Author Topic: Yet another IE vulnerability...  (Read 5474 times)

dave1006

  • Full Member
  • ***
  • Posts: 113
    • ICQ Messenger - 92066376
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Yet another IE vulnerability...
« on: February 12, 2002, 10:00:10 PM »
Check out http://home.austin.rr.com/wiredgoddess/thepull/funRun.html and if the problem affects you, hopefully this web page filter should sort it out:
(The vulnerability allows websites to open, run and read various files on your harddrive - At time of posting (12/02/02) there is no patch available)

Name = "Codebase Localpath"
Active = TRUE
Multi = TRUE
Bounds = "{*}"
Match = "*(CODEBASE="[a-z]:/|open("file:///::)*"
Replace = "{
}
"



Edited by - dave1006 on 12 Feb 2002  22:04:26
dave
dave at smokeajay.co.uk

Zhen-Xjell

  • Jr. Member
  • **
  • Posts: 98
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://laudanski.com
    • Email
Yet another IE vulnerability...
« Reply #1 on: February 13, 2002, 06:21:26 PM »
When I visit that page, I cannot click the links.  They don't work.


Jor

  • Sr. Member
  • ****
  • Posts: 421
    • ICQ Messenger - 10401286
    • AOL Instant Messenger - jor otf
    • Yahoo Instant Messenger - jor_otf
    • View Profile
    • http://members.outpost10f.com/~jor/
    • Email
Yet another IE vulnerability...
« Reply #2 on: February 13, 2002, 06:33:25 PM »
Yet another reason to stay away from MSIE... this "nice feature" works on my 2000 system

Opera, of course, is not affected...

 
 

RLD

  • Newbie
  • *
  • Posts: 20
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Yet another IE vulnerability...
« Reply #3 on: February 13, 2002, 06:39:24 PM »
quote:

When I visit that page, I cannot click the links.  They don't work.





Did you watch the text on the screen when you clicked on the words.
I saw text disappear like a plain white box had popped over the page.
It only happened over the first set of words.

 
 

Zhen-Xjell

  • Jr. Member
  • **
  • Posts: 98
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://laudanski.com
    • Email
Yet another IE vulnerability...
« Reply #4 on: February 14, 2002, 05:38:20 AM »
There is trickery and then there is the real deal.  Some security sites make users think their data is being read by them, when in fact it is a local read.


xartica

  • Newbie
  • *
  • Posts: 38
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Yet another IE vulnerability...
« Reply #5 on: February 14, 2002, 07:31:34 AM »
I just started messing with a downloaded copy of the page referenced.
So far, I haven't been able to find anything realy "tricky" to with it.
With 'codebase', I don't think arguments can be passed. This:

CODEBASE="c:/windows/explorer.exe /n,/e, f:"

didn't work when I tried it. Considering that both the call to C:cmd.exe and to cleanmgr.exe completely lockup my PC(Win98SE; MSIE5.5 SP2), it's something that I want to filter against... and the first time I locked up my PC by clicking, I sure felt "exploited"!

(I'm laughing at myself ~~
  "Doctor, when I stick a fork in my eye, it hurts...")



 
 

xartica

  • Newbie
  • *
  • Posts: 38
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Yet another IE vulnerability...
« Reply #6 on: February 14, 2002, 09:33:01 PM »
Paul, the exploit is real; it's not 'trickery'.

Mona posted a msg today
http://groups.yahoo.com/group/prox-list/message/10010

pointing to a news article
http://www.securityfocus.com/news/327
which reports that this new MS patch STILL doesn't
fix all the previously-reported vulnerabilities.

(sigh)
 

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
Yet another IE vulnerability...
« Reply #7 on: March 03, 2002, 01:31:48 PM »
Here is also a working filter:

[Patterns]
Name = "Break JavaScript CLASSID Use"
Active = TRUE
Limit = 80
Match = "CLSID:([#0:*])1"
Replace = "CLSID:DISABLED_1_DISABLED"

And a test page here:

http://security.greymagic.com/adv/gm001-ie/


Best wishes
Arne
Imici username: Arne
Best wishes
Arne
Imici username= Arne

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Yet another IE vulnerability...
« Reply #8 on: March 22, 2002, 04:31:33 PM »
Hi all

Unfortunately it isn't that easy. Here is the code snippet from
http://www.krypton3d.com/xp/

<SCRIPT language=JScript>

var programName=new Array(
   'c:/windows/system32/logoff.exe',
   'c:/winnt/system32/logoff.exe'
);

function Init(){
   var oPopup=window.createPopup();
   var oPopBody=oPopup.document.body;
   var n,html='';
   for(n=0;n<programName.length;n++)
      html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'>
</OBJECT>";
   oPopBody.innerHTML=html;
   oPopup.show(290, 390, 200, 200, document.body);
}

</SCRIPT>

But I was lucky:

<Match: Onload unloader >
onload=
</Match>
LoadOff="Init()">

As you know, the CLSID is Hex, so "CLSID:ABCDEF0..." does the same thing.
I have no idea either, since I don't want to completely block the codebase function.

So long
sidki3003


 
 

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Yet another IE vulnerability...
« Reply #9 on: March 22, 2002, 06:34:39 PM »
OK, two workarounds.

The first is already published at
http://security.greymagic.com/adv/gm001-ie/
but in a rather cryptic way.

Target: adjust the security settings of the "My Compuer Zone".
1. Making the zone accessible:
Go to
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settingsones
and change the value "Flags" from whatever to "3" (Hex).
Now you have a new entry in Internet Explorer under
Tools -> Internet Options -> Security called "My Computer"
2. Changing the critical value:
Select "My Computer" and push "Custom Level..."
In "My Computer" there is an option "Download unsigned ActiveX controls".
Select "Disable" or "Prompt".

The second solution is installing the latest Norton Antivirus Definition File,and getting used to running the realtime scanner.

NAV will come up with an alert:
Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: XMLid.Exploit