March 03, 2002, 01:31:48 PM
Here is also a working filter:

[Patterns]
Name = "Break JavaScript CLASSID Use"
Active = TRUE
Limit = 80
Match = "CLSID:([#0:*])\1"
Replace = "CLSID:DISABLED_\1_DISABLED"

And a test page here:

http://security.greymagic.com/adv/gm001-ie/
Best wishes
Arne
Imici username: Arne

Title: Yet another IE vulnerability...
Post by: sidki3003 on March 22, 2002, 04:31:33 PM
Hi all

Unfortunately it isn't that easy. Here is the code snippet from
http://www.krypton3d.com/xp/

<SCRIPT language=JScript>

var programName=new Array(
   'c:/windows/system32/logoff.exe',
   'c:/winnt/system32/logoff.exe'
);

function Init(){
   var oPopup=window.createPopup();
   var oPopBody=oPopup.document.body;
   var n,html='';
   for(n=0;n<programName.length;n++)
      html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
   oPopBody.innerHTML=html;
   oPopup.show(290, 390, 200, 200, document.body);
}

</SCRIPT>

But I was lucky:

<Match: Onload unloader >
onload=
</Match>
LoadOff="Init()">

As you know, the CLSID is Hex, so "CLSID:ABCDEF0..." does the same thing.
I have no idea either, since I don't want to completely block the codebase function.

So long
sidki3003
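
The three filter ideas in this thread, re-expressed in Python as an added example that is not part of the original posts or of Proxomitron itself. The first regex re-states the drive-letter / file:/// idea of dave1006's "Codebase Localpath" filter; the second re-states Arne's digit-only CLSID rewrite (Proxomitron's [#0:*] matches decimal digits only) and lists the hex-leading CLSIDs that pass through it untouched, which is the gap sidki3003 points out; the third inspects the CODEBASE value of each OBJECT tag directly, so a hex CLSID does not help and remote http:// codebases are left alone, which is the "don't block codebase completely" concern. The HTML sample is constructed to resemble the JScript snippet above, and treating single and double quotes alike is a choice made in this example, not a property of the original filters.

```python
import re

# Constructed sample (not fetched from any site): two OBJECT tags shaped like
# the JScript snippet in the thread (one digit-leading CLSID, one hex-leading),
# one ordinary remote CAB codebase, and a script that opens a file:/// URL.
SAMPLE_HTML = """
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='c:/windows/system32/logoff.exe'></OBJECT>
<OBJECT NAME='X' CLASSID='CLSID:ABCDEF01-1111-1111-1111-111111111111' CODEBASE='c:/winnt/system32/logoff.exe'></OBJECT>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.example/flash.cab"></object>
<script>window.open("file:///c:/");</script>
"""

# Regex re-expression of the "Codebase Localpath" idea: a CODEBASE attribute
# that starts with a drive letter, or a script call opening a file:/// URL.
# Single and double quotes are treated alike here (a choice made in this example).
LOCAL_CODEBASE_RE = re.compile(
    r"""CODEBASE\s*=\s*["'][a-z]:/|open\(["']file:///""", re.IGNORECASE)


def local_codebase_hits(html):
    """Return every fragment the drive-letter / file:/// pattern matches."""
    return LOCAL_CODEBASE_RE.findall(html)


# Regex re-expression of the "Break JavaScript CLASSID Use" filter: [#0:*]
# matches a run of decimal digits only, so only a CLSID that begins with
# digits is rewritten, and the rest of the GUID is left as it was.
DIGIT_CLSID_RE = re.compile(r"CLSID:(\d+)", re.IGNORECASE)


def digit_only_clsid_filter(html):
    """Rewrite CLSID:<digits> to CLSID:DISABLED_<digits>_DISABLED."""
    return DIGIT_CLSID_RE.sub(r"CLSID:DISABLED_\1_DISABLED", html)


def untouched_clsids(html):
    """List the GUIDs that survive the digit-only filter (the hex pass-through)."""
    filtered = digit_only_clsid_filter(html)
    return re.findall(r"CLSID:([0-9A-F]{8}-[0-9A-F-]+)", filtered, re.IGNORECASE)


# Direct check of the CODEBASE value itself, independent of the CLSID.
OBJECT_TAG_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
CODEBASE_ATTR_RE = re.compile(
    r"""codebase\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
LOCAL_TARGET_RE = re.compile(r"(?:[a-z]:[\\/]|file:)", re.IGNORECASE)


def flag_local_codebase_objects(html):
    """Return CODEBASE values of OBJECT tags that point at the local machine.

    Looks at the attribute value (drive letter or file: scheme) rather than
    the CLSID, so hex CLSIDs are not a bypass and remote codebases pass.
    """
    flagged = []
    for tag in OBJECT_TAG_RE.findall(html):
        m = CODEBASE_ATTR_RE.search(tag)
        if not m:
            continue
        value = next(g for g in m.groups() if g is not None).strip()
        if LOCAL_TARGET_RE.match(value):
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    print(local_codebase_hits(SAMPLE_HTML))
    print(digit_only_clsid_filter(SAMPLE_HTML))
    print(untouched_clsids(SAMPLE_HTML))
    print(flag_local_codebase_objects(SAMPLE_HTML))
```

Run against the sample, the digit-only rewrite touches only the first OBJECT, while both hex-leading GUIDs come through unchanged; the CODEBASE check flags exactly the two local executables and leaves the remote CAB alone.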
Title: Yet another IE vulnerability...
Post by: sidki3003 on March 22, 2002, 06:34:39 PM
OK, two workarounds.

The first is already published at
http://security.greymagic.com/adv/gm001-ie/
but in a rather cryptic way.

Target: adjust the security settings of the "My Computer Zone".
1. Making the zone accessible:
Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
and change the value "Flags" from whatever to "3" (Hex).
Now you have a new entry in Internet Explorer under
Tools -> Internet Options -> Security called "My Computer"
2. Changing the critical value:
Select "My Computer" and push "Custom Level..."
In "My Computer" there is an option "Download unsigned ActiveX controls".
Select "Disable" or "Prompt".

The second solution is installing the latest Norton Antivirus Definition File, and getting used to running the realtime scanner.

NAV will come up with an alert:
Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: XMLid.Exploit
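
An offline check of the two registry settings in the first workaround, written for this page as an added example (not the original poster's material): it parses a Regedit export of the Zones\0 key and reports the Flags value and the "Download unsigned ActiveX controls" setting, and it can emit a .reg fragment that applies the two changes. The .reg text is constructed; the value name 1004 and the meanings 0 = Enable, 1 = Prompt, 3 = Disable are assumed from Microsoft's documented Internet Explorer zone value names, not from the thread.

```python
import re

# Constructed Regedit export (not from any real machine) of the "My Computer"
# zone key named in the thread, before the workaround is applied.
# "1004" is assumed to be Internet Explorer's value name for
# "Download unsigned ActiveX controls"; 0 = Enable, 1 = Prompt, 3 = Disable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"Flags"=dword:00000021
"1004"=dword:00000000
"""

ZONE0_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\0")
UNSIGNED_ACTIVEX_DOWNLOAD = "1004"   # assumed value name, see the comment above
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}


def parse_reg_export(text):
    """Parse a Regedit export into {key_path: {value_name: value}}.

    Handles string values ("...") and dword values (hex); other value types
    and the header line are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
    return keys


def audit_my_computer_zone(reg_text):
    """Report the two settings the thread's workaround changes."""
    keys = parse_reg_export(reg_text)
    values = keys.get(ZONE0_KEY, {})
    setting = values.get(UNSIGNED_ACTIVEX_DOWNLOAD)
    return {
        "zone_present": ZONE0_KEY in keys,
        "flags": values.get("Flags"),
        "unsigned_activex_download": SETTING_NAMES.get(setting, setting),
        # Anything other than Prompt or Disable still allows the download.
        "needs_change": setting not in (1, 3),
    }


def hardened_zone0_fragment(flags=0x3, setting=3):
    """Emit a .reg fragment with Flags=3 (zone shown) and 1004=Disable."""
    return ("[%s]\n\"Flags\"=dword:%08x\n\"%s\"=dword:%08x\n"
            % (ZONE0_KEY, flags, UNSIGNED_ACTIVEX_DOWNLOAD, setting))


if __name__ == "__main__":
    print(audit_my_computer_zone(SAMPLE_REG))
    print(hardened_zone0_fragment())
    print(audit_my_computer_zone(hardened_zone0_fragment()))
```

A real export of the key can be produced with `regedit /e zone0.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"`; the parser ignores the header line, so the older REGEDIT4 header written by Windows 9x works as well.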