Re: HijackClick 3
From: Thor Larholm (tlarholm_at_PIVX.COM)
Date: 07/13/04
- Previous message: Russ: "Microsoft against people with disabilities?"
- Maybe in reply to: Drew Copley: "Re: HijackClick 3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 13 Jul 2004 11:04:01 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> From: Drew Copley
> In fact, I don't think there has been a bug in about ten
> months (coincidentally) that does not rely on either Jelmer's
> adodb bug or your shell.application bug.
I'm sorry, but did everybody suddenly forget about codeBase command
execution? Use a non-existent GUID for your OBJECT's classid and point
the codeBase attribute to the executable you want launched.
You should know about codeBase, seeing as you posted about it under the
handle "the Pull" back in 2002.
http://groups.google.com/groups?selm=a20b3k%242i50%241%40FreeBSD.csie.NCTU.edu.tw
http://groups.google.com/groups?selm=20020116183201.24698.qmail%40web12507.mail.yahoo.com
Well technically, you also posted about it in 200 and gave proper credit
to Dildog.
http://groups.google.com/groups?selm=3957CA3E.9BA80AB0%40yeahright.com
codeBase has been the basis of most IE exploits before we started using
AD+ODB or Sh+ell (obfuscation inline to accommodate lame content
filtering), and GreyMagic repeatedly expanded on it to execute without
scripting.
http://www.greymagic.com/security/advisories/gm001-ie/
The codeBase attribute allows command execution from the My Computer
zone and you can mitigate against it by either completely disabling
ActiveX in that zone or setting it to only allow administrator approved
ActiveX controls. The latter will solve the functionality regression
problem that e.g. MMC and Norton Antivirus will have since both of these
rely on executional privileges given by the My Computer zone. This is
also the approach we took in Qwik-Fix ( http://qwik-fix.net/ ).
You can circumvent the initial restrictions on codebase through a series
of Refreshes.
> Microsoft can remove the threat from all users right now, today,
> and issue a fix. We won't see criminals using these things
> to grab people's money tomorrow. We won't see hundreds of articles
> critical of their browser. We won't see devious, targeted
> attacks on bank employees or anyone else.
Microsoft could blacklist the Sh+ell.App+lication object and still be no
better off. They could fix codeBase and I am sure we would find new
vulnerabilities in IE. The problem is the attempt to separate
executional privileges for mobile code based on its origin; the only
zones IE should have are the Internet Zone and the Restricted Sites
zone. Any privileges that you could ever need in the My Computer zone
can safely be used from an HTML Application by embedding MSHTA instead
of IEXPLORE.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
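The message above describes two things a defender can act on: the OBJECT/codeBase pattern (a classid that is not a registered control, with codeBase pointing at a program) and the mitigation of allowing only administrator-approved controls in the My Computer zone. The following scanner is an added example, not code from the thread or from PivX; it walks HTML with Python's stdlib parser and flags any OBJECT whose codeBase target is an executable or whose classid is not on an approval list. The GUIDs, the allowlist and the sample page are constructed placeholders.

```python
"""Flag <object> tags whose codeBase or classid look like the pattern
described in the thread. Added example; GUIDs and URLs are constructed."""
from html.parser import HTMLParser

# A legitimate control install ships as a .cab (or a bare .ocx/.dll).
# A codeBase pointing straight at a program is the pattern to flag.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".hta")

# Constructed stand-in for an "administrator approved" control list;
# a real deployment would populate this from policy, not hard-code it.
APPROVED_CLASSIDS = {
    "clsid:11111111-2222-3333-4444-555555555555",  # placeholder GUID
}


class ObjectCodebaseScanner(HTMLParser):
    """Collects one finding per <object> whose attributes look suspicious."""

    def __init__(self, approved=APPROVED_CLASSIDS):
        super().__init__()
        self.approved = {c.lower() for c in approved}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        classid = attr.get("classid", "").strip().lower()
        codebase = attr.get("codebase", "").strip()
        # Drop the "#version=..." suffix and any query string before
        # looking at the file extension of the download target.
        target = codebase.split("#", 1)[0].split("?", 1)[0].lower()
        reasons = []
        if target.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("codeBase points at an executable")
        if codebase and classid not in self.approved:
            reasons.append("classid is not administrator approved")
        if reasons:
            self.findings.append({
                "line": self.getpos()[0],   # line where the <object> tag starts
                "classid": classid,
                "codebase": codebase,
                "reasons": reasons,
            })


def scan_html(html):
    """Return a list of findings (dicts) for the given HTML text."""
    scanner = ObjectCodebaseScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one approved control installed from a .cab and
# one <object> with an unregistered classid whose codeBase is a program.
SAMPLE_HTML = """<html><body>
<object classid="clsid:11111111-2222-3333-4444-555555555555"
        codebase="http://example.invalid/control.cab#version=1,0,0,0"></object>
<object classid="clsid:99999999-8888-7777-6666-555555555555"
        codebase="http://example.invalid/update.exe"></object>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: {', '.join(f['reasons'])} ({f['codebase']})")
```

The approval-list check is the static counterpart of the zone setting the message recommends: a control that would not be administrator approved at run time is reported at scan time instead, which makes the rule useful in a proxy or mail-gateway filter as well as on saved pages.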
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----