RE: [Fwd: Re: AIM Password theft] VU#865940

From: CERT(R) Coordination Center (cert_at_cert.org)
Date: 09/24/03

    Date: Wed, 24 Sep 2003 14:35:06 -0400
    To: "Thor Larholm" <thor@pivx.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

    Thor Larholm <thor@pivx.com> writes:

    > This is just a simple exploit utilizing the Object Data vulnerability
    > discovered by Drew Copley, coupled with the GreyMagic no-script HTML
    > rendering as demonstrated earlier on this list and others by jelmer.
    >
    > Tell your user to go install MS03-032, which he obviously did not do as
    > MS03-032 patches this vulnerability. MS03-032 was released on August 20
    > and you can find it at
    >
    > http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

    At the present, the patch for MS03-032 breaks one of at least three
    exploit techniques. The patch does not resolve the vulnerability.
    MS03-032 acknowledges this. I have seen several examples of this
    vulnerability being exploited in the wild.

    > www.haxr.org contains the following HTML code (with <> replaced to []):
    >
    > [span datasrc="#oExec" datafld="counter" dataformatas="html"][/span]
    > [xml id="oExec"]
    > [security]
    > [counter]
    > [![CDATA[
    > [object data=tracker.php][/object]
    > ]]]
    > [/counter]
    > [/security]
    > [/xml]

    In particular, the current MS03-032 patch doesn't account for an HTML
    document created via XML/data binding:

      <http://greymagic.com/adv/gm001-ie/>

    The patch also does not account for an HTML document created via
    script:

      <http://www.securityfocus.com/archive/1/336616>

    Vulnerability Note VU#865940:

      <http://www.kb.cert.org/vuls/id/865940>

    Regards,

      - Art

                 Art Manion -- CERT Coordination Center
        <http://www.cert.org/> <cert@cert.org> +1 412-268-7090
             E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 5.0i for non-commercial use
    Charset: noconv

    iQCVAwUBP3HlHDpmH2w9K/0VAQGBuQQAmrvGlHEXmMx48LhA2dQ/wK8XCqYaVYtD
    Y4FPmSvwqZ8phYKhT20Dh9sYGLWHbaJ3sfGA589MOLJwhpZ3aVlunLQ6GjLO1qje
    6dab5rVGdgTNzMC87YX2E7RB6uS4K8htL0MhN4LLvbHS402QEeNOhX+Fi2lsLkyi
    6uioMggI1Ms=
    =Jnmk
    -----END PGP SIGNATURE-----
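The data-binding construct quoted above, turned into an added defensive example that is not part of the original message or of any CERT tooling: a small heuristic scanner (function names, regexes and sample pages are all constructed for this illustration) that flags a page which binds a field of an `<xml>` data island into an element carrying `dataformatas="html"` when that field contains active content such as `<object>`. The point Art makes is that the MS03-032 patch did not cover this rendering path, so a mail gateway or HTML filter that only looks for a bare `<object data=...>` tag would miss it; the scanner resolves the binding first and then inspects the bound field.

```python
"""Heuristic scanner for the IE XML data-binding rendering path discussed above.

Added example, not code from the original message. A page is flagged when an
element with dataformatas="html" binds (datasrc="#id", datafld="field") to an
<xml id="id"> data island whose <field> carries active content (<object>,
<script>, ...). Regex-based on purpose: this is a filter heuristic, not a parser.
"""
import re

# Tags whose presence inside a bound-and-HTML-rendered field is worth flagging.
ACTIVE_TAGS = ("object", "script", "iframe", "embed", "applet")

TAG_RE = re.compile(r"<([a-zA-Z][\w:-]*)\b([^>]*)>")
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
ISLAND_RE = re.compile(
    r"<xml\b[^>]*\bid\s*=\s*['\"]?([\w-]+)['\"]?[^>]*>(.*?)</xml\s*>", re.I | re.S)

# Constructed sample: the quoted construct with [] restored to <>.
EXPLOIT_SAMPLE = """
<span datasrc="#oExec" datafld="counter" dataformatas="html"></span>
<xml id="oExec">
<security>
<counter>
<![CDATA[
<object data=tracker.php></object>
]]>
</counter>
</security>
</xml>
"""

# Constructed benign sample: an HTML-rendered binding with harmless markup, and
# the same island bound with dataformatas="text" (rendered literally, not as HTML).
BENIGN_SAMPLE = """
<span datasrc="#oNews" datafld="headline" dataformatas="html"></span>
<xml id="oNews"><item><headline><b>Patch Tuesday</b> notes</headline></item></xml>
<span datasrc="#oExec" datafld="counter" dataformatas="text"></span>
<xml id="oExec"><security><counter><![CDATA[<object data=tracker.php></object>]]></counter></security></xml>
"""


def _attrs(raw):
    """Parse an attribute string into a lower-cased dict (quoted or bare values)."""
    out = {}
    for m in ATTR_RE.finditer(raw):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def find_html_bound_fields(html):
    """Return (island_id, field) for every element that renders a bound field as HTML."""
    found = []
    for m in TAG_RE.finditer(html):
        a = _attrs(m.group(2))
        if a.get("dataformatas", "").lower() != "html":
            continue
        src = a.get("datasrc", "")
        if src.startswith("#"):
            found.append((src[1:], a.get("datafld", "")))
    return found


def find_xml_islands(html):
    """Return {id: inner markup} for every <xml id=...> data island on the page."""
    return {m.group(1): m.group(2) for m in ISLAND_RE.finditer(html)}


def _field_text(island, field):
    """Extract the content of one <field>...</field> element, with CDATA wrappers removed."""
    pat = r"<%s\b[^>]*>(.*?)</%s\s*>" % (re.escape(field), re.escape(field))
    m = re.search(pat, island, re.I | re.S)
    if not m:
        return ""
    return m.group(1).replace("<![CDATA[", "").replace("]]>", "")


def scan(html):
    """Return (island_id, field, [active tags]) for each HTML-rendered binding whose
    bound field contains active content; an empty list means nothing was flagged."""
    islands = find_xml_islands(html)
    findings = []
    for island_id, field in find_html_bound_fields(html):
        text = _field_text(islands.get(island_id, ""), field)
        tags = [t for t in ACTIVE_TAGS if re.search(r"<%s\b" % t, text, re.I)]
        if tags:
            findings.append((island_id, field, tags))
    return findings


if __name__ == "__main__":
    for name, page in (("exploit sample", EXPLOIT_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        print(name, "->", scan(page) or "clean")
```

The benign sample shows why the binding has to be resolved rather than pattern-matched: the same `<object>` markup sits in a data island there too, but it is bound with `dataformatas="text"`, so nothing renders it as HTML and the scanner stays quiet.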


