Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

• Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "New monthly chats after the release of each monthy security bulletin"
• Maybe in reply to: http-equiv_at_excite.com: "POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"
• Next in thread: Ron: "Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Sat, 8 Nov 2003 10:37:49 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Kurt Seifried wrote Friday, November 07, 2003 4:38 PM

> In other words no good methods for enumerating CLSID's seem to exist.

Doesn't HKLM\Software\Classes\(control name)\CLSID do the job OK?
You can also search HKLM\Software\Classes\ for the control name - it will
turn up another listing under (CLSID). This key is useful because it
specifies both the ProgID (specific version of the control) and the
VersionIndependentProgID if there is one.

Speaking of which, other ADODB.Stream control versions are listed in Classes
on machines that have been updated with various versions of MDAC:
ADODB.Stream.2.5
ADODB.Stream.2.7
etc.

These also work just fine in the malware script. Substitute
"Adodb.Stream.2.5" for "Adodb.Stream" in the script if the target machine
has ever had MDAC 2.5 installed - 2.7 is probably a better target because
IIRC it was a Critical Update that is likely to be installed on patched
machines. I'm too lazy to verify this.

This is not an additional vulnerability unless Microsoft somehow fails to
take these into acccount when they someday patch IE against http-equiv's
exploit, but it can be used to bypass overly explicit detection of
http-equiv's code. The CLSID for the version-specific object names is the
same as the version-independent ADODB.Stream, so the same kill bit entry
will kill them.

I think setting the kill bit for ADODB.Stream will cause collateral damage
in some environments. For instance Intranet ASP pages that incorporate file
downloads will be killed if the pages were build using ADO.

-----
Marcus Ranum's new book "The Myth of Homeland Security" is now out and
is available from http://www.amazon.com/ranum In this hard-hitting
review of the homeland security business, Ranum shows us how the problem
is vastly harder than it's being made to sound, and how special
interests, *** covering, and bureaucracy are threatening to derail any
chance of making progress.
-----

• Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "New monthly chats after the release of each monthy security bulletin"
• Maybe in reply to: http-equiv_at_excite.com: "POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"
• Next in thread: Ron: "Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]