Author Topic: Blocking selected codebase functions  (Read 10375 times)

sidki3003

« on: March 22, 2002, 05:17:46 PM »
updated 2002-08-23, current code is here

Hi

Here is a simple filter to block certain codebase functions.
I post this under security since "codebase" doesn't mean only flash,
but can do about anything.

[Blocklists]
List.BlockClassIDs= "..\Lists\BlockClassIDs.txt"

[Patterns]
Name = "Kill selected ClassIDs"
Active = TRUE
Multi = TRUE
Bounds = "(<object&$NEST(<object,</object>)|<object*</object>)|$NEST(<script,</script>)"
Limit = 4096
Match = "*$LST(BlockClassIDs)*"

And here is the content of my BlockClassIDs.txt so far:
# MSN Messenger
clsid:F3A614DC-ABE0-11d2-A441-00C04F795683
clsid:FB7199AB-79BF-11d2-8D94-0000F875C541

# Active-x Dialer
clsid:8522F9B3-38C5-4aa4-AE40-7401F1BBC851

So long
sidki

Edited by - sidki3003 on 23 Aug 2002  02:01:14
 

sidki3003

« Reply #1 on: June 23, 2002, 08:24:05 PM »
Here is an updated version:

[Blocklists]
List.ClassIDs = "..\Lists\ClassIDs.txt"

Name = "<object> Remove: Specific ClassIDs"
Active = TRUE
Bounds = "(<object*</object>)|$NEST(<script,</script*>)"
Limit = 4096
Match = "*$LST(ClassIDs)*"
Replace = "<span class=prox style=display:none;>[ClassID killed: \9]</span>"

------- ClassIDs.txt -------
# For use with Specific ClassID Remover
#

(clsid:F3A614DC-ABE0-11d2-A441-00C04F795683|
<indent!> clsid:FB7199AB-79BF-11d2-8D94-0000F875C541)
<indent!> $SET(9=MSN Messenger)

(clsid:8522F9B3-38C5-4aa4-AE40-7401F1BBC851|
<indent!> clsid:018B7EC3-EECA-11d3-8E71-0000E82C6C0D)
<indent!> $SET(9=Active-x Dialer)

clsid:0006F063-0000-0000-C000-000000000046
<indent!> $SET(9=Outlook View Control)
----------------------------

<indent!> means please indent

sidki

 
 

sidki3003

« Reply #2 on: June 27, 2002, 03:18:09 PM »
Another one from http://www.jedi.claranet.fr/.
I love this site, it has so many traps.

<object ID="dosIE-doe"
CLASSID="CLSID:00022613-0000-0000-C000-000000000046" </object>

That's the "Multimedia File Property Sheet" ID. Don't know why, but it crashes my IE.

So I added this to ClassIDs.txt:

clsid:00022613-0000-0000-C000-000000000046
<indent!>  $SET(9=dosIE-doe)


sidki


 
 

pooms

« Reply #3 on: June 27, 2002, 04:04:42 PM »
 

sidki3003

« Reply #4 on: June 27, 2002, 04:27:26 PM »
Thanks. To mention it here as well, only Windows 2000 and XP are affected.


 
 

sidki3003

« Reply #5 on: July 14, 2002, 08:17:55 PM »
Big update.

[Blocklists]
List.ClassIDs = "..\Lists\ClassIDs.txt"

[Patterns]
Name = "Remove: Specific ClassIDs"
Active = TRUE
URL = "$TYPE(htm)"
Bounds = "<object*(</object>|>)|$NEST(<script,</script*>)|<xml\s*</xml>"
Limit = 12000
Match = "*(clsid(("{|:)|ClassID="{)$LST(ClassIDs)*"
Replace = "<center><span class=prox style=display:inline;>[ClassID killed: \9]</span></center>"

Name = "JS Kill: Specific ClassIDs"
Active = TRUE
URL = "$TYPE(js)|$TYPE(vbs)|$TYPE(oth)"
Limit = 64
Match = "(clsid(("{|:)|ClassID="{)$LST(ClassIDs)"
Replace = "
THIS SCRIPT HAS BEEN KILLED BY JS CLASSID FILTER (\9).\k"

------- ClassIDs.txt -------
# NoAddURL
# For use with Specific ClassID Remover
# IDs by sidki and JarC
# sidki 2002-07-12
# updated 2002-08-23

### ------------------------------- Not for Everyone -------------------------------

## Messengers
F3A614DC-ABE0-11D2-A441-00C04F795683 $SET(9=MSN Messenger.1)
FB7199AB-79BF-11D2-8D94-0000F875C541 $SET(9=MSN Messenger.2)
41695A8E-6414-11D4-8FB3-00D0B7730277 $SET(9=Yahoo Messenger)

## Plugins
FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 $SET(9=RealOne Player)
31B7EB4E-8B4B-11D1-A789-00A0CC6651A8 $SET(9=Cult3D plugin (application/x-cult3d-object))

# Still in Use?
9F4D2FA2-54A1-11D1-8267-00A0C91F9CA0 $SET(9=gotobar Class)

### ------------------------------ /Not for Everyone -------------------------------
### ---------------------------------- Annoyances ----------------------------------

## Adware/Trackware
1678F7E1-C422-11D0-AD7D-00400515CAAA $SET(9=CometCursor Class)
19DFB2CB-9B27-11D4-B192-0050DAB79376 $SET(9=eZula TopText.1)
C03351A4-6755-11D4-8A73-0050DA2EE1BE $SET(9=eZula TopText.2)
84B71424-B020-11D4-B198-000102C6D473 $SET(9=Spedia Surf+)
60B25924-C865-11D2-B0C1-000000000000 $SET(9=HotBar)
75D2080B-4857-4B96-9B7D-732634FBD01F $SET(9=HotBar2)
B195B3B3-8A05-11D3-97A4-0004ACA6948E $SET(9=HotBar Browser Helper Object)
BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52 $SET(9=BrowserToolbar)
67925165-C4B6-11D2-B9C6-0000E84F59A6 $SET(9=Brilliant Digital (application/x-bdescript))
51958169-D5E3-11D1-AA42-0000E842E40A $SET(9=Brilliant Digital (application/x-b3dmovies))

## Dialers
8522F9B3-38C5-4AA4-AE40-7401F1BBC851 $SET(9=Active-x Dialer.1)
018B7EC3-EECA-11D3-8E71-0000E82C6C0D $SET(9=Active-x Dialer.2)
A45F39DC-3608-4237-8F0E-139F1BC49464 $SET(9=Active-x Dialer.3)
C771B05E-E725-4516-97A5-4CE5EB163CFB $SET(9=Active-x Dialer.4)
15C3C7A4-9676-11D3-9799-0060087190B9 $SET(9=Active-x Dialer.5)
1D2DCA0D-B30F-40AD-9690-087105F214EC $SET(9=Active-x Dialer.6)
10A1B95D-5E35-4935-8BC3-D43E81E8105E $SET(9=Active-x Dialer.7)
DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C $SET(9=Active-x Dialer.8)
E8EDB60C-951E-4130-93DC-FAF1AD25F8E7 $SET(9=Active-x Dialer.9)

### --------------------------------- /Annoyances ----------------------------------
### ----------------------------------- Security -----------------------------------

# http://www.guninski.com/vv2xp.html
0006F063-0000-0000-C000-000000000046 $SET(9=Outlook View Control)

# http://online.securityfocus.com/archive/1/278786
00022613-0000-0000-C000-000000000046 $SET(9=dosIE-doe)

# http://online.securityfocus.com/archive/1/259018
11111111-1111-1111-1111-111111111111 $SET(9=XMLid.Exploit)

# http://online.securityfocus.com/bid/598/exploit/
06290BD5-48AA-11D2-8432-006008C3FBFC $SET(9=Object TLB scriptlets)

# Trojan.JS.Clid.gen
# http://online.securityfocus.com/archive/1/200109
F935DC22-1CF0-11D0-ADB9-00C04FD58A0B $SET(9=WSH Shell Object)
F935DC26-1CF0-11D0-ADB9-00C04FD58A0B $SET(9=WSH Network Object)
0D43FE01-F093-11CF-8940-00A0C9054228 $SET(9=FileSystem Object)

# Office Web Components (OWC)
# http://sec.greymagic.com/adv/
0002E500-0000-0000-C000-000000000046 $SET(9=Office Chart.1)
0002E556-0000-0000-C000-000000000046 $SET(9=Office Chart.2)
0002E510-0000-0000-C000-000000000046 $SET(9=Office Spreadsheet.1)
0002E551-0000-0000-C000-000000000046 $SET(9=Office Spreadsheet.2)
0002E553-0000-0000-C000-000000000046 $SET(9=Office DataSourceControl)

# http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00207.html
25336921-03F9-11CF-8FD0-00AA00686F13 $SET(9=HTML Object)

### ----------------------------------- /Security -----------------------------------
------- /ClassIDs.txt -------

/sidki


Edited by - sidki3003 on 23 Aug 2002  02:00:10
 

altosax

« Reply #6 on: July 14, 2002, 08:41:34 PM »
Hi sidki,

the filter "Remove: Specific ClassIDs" has these bounds:

quote:

Bounds = "<object*(>|</object>)|$NEST(<script,</script*>)|<xml\s*</xml>"

but I have doubts about its ability to match <object>this_content</object> because the filter always finds the closing > of the <object> tag first. I haven't tested it yet, but I think you have. Am I right or wrong?

regards,
altosax.

 
 

sidki3003

« Reply #7 on: July 14, 2002, 09:08:58 PM »
Hi altosax,

I came up with these object bounds to cover the above (PostID=2678) situation and this

<object ID="ayb" CLASSID="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D">

as well. With the normal code

<object id="oCS9" classid="clsid:0002E500-0000-0000-C000-000000000046"></object>

it will leave behind a useless </object>. So it works but isn't a very elegant solution.

edit: you are right, it doesn't cover <object>this_content</object>.
I didn't come across an example for this case yet, but maybe it's out there.
Let me know if you have an idea to improve the bounds match.

regards, sidki


Edited by - sidki3003 on 14 Jul 2002  22:17:56
 

JD5000

« Reply #8 on: July 14, 2002, 10:11:08 PM »
Nice update sidki.

Would, "<object*(</object>|>)" work?

--------
Infopros Joint :: Computer Related Links And Discussion

sidki3003

« Reply #9 on: July 14, 2002, 10:26:55 PM »
Hi JD, thanks

Just tested it. It acts like above "<object*(>|</object>)".

sidki

 
 

altosax

« Reply #10 on: July 14, 2002, 11:27:03 PM »
quote:

Let me know if you have an idea to improve the bounds match.

Try this:
Bounds = "<object\s*>(*</object>|)"

It would remove the offending code regardless of where the clsid is placed.

regards,
altosax.


Edited by - altosax on 15 Jul 2002  00:31:14
 

sidki3003

« Reply #11 on: July 14, 2002, 11:59:40 PM »
Hi altosax,

Seems to be a difficult thing.

Here is what I place into the test window (the 1st one is fictive):

<object ID="dialer">CLASSID="CLSID:8522F9B3-38C5-4aa4-AE40-7401F1BBC851" </object>
<object ID="dosIE-doe" CLASSID="CLSID:00022613-0000-0000-C000-000000000046" </object>
<object ID="ayb" CLASSID="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D">
<object id="oCS9" classid="clsid:0002E500-0000-0000-C000-000000000046"></object>

result with "<object*(>|</object>)":

<object ID="dialer">CLASSID="CLSID:8522F9B3-38C5-4aa4-AE40-7401F1BBC851" </object>
<center><span class=prox style=display:none;>[ClassID killed: dosIE-doe]</span></center>
<center><span class=prox style=display:none;>[ClassID killed: Active-x Dialer2]</span></center>
<center><span class=prox style=display:none;>[ClassID killed: Office Chart1]</span></center></object>

result with "<object\s*>(*</object>|)":

<center><span class=prox style=display:none;>[ClassID killed: Active-x Dialer1]</span></center>
<center><span class=prox style=display:none;>[ClassID killed: dosIE-doe]</span></center>

Don't know why it won't catch the other two.

regards, sidki


 
 

altosax

« Reply #12 on: July 15, 2002, 12:16:46 AM »
Probably it needs <object>something_here</object>, try this one:

Bounds = "<object\s*>(*</object>|</object>|)"

hope this works,
altosax

 
 

JD5000

« Reply #13 on: July 15, 2002, 12:31:24 AM »
"<object\s*>(*</object>|)" does seem to work, if you test..

<object ID="dialer">CLASSID="CLSID:8522F9B3-38C5-4aa4-AE40-7401F1BBC851" </object>
<object ID="dosIE-doe" CLASSID="CLSID:00022613-0000-0000-C000-000000000046" </object>
<object ID="ayb" CLASSID="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D">
<object id="oCS9" classid="clsid:0002E500-0000-0000-C000-000000000046"></object>

One at a time, it matches each one...

--------
Infopros Joint :: Computer Related Links And Discussion

sidki3003

« Reply #14 on: July 15, 2002, 01:40:19 AM »
Oh yes, that was it. Thanks guys.
Don't know though what happens if these exploits come in a bundle.
OTOH the only site i know that does that is Jedi/Sector One (claranet).

Edited by - sidki3003 on 15 Jul 2002  02:55:25
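As an added illustration (not code from this thread or from Proxomitron), here is a small Python emulation of the "Remove: Specific ClassIDs" filter run over sidki's four test lines. The two Bounds variants discussed above are translated into regular expressions by hand, which is an approximation: Proxomitron's "*" is assumed to behave like a lazy ".*?" that may cross line breaks. Under that assumption it reproduces the dangling </object> left by the first variant, the way the second variant swallows the following objects when they come in a bundle, and the fact that the second variant catches every line when fed one at a time.

```python
import re
# Constructed test input: the four <object> lines sidki pasted into the
# Proxomitron test window in this thread (the first one is fictive).
TEST_HTML = (
    '<object ID="dialer">CLASSID="CLSID:8522F9B3-38C5-4aa4-AE40-7401F1BBC851" </object>\n'
    '<object ID="dosIE-doe" CLASSID="CLSID:00022613-0000-0000-C000-000000000046" </object>\n'
    '<object ID="ayb" CLASSID="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D">\n'
    '<object id="oCS9" classid="clsid:0002E500-0000-0000-C000-000000000046"></object>\n'
)

# The ClassIDs.txt entries the test touches: upper-case GUID -> label stored in \9.
CLASSIDS = {
    "8522F9B3-38C5-4AA4-AE40-7401F1BBC851": "Active-x Dialer.1",
    "00022613-0000-0000-C000-000000000046": "dosIE-doe",
    "018B7EC3-EECA-11D3-8E71-0000E82C6C0D": "Active-x Dialer.2",
    "0002E500-0000-0000-C000-000000000046": "Office Chart.1",
}

# Hand-translated regex approximations of two Bounds variants from the thread: Proxomitron's
# '*' becomes a lazy '.*?' that may cross line breaks, '\s' a whitespace class (assumption).
BOUNDS = {
    "<object*(>|</object>)": r"<object.*?(?:>|</object>)",
    "<object\\s*>(*</object>|)": r"<object\s.*?>(?:.*?</object>|)",
}

# Approximation of the Match part: 'clsid:' / 'clsid{' / 'ClassID="{' followed by a GUID.
CLSID_RE = re.compile(
    r'(?:clsid[:{]|classid="\{)([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})', re.I)


def apply_filter(html, bounds_pattern):
    """One pass of 'Remove: Specific ClassIDs'; returns (filtered_html, labels_killed)."""
    bounds = re.compile(BOUNDS[bounds_pattern], re.DOTALL | re.IGNORECASE)
    out, killed, pos = [], [], 0
    while True:
        m = bounds.search(html, pos)
        if m is None:
            break
        label = next((CLASSIDS[c.group(1).upper()] for c in CLSID_RE.finditer(m.group(0))
                      if c.group(1).upper() in CLASSIDS), None)
        if label is None:
            # Bounds matched but Match did not: keep the text, rescan one char later.
            out.append(html[pos:m.start() + 1])
            pos = m.start() + 1
            continue
        out.append(html[pos:m.start()] + f"[ClassID killed: {label}]")
        killed.append(label)
        pos = m.end()
    out.append(html[pos:])
    return "".join(out), killed
```

Feeding TEST_HTML.splitlines(keepends=True) to apply_filter one line at a time shows the per-line behaviour JD5000 describes, while the whole string shows the bundle problem.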